
Appendix F. Sample defaultfilter.pf File

The following is a sample default filter INSPECT script.

// IP source and destination
// NOTE(review): every field below is a fixed byte offset into the IPv4
// header ([offset] or [offset:length]); the ",b" qualifier presumably
// selects network (big-endian) byte order - confirm against the INSPECT
// reference. Source address at byte 12, destination at byte 16.
#define src [12,b]
#define dst [16,b]

// TCP or UDP source and destination ports
// Offsets 20 and 22 are the first two 16-bit words after a 20-byte IPv4
// header, i.e. they are only correct when the packet carries no IP
// options; with options present the ports would be read from the wrong
// place. Only the second clause of each rule checks ip_p = 6 (TCP)
// before comparing them.
#define sport [20:2,b]
#define dport [22:2,b]

// IP protocol
// One byte at offset 9 of the IPv4 header; 6 = TCP.
#define ip_p [9:1]

// Table for recording outgoing sessions. Incoming packets are
// matched against this table.
// 'dynamic': entries are added at run time by the 'record' statements in
// the outbound rule below. 'expires 300': an entry is removed after 300
// seconds, which bounds how long a reply is accepted after the last
// matching outbound packet. 'refresh' presumably restarts that timer on
// each match - TODO confirm against the INSPECT table reference.

connections = dynamic refresh expires 300;

// The following two rules deal with outgoing and incoming
// packets in which the IP source and destination are the same as
// well as connections originating from the firewall going to tcp
// port 256 (e.g., for fetching the security policy from the
// management console) or to tcp port 22 (for ssh access). The
// first rule accepts and records such outgoing packets. The
// second rule accepts such packets if a matching packet was
// previously recorded.

// Outbound rule ('<=' is the outbound direction; 'all@all' = every
// interface). The accept condition is two clauses joined by 'or'; inside
// a clause the comma is INSPECT's AND, so 'record' is reached only when
// the conditions before it hold.
//   1) src = dst: record the key <0,src,ip_p,sport,dport>. The leading 0
//      keeps these entries distinct from the ordinary 5-tuples below.
//   2) ip_p = 6 and dport is 256 or 22: record the forward 5-tuple
//      <src,dst,ip_p,sport,dport> so the reply can be matched.
// NOTE(review): clause 2 relies on 'or' binding tighter than the comma,
// i.e. ip_p = 6 AND (dport = 256 OR dport = 22). If that precedence is
// not guaranteed, dport = 22 packets of any protocol would be recorded;
// parenthesising '(dport = 256 or dport = 22)' removes the doubt.
<= all@all
   accept (
     (src = dst,
      record <0,src,ip_p,sport,dport> in connections)
        or
     (ip_p = 6, dport = 256 or dport = 22,
      record <src,dst,ip_p,sport,dport> in connections)
     );
// Inbound rule ('=>' is the inbound direction). Mirrors the outbound rule
// but only looks entries up, never records:
//   1) src = dst: look up exactly the key clause 1 above recorded.
//   2) ip_p = 6 and sport is 256 or 22: look up the REVERSED tuple
//      <dst,src,ip_p,dport,sport> - for a reply, the destination is the
//      recorded source and the source port is the recorded dport.
// An inbound packet with no matching recorded entry is not accepted here
// and falls through to the unconditional drop below. The same 'or' vs
// comma precedence note as above applies to 'sport = 256 or sport = 22'.
=> all@all
   accept (
     (src = dst,
     <0,src,ip_p,sport,dport> in connections)
        or
     (ip_p = 6, sport = 256 or sport = 22,
     <dst,src,ip_p,dport,sport> in connections)
);

// The next rule just drops everything else.
// Any packet the two accept rules above did not match reaches this
// unconditional drop, which is what makes the default filter
// deny-by-default.
drop;