The following is a sample default filter INSPECT script.
// IP source and destination
#define src [12,b]
#define dst [16,b]

// TCP or UDP source and destination ports
#define sport [20:2,b]
#define dport [22:2,b]

// IP protocol
#define ip_p [9:1]

// Table for recording outgoing sessions. Incoming packets are
// matched against this table.
connections = dynamic refresh expires 300;

// The following two rules deal with outgoing and incoming
// packets in which the IP source and destination are the same as
// well as connections originating from the firewall going to tcp
// port 256 (e.g., for fetching the security policy from the
// management console) or to tcp port 22 (for ssh access). The
// first rule accepts and records such outgoing packets. The
// second rule accepts such packets if a matching packet was
// previously recorded.
<= all@all accept (
    (src = dst, record <0,src,ip_p,sport,dport> in connections)
    or
    (ip_p = 6, dport = 256 or dport = 22,
     record <src,dst,ip_p,sport,dport> in connections)
);

=> all@all accept (
    (src = dst, <0,src,ip_p,sport,dport> in connections)
    or
    (ip_p = 6, sport = 256 or sport = 22,
     <dst,src,ip_p,dport,sport> in connections)
);

// The next rule just drops everything else.
drop;
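To make the stateful behaviour of the three rules concrete, here is an added Python model (not part of the original script or of Check Point's code) that replays constructed packets through the same logic: outgoing packets record a tuple in a table with 300-second refresh/expiry, incoming packets are accepted only if the reversed tuple is present, and everything else is dropped. Packet, ConnectionsTable and filter_packet are names assumed here; the addresses and ports are constructed sample values.

```python
from dataclasses import dataclass

TCP = 6  # ip_p value for TCP, as used by the script's "ip_p = 6" tests


@dataclass(frozen=True)
class Packet:
    direction: str  # "out" models the "<=" rule, "in" models the "=>" rule
    src: str
    dst: str
    proto: int      # ip_p, the IP protocol number
    sport: int
    dport: int


class ConnectionsTable:
    """Models 'connections = dynamic refresh expires 300': an entry is gone
    300 s after it was last recorded or last matched (refresh on match)."""

    def __init__(self, expires=300):
        self.expires = expires
        self.last_seen = {}  # key tuple -> time of last record/refresh

    def record(self, key, now):
        self.last_seen[key] = now

    def lookup(self, key, now):
        seen = self.last_seen.get(key)
        if seen is None or now - seen > self.expires:
            self.last_seen.pop(key, None)  # absent or expired
            return False
        self.last_seen[key] = now  # refresh: the entry lives another 300 s
        return True


def filter_packet(p, table, now):
    """Apply the three rules in order; returns 'accept' or 'drop'."""
    if p.direction == "out":
        if p.src == p.dst:  # src = dst case is keyed with a leading 0
            table.record((0, p.src, p.proto, p.sport, p.dport), now)
            return "accept"
        if p.proto == TCP and p.dport in (256, 22):  # policy fetch or ssh
            table.record((p.src, p.dst, p.proto, p.sport, p.dport), now)
            return "accept"
    else:
        if p.src == p.dst and table.lookup((0, p.src, p.proto, p.sport, p.dport), now):
            return "accept"
        # reply direction: the recorded tuple with src/dst and ports swapped
        if p.proto == TCP and p.sport in (256, 22) and table.lookup(
                (p.dst, p.src, p.proto, p.dport, p.sport), now):
            return "accept"
    return "drop"  # final rule: drop everything else
```

The table is keyed only on the 5-tuple plus direction, so a reply that does not match a previously recorded outgoing packet is dropped even if it comes from port 256 or 22.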