import pf from OpenBSD 3.6. (userland part)

yamt 2004-11-14 11:08:58 +00:00
parent 3e90bb8279
commit 533d14a1b9
23 changed files with 7089 additions and 14 deletions

dist/pf/etc/pf.conf vendored Normal file

@ -0,0 +1,31 @@
# $OpenBSD: pf.conf,v 1.28 2004/04/29 21:03:09 frantzen Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.
#ext_if="ext0"
#int_if="int0"
#table <spamd> persist
#table <spamd-white> persist
#scrub in
#nat on $ext_if from !($ext_if) -> ($ext_if:0)
#rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
#rdr pass on $ext_if proto tcp from <spamd> to port smtp \
# -> 127.0.0.1 port spamd
#rdr pass on $ext_if proto tcp from !<spamd-white> to port smtp \
# -> 127.0.0.1 port spamd
#block in
#pass out keep state
#pass quick on { lo $int_if }
#antispoof quick for { lo $int_if }
#pass in on $ext_if proto tcp to ($ext_if) port ssh keep state
#pass in on $ext_if proto tcp to ($ext_if) port > 49151 user proxy keep state
#pass in log on $ext_if proto tcp to ($ext_if) port smtp keep state
#pass out log on $ext_if proto tcp from ($ext_if) to port smtp keep state
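Review bot: the order of the two spamd rdr rules deserves a comment, because pf applies the first matching rdr rule and the two are not interchangeable: `rdr pass on $ext_if proto tcp from <spamd> to port smtp` comes first so that a host in <spamd> is sent to spamd even if it also appears in <spamd-white>, and `rdr pass on $ext_if proto tcp from !<spamd-white> to port smtp` then greylists everyone else; swapping them would let a whitelisted-but-blacklisted sender reach the real MTA through the `pass in log on $ext_if proto tcp to ($ext_if) port smtp keep state` rule. The `pass in on $ext_if proto tcp to ($ext_if) port > 49151 user proxy keep state` line likewise only does what it says if ftp-proxy runs as user `proxy` and the `rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021` line is enabled with it; a one-line comment tying those two rules together would keep an admin from opening the high ports for nothing.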

dist/pf/etc/pf.os vendored Normal file

@ -0,0 +1,642 @@
# $OpenBSD: pf.os,v 1.17 2004/04/28 01:01:27 deraadt Exp $
# passive OS fingerprinting
# -------------------------
#
# SYN signatures. Those signatures work for SYN packets only (duh!).
#
# (C) Copyright 2000-2003 by Michal Zalewski <lcamtuf@coredump.cx>
# (C) Copyright 2003 by Mike Frantzen <frantzen@w4g.org>
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
#
#
# This fingerprint database is adapted from Michal Zalewski's p0f passive
# operating system package. The last database sync was from a Nov 3 2003
# p0f.fp.
#
#
# Each line in this file specifies a single fingerprint. Please read the
# information below carefully before attempting to append any signatures
# reported as UNKNOWN to this file to avoid mistakes.
#
# We use the following set metrics for fingerprinting:
#
# - Window size (WSS) - a highly OS dependent setting used for TCP/IP
# performance control (max. amount of data to be sent without ACK).
# Some systems use a fixed value for initial packets. On other
# systems, it is a multiple of MSS or MTU (MSS+40). In some rare
# cases, the value is just arbitrary.
#
# NEW SIGNATURE: if p0f reported a special value of 'Snn', the number
# appears to be a multiple of MSS (MSS*nn); a special value of 'Tnn'
# means it is a multiple of MTU ((MSS+40)*nn). Unless you notice the
# value of nn is not fixed (unlikely), just copy the Snn or Tnn token
# literally. If you know this device has a simple stack and a fixed
# MTU, you can however multiply S value by MSS, or T value by MSS+40,
# and put it instead of Snn or Tnn.
#
# If WSS otherwise looks like a fixed value (for example a multiple
# of two), or if you can confirm the value is fixed, please quote
# it literally. If there's no apparent pattern in WSS chosen, you
# should consider wildcarding this value.
#
# - Overall packet size - a function of all IP and TCP options and bugs.
#
# NEW SIGNATURE: Copy this value literally.
#
# - Initial TTL - We check the actual TTL of a received packet. It can't
# be higher than the initial TTL, and also shouldn't be dramatically
# lower (maximum distance is defined as 40 hops).
#
# NEW SIGNATURE: *Never* copy TTL from a p0f-reported signature literally.
# You need to determine the initial TTL. The best way to do it is to
# check the documentation for a remote system, or check its settings.
# A fairly good method is to simply round the observed TTL up to
# 32, 64, 128, or 255, but it should be noted that some obscure devices
# might not use round TTLs (in particular, some shoddy appliances use
# "original" initial TTL settings). If not sure, you can see how many
# hops you're away from the remote party with traceroute or mtr.
#
# - Don't fragment flag (DF) - some modern OSes set this to implement PMTU
# discovery. Others do not bother.
#
# NEW SIGNATURE: Copy this value literally.
#
# - Maximum segment size (MSS) - this setting is usually link-dependent. P0f
# uses it to determine link type of the remote host.
#
# NEW SIGNATURE: Always wildcard this value, except for rare cases when
# you have an appliance with a fixed value, know the system supports only
# a very limited number of network interface types, or know the system
# is using a value it pulled out of nowhere. Specific unique MSS
# can be used to tell Google crawlbots from the rest of the population.
#
# - Window scaling (WSCALE) - this feature is used to scale WSS.
# It extends the size of a TCP/IP window to 32 bits. Some modern
# systems implement this feature.
#
# NEW SIGNATURE: Observe several signatures. Initial WSCALE is often set
# to zero or other low value. There's usually no need to wildcard this
# parameter.
#
# - Timestamp - some systems that implement timestamps set them to
# zero in the initial SYN. This case is detected and handled appropriately.
#
# - Selective ACK permitted - a flag set by systems that implement
# selective ACK functionality.
#
# - The sequence of TCP all options (MSS, window scaling, selective ACK
# permitted, timestamp, NOP). Other than the options previously
# discussed, p0f also checks for timestamp option (a silly
# extension to broadcast your uptime ;-), NOP options (used for
# header padding) and sackOK option (selective ACK feature).
#
# NEW SIGNATURE: Copy the sequence literally.
#
# To wildcard any value (except for initial TTL or TCP options), replace
# it with '*'. You can also use a modulo operator to match any values
# that divide by nnn - '%nnn'.
#
# Fingerprint entry format:
#
# wwww:ttt:D:ss:OOO...:OS:Version:Subtype:Details
#
# wwww - window size (can be *, %nnn, Snn or Tnn). The special values
# "S" and "T" which are a multiple of MSS or a multiple of MTU
# respectively.
# ttt - initial TTL
# D - don't fragment bit (0 - not set, 1 - set)
# ss - overall SYN packet size
# OOO - option value and order specification (see below)
# OS - OS genre (Linux, Solaris, Windows)
# Version - OS Version (2.0.27 on x86, etc)
# Subtype - OS subtype or patchlevel (SP3, lo0)
# details - Generic OS details
#
# If OS genre starts with '*', p0f will not show distance, link type
# and timestamp data. It is useful for userland TCP/IP stacks of
# network scanners and so on, where many settings are randomized or
# bogus.
#
# If OS genre starts with @, it denotes an approximate hit for a group
# of operating systems (signature reporting still enabled in this case).
# Use this feature at the end of this file to catch cases for which
# you don't have a precise match, but can tell it's Windows or FreeBSD
# or whatnot by looking at, say, flag layout alone.
#
# Option block description is a list of comma or space separated
# options in the order they appear in the packet:
#
# N - NOP option
# Wnnn - window scaling option, value nnn (or * or %nnn)
# Mnnn - maximum segment size option, value nnn (or * or %nnn)
# S - selective ACK OK
# T - timestamp
# T0 - timestamp with a zero value
#
# To denote no TCP options, use a single '.'.
#
# Please report any additions to this file, or any inaccuracies or
# problems spotted, to the maintainers: lcamtuf@coredump.cx,
# frantzen@openbsd.org and bugs@openbsd.org with a tcpdump packet
# capture of the relevant SYN packet(s)
#
# A test and submission page is available at
# http://lcamtuf.coredump.cx/p0f-help/
#
#
# WARNING WARNING WARNING
# -----------------------
#
# Do not add a system X as OS Y just because NMAP says so. It is often
# the case that X is a NAT firewall. While nmap is talking to the
# device itself, p0f is fingerprinting the guy behind the firewall
# instead.
#
# When in doubt, use common sense, don't add something that looks like
# a completely different system as Linux or FreeBSD or LinkSys router.
# Check DNS name, establish a connection to the remote host and look
# at SYN+ACK - does it look similar?
#
# Some users tweak their TCP/IP settings - enable or disable RFC1323
# functionality, enable or disable timestamps or selective ACK,
# disable PMTU discovery, change MTU and so on. Always compare a new rule
# to other fingerprints for this system, and verify the system isn't
# "customized" before adding it. It is OK to add signature variants
# caused by a commonly used software (personal firewalls, security
# packages, etc), but it makes no sense to try to add every single
# possible /proc/sys/net/ipv4 tweak on Linux or so.
#
# KEEP IN MIND: Some packet firewalls configured to normalize outgoing
# traffic (OpenBSD pf with "scrub" enabled, for example) will, well,
# normalize packets. Signatures will not correspond to the originating
# system (and probably not quite to the firewall either).
#
# NOTE: Try to keep this file in some reasonable order, from most to
# least likely systems. This will speed up operation. Also keep most
# generic and broad rules near the end.
#
##########################
# Standard OS signatures #
##########################
# ----------------- AIX ---------------------
# AIX is first because its signatures are close to NetBSD, MacOS X and
# Linux 2.0, but it uses a fairly rare MSSes, at least sometimes...
# This is a shoddy hack, though.
45046:64:0:44:M*: AIX:4.3::AIX 4.3
16384:64:0:44:M512: AIX:4.3:2-3:AIX 4.3.2 and earlier
16384:64:0:60:M512,N,W%2,N,N,T: AIX:4.3:3:AIX 4.3.3-5.2
16384:64:0:60:M512,N,W%2,N,N,T: AIX:5.1-5.2::AIX 4.3.3-5.2
32768:64:0:60:M512,N,W%2,N,N,T: AIX:4.3:3:AIX 4.3.3-5.2
32768:64:0:60:M512,N,W%2,N,N,T: AIX:5.1-5.2::AIX 4.3.3-5.2
65535:64:0:60:M512,N,W%2,N,N,T: AIX:4.3:3:AIX 4.3.3-5.2
65535:64:0:60:M512,N,W%2,N,N,T: AIX:5.1-5.2::AIX 4.3.3-5.2
65535:64:0:64:M*,N,W1,N,N,T,N,N,S: AIX:5.3:ML1:AIX 5.3 ML1
# ----------------- Linux -------------------
# S1:64:0:44:M*:A: Linux:1.2::Linux 1.2.x (XXX quirks support)
512:64:0:44:M*: Linux:2.0:3x:Linux 2.0.3x
16384:64:0:44:M*: Linux:2.0:3x:Linux 2.0.3x
# Endian snafu! Nelson says "ha-ha":
2:64:0:44:M*: Linux:2.0:3x:Linux 2.0.3x (MkLinux) on Mac
64:64:0:44:M*: Linux:2.0:3x:Linux 2.0.3x (MkLinux) on Mac
S4:64:1:60:M1360,S,T,N,W0: Linux:google::Linux (Google crawlbot)
S2:64:1:60:M*,S,T,N,W0: Linux:2.4::Linux 2.4 (big boy)
S3:64:1:60:M*,S,T,N,W0: Linux:2.4:18-21:Linux 2.4.18 and newer
S4:64:1:60:M*,S,T,N,W0: Linux:2.4::Linux 2.4/2.6
S4:64:1:60:M*,S,T,N,W0: Linux:2.6::Linux 2.4/2.6
S3:64:1:60:M*,S,T,N,W1: Linux:2.5::Linux 2.5 (sometimes 2.4)
S4:64:1:60:M*,S,T,N,W1: Linux:2.5-2.6::Linux 2.5/2.6
S3:64:1:60:M*,S,T,N,W2: Linux:2.5::Linux 2.5 (sometimes 2.4)
S4:64:1:60:M*,S,T,N,W2: Linux:2.5::Linux 2.5 (sometimes 2.4)
S20:64:1:60:M*,S,T,N,W0: Linux:2.2:20-25:Linux 2.2.20 and newer
S22:64:1:60:M*,S,T,N,W0: Linux:2.2::Linux 2.2
S11:64:1:60:M*,S,T,N,W0: Linux:2.2::Linux 2.2
# Popular cluster config scripts disable timestamps and
# selective ACK:
S4:64:1:48:M1460,N,W0: Linux:2.4:cluster:Linux 2.4 in cluster
# This needs to be investigated. On some systems, WSS
# is selected as a multiple of MTU instead of MSS. I got
# many submissions for this for many late versions of 2.4:
T4:64:1:60:M1412,S,T,N,W0: Linux:2.4::Linux 2.4 (late, uncommon)
# This happens only over loopback, but let's make folks happy:
32767:64:1:60:M16396,S,T,N,W0: Linux:2.4:lo0:Linux 2.4 (local)
S8:64:1:60:M3884,S,T,N,W0: Linux:2.2:lo0:Linux 2.2 (local)
# Opera visitors:
16384:64:1:60:M*,S,T,N,W0: Linux:2.2:Opera:Linux 2.2 (Opera?)
32767:64:1:60:M*,S,T,N,W0: Linux:2.4:Opera:Linux 2.4 (Opera?)
# Some fairly common mods:
S4:64:1:52:M*,N,N,S,N,W0: Linux:2.4:ts:Linux 2.4 w/o timestamps
S22:64:1:52:M*,N,N,S,N,W0: Linux:2.2:ts:Linux 2.2 w/o timestamps
# ----------------- FreeBSD -----------------
16384:64:1:44:M*: FreeBSD:2.0-2.2::FreeBSD 2.0-4.1
16384:64:1:44:M*: FreeBSD:3.0-3.5::FreeBSD 2.0-4.1
16384:64:1:44:M*: FreeBSD:4.0-4.1::FreeBSD 2.0-4.1
16384:64:1:60:M*,N,W0,N,N,T: FreeBSD:4.4::FreeBSD 4.4
1024:64:1:60:M*,N,W0,N,N,T: FreeBSD:4.4::FreeBSD 4.4
57344:64:1:44:M*: FreeBSD:4.6-4.8:noRFC1323:FreeBSD 4.6-4.8 (no RFC1323)
57344:64:1:60:M*,N,W0,N,N,T: FreeBSD:4.6-4.8::FreeBSD 4.6-4.8
32768:64:1:60:M*,N,W0,N,N,T: FreeBSD:4.8-4.9::FreeBSD 4.8-5.1 (or MacOS X)
32768:64:1:60:M*,N,W0,N,N,T: FreeBSD:5.0-5.1::FreeBSD 4.8-5.1 (or MacOS X)
65535:64:1:60:M*,N,W0,N,N,T: FreeBSD:4.8-4.9::FreeBSD 4.8-5.1 (or MacOS X)
65535:64:1:60:M*,N,W0,N,N,T: FreeBSD:5.0-5.1::FreeBSD 4.8-5.1 (or MacOS X)
65535:64:1:60:M*,N,W1,N,N,T: FreeBSD:4.7-4.9::FreeBSD 4.7-5.1
65535:64:1:60:M*,N,W1,N,N,T: FreeBSD:5.0-5.1::FreeBSD 4.7-5.1
# XXX need quirks support
# 65535:64:1:60:M*,N,W0,N,N,T:Z:FreeBSD:5.1-current (1)
# 65535:64:1:60:M*,N,W1,N,N,T:Z:FreeBSD:5.1-current (2)
# 65535:64:1:60:M*,N,W2,N,N,T:Z:FreeBSD:5.1-current (3)
# 16384:64:1:60:M*,N,N,N,N,N,N,T:FreeBSD:4.4:noTS:FreeBSD 4.4 (w/o timestamps)
# ----------------- NetBSD ------------------
16384:64:0:60:M*,N,W0,N,N,T: NetBSD:1.3::NetBSD 1.3
65535:64:0:60:M*,N,W0,N,N,T0: NetBSD:1.6:opera:NetBSD 1.6 (Opera)
16384:64:0:60:M*,N,W0,N,N,T0: NetBSD:1.6::NetBSD 1.6
16384:64:1:60:M*,N,W0,N,N,T0: NetBSD:1.6:df:NetBSD 1.6 (DF)
65535:64:1:60:M*,N,W1,N,N,T0: NetBSD:1.6::NetBSD 1.6W-current (DF)
65535:64:1:60:M*,N,W0,N,N,T0: NetBSD:1.6::NetBSD 1.6X (DF)
32768:64:1:60:M*,N,W0,N,N,T0: NetBSD:1.6:randomization:NetBSD 1.6ZH-current (w/ ip_id randomization)
# ----------------- OpenBSD -----------------
16384:64:0:60:M*,N,W0,N,N,T: OpenBSD:2.6::NetBSD 1.3 (or OpenBSD 2.6)
16384:64:1:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.0-3.5::OpenBSD 3.0-3.5
16384:64:0:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.0-3.5:no-df:OpenBSD 3.0-3.5 (scrub no-df)
57344:64:1:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.3-3.5::OpenBSD 3.3-3.5
57344:64:0:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.3-3.5:no-df:OpenBSD 3.3-3.5 (scrub no-df)
65535:64:1:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.0-3.5:opera:OpenBSD 3.0-3.5 (Opera)
# ----------------- Solaris -----------------
S17:64:1:64:N,W3,N,N,T0,N,N,S,M*: Solaris:8:RFC1323:Solaris 8 RFC1323
S17:64:1:48:N,N,S,M*: Solaris:8::Solaris 8
S17:255:1:44:M*: Solaris:2.5-2.7::Solaris 2.5 to 7
S6:255:1:44:M*: Solaris:2.6-2.7::Solaris 2.6 to 7
S23:255:1:44:M*: Solaris:2.5:1:Solaris 2.5.1
S34:64:1:48:M*,N,N,S: Solaris:2.9::Solaris 9
S44:255:1:44:M*: Solaris:2.7::Solaris 7
4096:64:0:44:M1460: SunOS:4.1::SunOS 4.1.x
S34:64:1:52:M*,N,W0,N,N,S: Solaris:10::Solaris 10 (beta)
# ----------------- IRIX --------------------
49152:64:0:44:M*: IRIX:6.4::IRIX 6.4
61440:64:0:44:M*: IRIX:6.2-6.5::IRIX 6.2-6.5
49152:64:0:52:M*,N,W2,N,N,S: IRIX:6.5:RFC1323:IRIX 6.5 (RFC1323)
49152:64:0:52:M*,N,W3,N,N,S: IRIX:6.5:RFC1323:IRIX 6.5 (RFC1323)
61440:64:0:48:M*,N,N,S: IRIX:6.5:12-21:IRIX 6.5.12 - 6.5.21
49152:64:0:48:M*,N,N,S: IRIX:6.5:15-21:IRIX 6.5.15 - 6.5.21
# ----------------- Tru64 -------------------
32768:64:1:48:M*,N,W0: Tru64:4.0::Tru64 4.0 (or OS/2 Warp 4)
32768:64:0:48:M*,N,W0: Tru64:5.0::Tru64 5.0
8192:64:0:44:M1460: Tru64:5.1:noRFC1323:Tru64 6.1 (no RFC1323) (or QNX 6)
61440:64:0:48:M*,N,W0: Tru64:5.1a:JP4:Tru64 v5.1a JP4 (or OpenVMS 7.x on Compaq 5.x stack)
# ----------------- OpenVMS -----------------
6144:64:1:60:M*,N,W0,N,N,T: OpenVMS:7.2::OpenVMS 7.2 (Multinet 4.4 stack)
# ----------------- MacOS -------------------
# XXX Need EOL tcp opt support
# S2:255:1:48:M*,W0,E:.:MacOS:8.6 classic
# XXX some of these use EOL too
16616:255:1:48:M*,W0: MacOS:7.3-7.6:OTTCP:MacOS 7.3-8.6 (OTTCP)
16616:255:1:48:M*,W0: MacOS:8.0-8.6:OTTCP:MacOS 7.3-8.6 (OTTCP)
16616:255:1:48:M*,N,N,N: MacOS:8.1-8.6:OTTCP:MacOS 8.1-8.6 (OTTCP)
32768:255:1:48:M*,W0,N: MacOS:9.0-9.2::MacOS 9.0-9.2
65535:255:1:48:M*,N,N,N,N: MacOS:9.1::MacOS 9.1 (OT 2.7.4)
# ----------------- Windows -----------------
# Windows TCP/IP stack is a mess. For most recent XP, 2000 and
# even 98, the pathlevel, not the actual OS version, is more
# relevant to the signature. They share the same code, so it would
# seem. Luckily for us, almost all Windows 9x boxes have an
# awkward MSS of 536, which I use to tell one from another
# in most difficult cases.
8192:32:1:44:M*: Windows:3.11::Windows 3.11 (Tucows)
S44:64:1:64:M*,N,W0,N,N,T0,N,N,S: Windows:95::Windows 95
8192:128:1:64:M*,N,W0,N,N,T0,N,N,S: Windows:95:b:Windows 95b
# There were so many tweaking tools and so many stack versions for
# Windows 98 it is no longer possible to tell them from each other
# without some very serious research. Until then, there's an insane
# number of signatures, for your amusement:
S44:32:1:48:M*,N,N,S: Windows:98:lowTTL:Windows 98 (low TTL)
8192:32:1:48:M*,N,N,S: Windows:98:lowTTL:Windows 98 (low TTL)
%8192:64:1:48:M536,N,N,S: Windows:98::Windows 98
%8192:128:1:48:M536,N,N,S: Windows:98::Windows 98
S4:64:1:48:M*,N,N,S: Windows:98::Windows 98
S6:64:1:48:M*,N,N,S: Windows:98::Windows 98
S12:64:1:48:M*,N,N,S: Windows:98::Windows 98
T30:64:1:64:M1460,N,W0,N,N,T0,N,N,S: Windows:98::Windows 98
32767:64:1:48:M*,N,N,S: Windows:98::Windows 98
37300:64:1:48:M*,N,N,S: Windows:98::Windows 98
46080:64:1:52:M*,N,W3,N,N,S: Windows:98:RFC1323:Windows 98 (RFC1323)
65535:64:1:44:M*: Windows:98:noSack:Windows 98 (no sack)
S16:128:1:48:M*,N,N,S: Windows:98::Windows 98
S16:128:1:64:M*,N,W0,N,N,T0,N,N,S: Windows:98::Windows 98
S26:128:1:48:M*,N,N,S: Windows:98::Windows 98
T30:128:1:48:M*,N,N,S: Windows:98::Windows 98
32767:128:1:52:M*,N,W0,N,N,S: Windows:98::Windows 98
60352:128:1:48:M*,N,N,S: Windows:98::Windows 98
60352:128:1:64:M*,N,W2,N,N,T0,N,N,S: Windows:98::Windows 98
# What's with 1414 on NT?
T31:128:1:44:M1414: Windows:NT:4.0:Windows NT 4.0 SP6a
64512:128:1:44:M1414: Windows:NT:4.0:Windows NT 4.0 SP6a
8192:128:1:44:M*: Windows:NT:4.0:Windows NT 4.0 (older)
# Windows XP and 2000. Most of the signatures that were
# either dubious or non-specific (no service pack data)
# were deleted and replaced with generics at the end.
65535:128:1:48:M*,N,N,S: Windows:2000:SP4:Windows 2000 SP4, XP SP1
65535:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows 2000 SP4, XP SP1
%8192:128:1:48:M*,N,N,S: Windows:2000:SP2+:Windows 2000 SP2, XP SP1 (seldom 98 4.10.2222)
%8192:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows 2000 SP2, XP SP1 (seldom 98 4.10.2222)
S20:128:1:48:M*,N,N,S: Windows:2000::Windows 2000/XP SP3
S20:128:1:48:M*,N,N,S: Windows:XP:SP3:Windows 2000/XP SP3
S45:128:1:48:M*,N,N,S: Windows:2000:SP4:Windows 2000 SP4, XP SP 1
S45:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows 2000 SP4, XP SP 1
40320:128:1:48:M*,N,N,S: Windows:2000:SP4:Windows 2000 SP4
S6:128:1:48:M*,N,N,S: Windows:2000:SP2:Windows XP, 2000 SP2+
S6:128:1:48:M*,N,N,S: Windows:XP::Windows XP, 2000 SP2+
S12:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows XP SP1
S44:128:1:48:M*,N,N,S: Windows:2000:SP3:Windows Pro SP1, 2000 SP3
S44:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows Pro SP1, 2000 SP3
64512:128:1:48:M*,N,N,S: Windows:2000:SP3:Windows SP1, 2000 SP3
64512:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows SP1, 2000 SP3
32767:128:1:48:M*,N,N,S: Windows:2000:SP4:Windows SP1, 2000 SP4
32767:128:1:48:M*,N,N,S: Windows:XP:SP1:Windows SP1, 2000 SP4
# Odds, ends, mods:
S52:128:1:48:M1260,N,N,S: Windows:2000:cisco:Windows XP/2000 via Cisco
S52:128:1:48:M1260,N,N,S: Windows:XP:cisco:Windows XP/2000 via Cisco
65520:128:1:48:M*,N,N,S: Windows:XP::Windows XP bare-bone
16384:128:1:52:M536,N,W0,N,N,S: Windows:2000:ZoneAlarm:Windows 2000 w/ZoneAlarm?
2048:255:0:40:.: Windows:.NET::Windows .NET Enterprise Server
# No need to be more specific, it passes:
# *:128:1:48:M*,N,N,S:U:-Windows:XP/2000 while downloading (leak!) XXX quirk
# there is an equiv similar generic sig w/o the quirk
# ----------------- HP/UX -------------------
32768:64:1:44:M*: HP-UX:B.10.20::HP-UX B.10.20
32768:64:0:48:M*,W0,N: HP-UX:11.0::HP-UX 11.0
32768:64:1:48:M*,W0,N: HP-UX:11.10::HP-UX 11.0 or 11.11
32768:64:1:48:M*,W0,N: HP-UX:11.11::HP-UX 11.0 or 11.11
# Whoa. Hardcore WSS.
0:64:0:48:M*,W0,N: HP-UX:B.11.00:A:HP-UX B.11.00 A (RFC1323)
# ----------------- RiscOS ------------------
# We don't yet support the ?12 TCP option
#16384:64:1:68:M1460,N,W0,N,N,T,N,N,?12: RISCOS:3.70-4.36::RISC OS 3.70-4.36
12288:32:0:44:M536: RISC OS:3.70:4.10:RISC OS 3.70 inet 4.10
# XXX quirk
# 4096:64:1:56:M1460,N,N,T:T: RISC OS:3.70:freenet:RISC OS 3.70 freenet 2.00
# ----------------- BSD/OS ------------------
# Once again, power of two WSS is also shared by MacOS X with DF set
8192:64:1:60:M1460,N,W0,N,N,T: BSD/OS:3.1::BSD/OS 3.1-4.3 (or MacOS X 10.2 w/DF)
8192:64:1:60:M1460,N,W0,N,N,T: BSD/OS:4.0-4.3::BSD/OS 3.1-4.3 (or MacOS X 10.2)
# ---------------- NewtonOS -----------------
4096:64:0:44:M1420: NewtonOS:2.1::NewtonOS 2.1
# ---------------- NeXTSTEP -----------------
S8:64:0:44:M512: NeXTSTEP:3.3::NeXTSTEP 3.3
# ------------------ BeOS -------------------
1024:255:0:48:M*,N,W0: BeOS:5.0-5.1::BeOS 5.0-5.1
12288:255:0:44:M1402: BeOS:5.0::BeOS 5.0.x
# ------------------ OS/400 -----------------
8192:64:1:60:M1440,N,W0,N,N,T: OS/400:VR4::OS/400 VR4/R5
8192:64:1:60:M1440,N,W0,N,N,T: OS/400:VR5::OS/400 VR4/R5
4096:64:1:60:M1440,N,W0,N,N,T: OS/400:V4R5:CF67032:OS/400 V4R5 + CF67032
# XXX quirk
# 28672:64:0:44:M1460:A:OS/390:?
# ------------------ ULTRIX -----------------
16384:64:0:40:.: ULTRIX:4.5::ULTRIX 4.5
# ------------------- QNX -------------------
S16:64:0:44:M512: QNX:::QNX demodisk
# ------------------ Novell -----------------
16384:128:1:44:M1460: Novell:NetWare:5.0:Novel Netware 5.0
6144:128:1:44:M1460: Novell:IntranetWare:4.11:Novell IntranetWare 4.11
6144:128:1:44:M1368: Novell:BorderManager::Novell BorderManager ?
6144:128:1:52:M*,W0,N,S,N,N: Novell:Netware:6:Novell Netware 6 SP3
# ----------------- SCO ------------------
S3:64:1:60:M1460,N,W0,N,N,T: SCO:UnixWare:7.1:SCO UnixWare 7.1
S23:64:1:44:M1380: SCO:OpenServer:5.0:SCO OpenServer 5.0
# ------------------- DOS -------------------
2048:255:0:44:M536: DOS:WATTCP:1.05:DOS Arachne via WATTCP/1.05
# ------------------ OS/2 -------------------
S56:64:0:44:M512: OS/2:4::OS/2 4
# ----------------- TOPS-20 -----------------
# Another hardcore MSS, one of the ACK leakers hunted down.
# XXX QUIRK 0:64:0:44:M1460:A:TOPS-20:version 7
0:64:0:44:M1460: TOPS-20:7::TOPS-20 version 7
# ------------------ AMIGA ------------------
# XXX TCP option 12
# S32:64:1:56:M*,N,N,S,N,N,?12:.:AMIGA:3.9 BB2 with Miami stack
# ------------------ Plan9 ------------------
65535:255:0:48:M1460,W0,N: Plan9:4::Plan9 edition 4
# ----------------- AMIGAOS -----------------
16384:64:1:48:M1560,N,N,S: AMIGAOS:3.9::AMIGAOS 3.9 BB2 MiamiDX
###########################################
# Appliance / embedded / other signatures #
###########################################
# ---------- Firewalls / routers ------------
S12:64:1:44:M1460: @Checkpoint:::Checkpoint (unknown 1)
S12:64:1:48:N,N,S,M1460: @Checkpoint:::Checkpoint (unknown 2)
4096:32:0:44:M1460: ExtremeWare:4.x::ExtremeWare 4.x
60352:64:0:52:M1460,N,W2,N,N,S: Clavister:7::Clavister firewall 7.x
# XXX TCP option 12
# S32:64:0:68:M512,N,W0,N,N,T,N,N,?12:.:Nokia:IPSO w/Checkpoint NG FP3
# S16:64:0:68:M1024,N,W0,N,N,T,N,N,?12:.:Nokia:IPSO 3.7 build 026
S4:64:1:60:W0,N,S,T,M1460: FortiNet:FortiGate:50:FortiNet FortiGate 50
8192:64:1:44:M1460: Eagle:::Eagle Secure Gateway
# ------- Switches and other stuff ----------
4128:255:0:44:M*: Cisco:::Cisco Catalyst 3500, 7500 etc
S8:255:0:44:M*: Cisco:12008::Cisco 12008
60352:128:1:64:M1460,N,W2,N,N,T,N,N,S: Alteon:ACEswitch::Alteon ACEswitch
64512:128:1:44:M1370: Nortel:Contivity Client::Nortel Conectivity Client
# ---------- Caches and whatnots ------------
S4:64:1:52:M1460,N,N,S,N,W0: AOL:web cache::AOL web cache
32850:64:1:64:N,W1,N,N,T,N,N,S,M*: NetApp:5.x::NetApp Data OnTap 5.x
16384:64:1:64:M1460,N,N,S,N,W0,N: NetApp:5.3:1:NetApp 5.3.1
65535:64:0:64:M1460,N,N,S,N,W*,N,N,T: NetApp:5.3-5.5::NetApp 5.3-5.5
65535:64:0:60:M1460,N,W0,N,N,T: NetApp:CacheFlow::NetApp CacheFlow
8192:64:1:64:M1460,N,N,S,N,W0,N,N,T: NetApp:5.2:1:NetApp NetCache 5.2.1
20480:64:1:64:M1460,N,N,S,N,W0,N,N,T: NetApp:4.1::NetApp NetCache4.1
65535:64:0:60:M1460,N,W0,N,N,T: CacheFlow:4.1::CacheFlow CacheOS 4.1
8192:64:0:60:M1380,N,N,N,N,N,N,T: CacheFlow:1.1::CacheFlow CacheOS 1.1
S4:64:0:48:M1460,N,N,S: Cisco:Content Engine::Cisco Content Engine
27085:128:0:40:.: Dell:PowerApp cache::Dell PowerApp (Linux-based)
65535:255:1:48:N,W1,M1460: Inktomi:crawler::Inktomi crawler
S1:255:1:60:M1460,S,T,N,W0: LookSmart:ZyBorg::LookSmart ZyBorg
16384:255:0:40:.: Proxyblocker:::Proxyblocker (what's this?)
# ----------- Embedded systems --------------
S9:255:0:44:M536: PalmOS:Tungsten:C:PalmOS Tungsten C
S5:255:0:44:M536: PalmOS:3::PalmOS 3/4
S5:255:0:44:M536: PalmOS:4::PalmOS 3/4
S4:255:0:44:M536: PalmOS:3:5:PalmOS 3.5
2948:255:0:44:M536: PalmOS:3:5:PalmOS 3.5.3 (Handera)
S29:255:0:44:M536: PalmOS:5::PalmOS 5.0
S23:64:1:64:N,W1,N,N,T,N,N,S,M1460: SymbianOS:7::SymbianOS 7
8192:255:0:44:M1460: SymbianOS:6048::SymbianOS 6048 (on Nokia 7650?)
8192:255:0:44:M536: SymbianOS:::SymbianOS (on Nokia 9210?)
# Perhaps S4?
5840:64:1:60:M1452,S,T,N,W1: Zaurus:3.10::Zaurus 3.10
32768:128:1:64:M1460,N,W0,N,N,T0,N,N,S: PocketPC:2002::PocketPC 2002
S1:255:0:44:M346: Contiki:1.1:rc0:Contiki 1.1-rc0
4096:128:0:44:M1460: Sega:Dreamcast:3.0:Sega Dreamcast Dreamkey 3.0
T5:64:0:44:M536: Sega:Dreamcast:HKT-3020:Sega Dreamcast HKT-3020 (browser disc 51027)
S22:64:1:44:M1460: Sony:PS2::Sony Playstation 2 (SOCOM?)
S12:64:0:44:M1452: AXIS:5600:v5.64:AXIS Printer Server 5600 v5.64
####################
# Fancy signatures #
####################
1024:64:0:40:.: *NMAP:syn scan:1:NMAP syn scan (1)
2048:64:0:40:.: *NMAP:syn scan:2:NMAP syn scan (2)
3072:64:0:40:.: *NMAP:syn scan:3:NMAP syn scan (3)
4096:64:0:40:.: *NMAP:syn scan:4:NMAP syn scan (4)
1024:64:0:60:W10,N,M265,T: *NMAP:OS:1:NMAP OS detection probe (1)
2048:64:0:60:W10,N,M265,T: *NMAP:OS:2:NMAP OS detection probe (2)
3072:64:0:60:W10,N,M265,T: *NMAP:OS:3:NMAP OS detection probe (3)
4096:64:0:60:W10,N,M265,T: *NMAP:OS:4:NMAP OS detection probe (4)
#####################################
# Generic signatures - just in case #
#####################################
#*:64:1:60:M*,N,W*,N,N,T: @FreeBSD:4.0-4.9::FreeBSD 4.x/5.x
#*:64:1:60:M*,N,W*,N,N,T: @FreeBSD:5.0-5.1::FreeBSD 4.x/5.x
*:128:1:52:M*,N,W0,N,N,S: @Windows:XP:RFC1323:Windows XP/2000 (RFC1323 no tstamp)
*:128:1:52:M*,N,W0,N,N,S: @Windows:2000:RFC1323:Windows XP/2000 (RFC1323 no tstamp)
*:128:1:64:M*,N,W0,N,N,T0,N,N,S: @Windows:XP:RFC1323:Windows XP/2000 (RFC1323)
*:128:1:64:M*,N,W0,N,N,T0,N,N,S: @Windows:2000:RFC1323:Windows XP/2000 (RFC1323)
*:128:1:64:M*,N,W*,N,N,T0,N,N,S: @Windows:XP:RFC1323:Windows XP (RFC1323, w+)
*:128:1:48:M536,N,N,S: @Windows:98::Windows 98
*:128:1:48:M*,N,N,S: @Windows:XP::Windows XP/2000
*:128:1:48:M*,N,N,S: @Windows:2000::Windows XP/2000
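Review bot: a resync reference and one format clarification are needed here. The header says the last p0f sync was a Nov 3 2003 p0f.fp while the file carries `$OpenBSD: pf.os,v 1.17 2004/04/28`; keep that RCS id intact on import so later pulls from OpenBSD can be diffed instead of re-merged. The format text says "To wildcard any value (except for initial TTL or TCP options), replace it with '*'", yet the option block description allows `Wnnn - window scaling option, value nnn (or * or %nnn)` and the database relies on it (`65535:64:0:64:M1460,N,N,S,N,W*,N,N,T: NetApp:5.3-5.5` and the `W%2` entries in the AIX block), so the exception in that sentence should be narrowed to the option sequence itself, not option values. The NMAP entries under "Fancy signatures" match only that scanner's SYN probes as shipped at the time (`1024:64:0:40:.` through `4096:64:0:60:W10,N,M265,T`), and the `*NMAP` genre prefix suppresses distance and link output as the header explains; anyone using `os` matching in pf rules to drop scanners should treat it as best effort, and the header's own warning about scrub applies to inbound traffic that crosses any normalizing firewall before it reaches this host.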

dist/pf/etc/spamd.conf vendored Normal file

@ -0,0 +1,86 @@
# $OpenBSD: spamd.conf,v 1.9 2004/01/21 08:07:39 deraadt Exp $
#
# spamd config file, read by spamd-setup(8) for spamd(8)
#
# See spamd.conf(5)
#
# Configures whitelists and blacklists for spamd
#
# Strings follow getcap(3) convention escapes, other than you
# can have a bare colon (:) inside a quoted string and it
# will deal with it. See spamd-setup(8) for more details.
#
# "all" must be here, and defines the order in which lists are applied
# whitelists apply to the previous blacklist. more than one whitelist
# may be applied to each blacklist
#
# As of Aug 2003, a place to search for black lists is
# http://spamlinks.port5.com/filter-bl.htm#ip
#
# Some of the URLs below point to www.openbsd.org locations. Those
# files are likely to be mirrored to other OpenBSD www mirrors located
# around the world. Hence, it is possible to edit this file and rewrite
# www.openbsd.org with, for instance, to www.de.openbsd.org
all:\
:spamhaus:china:korea:
# Mirrored from http://spfilter.openrbl.org/data/sbl/SBL.cidr.bz2
spamhaus:\
:black:\
:msg="SPAM. Your address %A is in the Spamhaus Block List\n\
See http://www.spamhaus.org/sbl and\
http://www.abuse.net/sbl.phtml?IP=%A for more details":\
:method=http:\
:file=www.openbsd.org/spamd/SBL.cidr.gz
# Mirrored from http://www.spews.org/spews_list_level1.txt
spews1:\
:black:\
:msg="SPAM. Your address %A is in the spews level 1 database\n\
See http://www.spews.org/ask.cgi?x=%A for more details":\
:method=http:\
:file=www.openbsd.org/spamd/spews_list_level1.txt.gz
# Mirrored from http://www.spews.org/spews_list_level2.txt
spews2:\
:black:\
:msg="SPAM. Your address %A is in the spews level 2 database\n\
See http://www.spews.org/ask.cgi?x=%A for more details":\
:method=http:\
:file=www.openbsd.org/spamd/spews_list_level2.txt.gz
# Mirrored from http://www.okean.com/chinacidr.txt
china:\
:black:\
:msg="SPAM. Your address %A appears to be from China\n\
See http://www.okean.com/asianspamblocks.html for more details":\
:method=http:\
:file=www.openbsd.org/spamd/chinacidr.txt.gz
# Mirrored from http://www.okean.com/koreacidr.txt
korea:\
:black:\
:msg="SPAM. Your address %A appears to be from Korea\n\
See http://www.okean.com/asianspamblocks.html for more details":\
:method=http:\
:file=www.openbsd.org/spamd/koreacidr.txt.gz
# Whitelists are done like this, and must be added to "all" after each
# blacklist from which you want the addresses in the whitelist removed.
#
#whitelist:\
# :white:\
# :file=/var/mail/whitelist.txt
relaydb-black:\
:black:\
:msg="SPAM. Your address %A is in my relaydb list.":\
:method=exec:\
:file=relaydb -4lb:
relaydb-white:\
:white:\
:method=exec:\
:file=relaydb -4lw:
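Review bot: the trust model of the `method=http` lists should be stated in the file. `spamhaus`, `china` and `korea` (the only entries in `all:\ :spamhaus:china:korea:`) are fetched from www.openbsd.org over plain HTTP with no checksum or signature, and spamd-setup(8) loads the result into the pf <spamd> table, so a compromised mirror or an on-path attacker can add arbitrary networks and have their mail tarpitted; the header's suggestion to rewrite www.openbsd.org to a mirror such as www.de.openbsd.org extends that trust to whatever mirror is chosen. Also, `spews1`, `spews2`, `relaydb-black` and `relaydb-white` are defined but absent from `all:`, so they are inert as shipped; a comment saying so would avoid surprise, and for the two `method=exec` entries it should add that enabling them runs `relaydb -4lb` / `relaydb -4lw` with spamd-setup's privileges.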


@ -1,8 +1,9 @@
# $OpenBSD: Makefile,v 1.15 2004/03/10 18:49:49 mcbride Exp $
# $OpenBSD: Makefile,v 1.17 2004/07/16 23:44:24 frantzen Exp $
PROG= pfctl
SRCS= pfctl.c parse.y pfctl_parser.c pf_print_state.c pfctl_altq.c
SRCS+= pfctl_osfp.c pfctl_radix.c pfctl_table.c pfctl_qstats.c
SRCS+= pfctl_optimize.c
CFLAGS+= -Wall -Wmissing-prototypes -Wno-uninitialized
CFLAGS+= -Wstrict-prototypes -I${.CURDIR}
YFLAGS=
@ -12,3 +13,11 @@ LDADD+= -lm
DPADD+= ${LIBM}
.include <bsd.prog.mk>
# XXX
.if (${MACHINE_ARCH} == "m88k")
parse.o: parse.y
${YACC.y} ${.IMPSRC}
${COMPILE.c} -fno-schedule-insns2 -o ${.TARGET} y.tab.c
rm -f y.tab.c
.endif
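Review bot: the `# XXX` above `.if (${MACHINE_ARCH} == "m88k")` should say what is being worked around (a code generation problem in the m88k compiler's second scheduling pass, judging by `-fno-schedule-insns2`) and with which compiler version, otherwise nobody will know when it can go. Two smaller points: the rule runs `${YACC.y} ${.IMPSRC}` and `rm -f y.tab.c` only after a successful compile, so a failed `${COMPILE.c}` leaves y.tab.c behind in the object directory; and the block is OpenBSD-specific, since NetBSD has no m88k port, so in this import it is dead code and could be dropped rather than carried.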

dist/pf/sbin/pfctl/pfctl_optimize.c vendored Normal file

File diff suppressed because it is too large


@ -1,4 +1,4 @@
/* $OpenBSD: pflogd.c,v 1.27 2004/02/13 19:01:57 otto Exp $ */
/* $OpenBSD: pflogd.c,v 1.30 2004/08/08 19:04:25 deraadt Exp $ */
/*
* Copyright (c) 2001 Theo de Raadt
@ -255,16 +255,19 @@ reset_dump(void)
fp = fdopen(fd, "a+");
if (fp == NULL) {
close(fd);
logmsg(LOG_ERR, "Error: %s: %s", filename, strerror(errno));
return (1);
}
if (fstat(fileno(fp), &st) == -1) {
fclose(fp);
logmsg(LOG_ERR, "Error: %s: %s", filename, strerror(errno));
return (1);
}
/* set FILE unbuffered, we do our own buffering */
if (setvbuf(fp, NULL, _IONBF, 0)) {
fclose(fp);
logmsg(LOG_ERR, "Failed to set output buffers");
return (1);
}
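Review bot: in the fstat failure path the new `fclose(fp);` runs before `logmsg(LOG_ERR, "Error: %s: %s", filename, strerror(errno));`, and fclose(3) may change errno, so the logged reason can be the close's rather than fstat's; save errno before the fclose (the same `olderrno` pattern this commit adds in privsep.c) or log first and close second. The setvbuf path is fine since its message does not use errno. The fclose itself is right in both places: fdopen(3) owns fd once it has returned a FILE, and the earlier `close(fd)` correctly applies only when fdopen returned NULL.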
@ -275,6 +278,7 @@ reset_dump(void)
if (snaplen != cur_snaplen) {
logmsg(LOG_NOTICE, "Using snaplen %d", snaplen);
if (set_snaplen(snaplen)) {
fclose(fp);
logmsg(LOG_WARNING,
"Failed, using old settings");
}
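Review bot: after the added `fclose(fp);` in the set_snaplen failure path the message "Failed, using old settings" reads as though reset_dump continues with the previous dump file, but fp has just been closed; confirm that a return follows this block (it is outside the hunk) and that nothing below stores or writes through fp, otherwise this is a write to a closed FILE on the snaplen-change path. If the intent really is to keep the old settings and carry on, the fclose belongs next to a return, not ahead of further work on fp.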
@ -485,7 +489,7 @@ dump_packet(u_char *user, const struct pcap_pkthdr *h, const u_char *sp)
return;
}
append:
append:
memcpy(bufpos, h, sizeof(*h));
memcpy(bufpos + sizeof(*h), sp, h->caplen);
@ -502,6 +506,7 @@ main(int argc, char **argv)
struct pcap_stat pstat;
int ch, np, Xflag = 0;
pcap_handler phandler = dump_packet;
const char *errstr = NULL;
closefrom(STDERR_FILENO + 1);
@ -511,18 +516,19 @@ main(int argc, char **argv)
Debug = 1;
break;
case 'd':
delay = atoi(optarg);
if (delay < 5 || delay > 60*60)
delay = strtonum(optarg, 5, 60*60, &errstr);
if (errstr)
usage();
break;
case 'f':
filename = optarg;
break;
case 's':
snaplen = atoi(optarg);
snaplen = strtonum(optarg, 0, PFLOGD_MAXSNAPLEN,
&errstr);
if (snaplen <= 0)
snaplen = DEF_SNAPLEN;
if (snaplen > PFLOGD_MAXSNAPLEN)
if (errstr)
snaplen = PFLOGD_MAXSNAPLEN;
break;
case 'x':
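Review bot: the `-s` conversion silently swallows bad input. When `strtonum()` sets `errstr` (non-numeric or out of range) it returns 0, so `snaplen` first becomes `DEF_SNAPLEN` via the `snaplen <= 0` check and is then overwritten with `PFLOGD_MAXSNAPLEN`; `-s abc` or `-s -1` therefore yield the maximum snaplen with no diagnostic, whereas `-d` with the same failure calls `usage()`. Treat `errstr` for `-s` the same way, or at least keep the clamp only for the "too large" case and reject the rest. With `strtonum()` enforcing a lower bound of 0 the remaining `snaplen <= 0` check only serves to map an explicit `-s 0` to `DEF_SNAPLEN`; if that is intended, a comment would help.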

@ -1,4 +1,4 @@
/* $OpenBSD: privsep.c,v 1.8 2004/03/14 19:17:05 otto Exp $ */
/* $OpenBSD: privsep.c,v 1.12 2004/07/14 19:07:03 henning Exp $ */
/*
* Copyright (c) 2003 Can Erkin Acar
@ -67,7 +67,7 @@ int
priv_init(void)
{
int i, fd, socks[2], cmd;
int snaplen, ret;
int snaplen, ret, olderrno;
struct passwd *pw;
for (i = 1; i < _NSIG; i++)
@ -147,12 +147,14 @@ priv_init(void)
fd = open(filename,
O_RDWR|O_CREAT|O_APPEND|O_NONBLOCK|O_NOFOLLOW,
0600);
olderrno = errno;
send_fd(socks[0], fd);
if (fd < 0)
logmsg(LOG_NOTICE,
"[priv]: failed to open %s: %s",
filename, strerror(errno));
send_fd(socks[0], fd);
close(fd);
filename, strerror(olderrno));
else
close(fd);
break;
default:
@ -211,7 +213,7 @@ priv_open_log(void)
int cmd, fd;
if (priv_fd < 0)
errx(1, "%s: called from privileged portion\n", __func__);
errx(1, "%s: called from privileged portion", __func__);
cmd = PRIV_OPEN_LOG;
must_write(priv_fd, &cmd, sizeof(int));

@ -1,4 +1,4 @@
/* $OpenBSD: privsep_fdpass.c,v 1.1 2003/10/22 18:51:55 canacar Exp $ */
/* $OpenBSD: privsep_fdpass.c,v 1.2 2004/08/13 02:51:48 djm Exp $ */
/*
* Copyright 2001 Niels Provos <provos@citi.umich.edu>
@ -108,6 +108,10 @@ receive_fd(int sock)
__func__, (long)n);
if (result == 0) {
cmsg = CMSG_FIRSTHDR(&msg);
if (cmsg == NULL) {
warnx("%s: no message header", __func__);
return -1;
}
if (cmsg->cmsg_type != SCM_RIGHTS)
warnx("%s: expected type %d got %d", __func__,
SCM_RIGHTS, cmsg->cmsg_type);
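Review bot: the new `cmsg == NULL` check returns -1, but the existing `cmsg_type != SCM_RIGHTS` check directly below it only warns and continues, so a control message of some other type still falls through to the descriptor extraction. Return -1 there as well, for the same reason the NULL case now does: the receiving side should not treat a malformed message from its peer as a valid file descriptor.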

dist/pf/share/man/man4/pf.4 vendored Normal file (1099 lines; diff not shown)

dist/pf/share/man/man4/pflog.4 vendored Normal file
@ -0,0 +1,89 @@
.\" $OpenBSD: pflog.4,v 1.7 2004/03/21 19:47:59 miod Exp $
.\"
.\" Copyright (c) 2001 Tobias Weingartner
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd December 10, 2001
.Dt PFLOG 4
.Os
.Sh NAME
.Nm pflog
.Nd packet filter logging interface
.Sh SYNOPSIS
.Cd "pseudo-device pflog"
.Sh DESCRIPTION
The
.Nm pflog
interface is a pseudo-device which makes visible all packets logged by
the packet filter,
.Xr pf 4 .
Logged packets can easily be monitored in real
time by invoking
.Xr tcpdump 8
on the
.Nm
interface, or stored to disk using
.Xr pflogd 8 .
.Pp
Each packet retrieved on this interface has a header associated
with it of length
.Dv PFLOG_HDRLEN .
This header documents the address family, interface name, rule
number, reason, action, and direction of the packet that was logged.
This structure, defined in
.Aq Pa net/if_pflog.h
looks like
.Bd -literal -offset indent
struct pfloghdr {
u_int8_t length;
sa_family_t af;
u_int8_t action;
u_int8_t reason;
char ifname[IFNAMSIZ];
char ruleset[PF_RULESET_NAME_SIZE];
u_int32_t rulenr;
u_int32_t subrulenr;
u_int8_t dir;
u_int8_t pad[3];
};
.Ed
.Sh EXAMPLES
.Bd -literal -offset indent
# ifconfig pflog0 up
# tcpdump -n -e -ttt -i pflog0
.Ed
.Sh SEE ALSO
.Xr inet 4 ,
.Xr inet6 4 ,
.Xr netintro 4 ,
.Xr pf 4 ,
.Xr ifconfig 8 ,
.Xr pflogd 8 ,
.Xr tcpdump 8
.Sh HISTORY
The
.Nm
device first appeared in
.Ox 3.0 .
.\" .Sh BUGS
.\" Anything here?

dist/pf/share/man/man5/pf.conf.5 vendored Normal file (2729 lines; diff not shown)

dist/pf/share/man/man5/pf.os.5 vendored Normal file
@ -0,0 +1,242 @@
.\" $OpenBSD: pf.os.5,v 1.6 2004/03/31 11:13:03 dhartmei Exp $
.\"
.\" Copyright (c) 2003 Mike Frantzen <frantzen@w4g.org>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.Dd August 18, 2003
.Dt PF.OS 5
.Os
.Sh NAME
.Nm pf.os
.Nd format of the operating system fingerprints file
.Sh DESCRIPTION
The
.Xr pf 4
firewall and the
.Xr tcpdump 8
program can both fingerprint the operating system of hosts that
originate an IPv4 TCP connection.
The file consists of newline-separated records, one per fingerprint,
containing nine colon
.Pq Ql \&:
separated fields.
These fields are as follows:
.Pp
.Bl -tag -width Description -offset indent -compact
.It window
The TCP window size.
.It TTL
The IP time to live.
.It df
The presence of the IPv4 don't fragment bit.
.It packet size
The size of the initial TCP packet.
.It TCP options
An ordered list of the TCP options.
.It class
The class of operating system.
.It version
The version of the operating system.
.It subtype
The subtype of patchlevel of the operating system.
.It description
The overall textual description of the operating system, version and subtype.
.El
.Pp
The
.Ar window
field corresponds to the th->th_win field in the TCP header and is the
source host's advertised TCP window size.
It may be between zero and 65,535 inclusive.
The window size may be given as a multiple of a constant by prepending
the size with a percent sign
.Sq %
and the value will be used as a modulus.
Three special values may be used for the window size:
.Pp
.Bl -tag -width xxx -offset indent -compact
.It *
An asterisk will wildcard the value so any window size will match.
.It S
Allow any window size which is a multiple of the maximum segment size (MSS).
.It T
Allow any window size which is a multiple of the maximum transmission unit
(MTU).
.El
.Pp
The
.Ar ttl
value is the initial time to live in the IP header.
The fingerprint code will account for the volatility of the packet's TTL
as it traverses a network.
.Pp
The
.Ar df
bit corresponds to the Don't Fragment bit in an IPv4 header.
It tells intermediate routers not to fragment the packet and is used for
path MTU discovery.
It may be either a zero or a one.
.Pp
The
.Ar packet size
is the literal size of the full IP packet and is a function of all of
the IP and TCP options.
.Pp
The
.Ar TCP options
field is an ordered list of the individual TCP options that appear in the
SYN packet.
Each option is described by a single character separated by a comma and
certain ones may include a value.
The options are:
.Pp
.Bl -tag -width Description -offset indent -compact
.It Mnnn
maximum segment size (MSS) option.
The value is the maximum packet size of the network link which may
include the
.Sq %
modulus or match all MSSes with the
.Sq *
value.
.It N
the NOP option (NO Operation).
.It T[0]
the timestamp option.
Certain operating systems always start with a zero timestamp in which
case a zero value is added to the option; otherwise no value is appended.
.It S
the Selective ACKnowledgement OK (SACKOK) option.
.It Wnnn
window scaling option.
The value is the size of the window scaling which may include the
.Sq %
modulus or match all window scalings with the
.Sq *
value.
.El
.Pp
No TCP options in the fingerprint may be given with a single dot
.Sq \&. .
.Pp
An example of OpenBSD's TCP options are:
.Pp
.Dl M*,N,N,S,N,W0,N,N,T
.Pp
The first option
.Ar M*
is the MSS option and will match all values.
The second and third options
.Ar N
will match two NOPs.
The fourth option
.Ar S
will match the SACKOK option.
The fifth
.Ar N
will match another NOP.
The sixth
.Ar W0
will match a window scaling option with a zero scaling size.
The seventh and eighth
.Ar N
options will match two NOPs.
And the ninth and final option
.Ar T
will match the timestamp option with any time value.
.Pp
The TCP options in a fingerprint will only match packets with the
exact same TCP options in the same order.
.Pp
The
.Ar class
field is the class, genre or vendor of the operating system.
.Pp
The
.Ar version
is the version of the operating system.
It is used to distinguish between different fingerprints of operating
systems of the same class but different versions.
.Pp
The
.Ar subtype
is the subtype or patch level of the operating system version.
It is used to distinguish between different fingerprints of operating
systems of the same class and same version but slightly different
patches or tweaking.
.Pp
The
.Ar description
is a general description of the operating system, its version,
patchlevel and any further useful details.
.Sh EXAMPLES
The fingerprint of a plain
.Ox 3.3
host is:
.Bd -literal
16384:64:1:64:M*,N,N,S,N,W0,N,N,T:OpenBSD:3.3::OpenBSD 3.3
.Ed
.Pp
The fingerprint of an
.Ox 3.3
host behind a PF scrubbing firewall with a no-df rule would be:
.Bd -literal
16384:64:0:64:M*,N,N,S,N,W0,N,N,T:OpenBSD:3.3:!df:OpenBSD 3.3 scrub no-df
.Ed
.Pp
An absolutely braindead embedded operating system fingerprint could be:
.Bd -literal
65535:255:0:40:.:DUMMY:1.1:p3:Dummy embedded OS v1.1p3
.Ed
.Pp
The
.Xr tcpdump 8
output of
.Bd -literal
# tcpdump -s128 -c1 -nv 'tcp[13] == 2'
03:13:48.118526 10.0.0.1.3377 > 10.0.0.0.2: S [tcp sum ok] \e
534596083:534596083(0) win 57344 <mss 1460> (DF) [tos 0x10] \e
(ttl 64, id 11315)
.Ed
.Pp
almost translates into the following fingerprint
.Bd -literal
57344:64:1:44:M1460: exampleOS:1.0::exampleOS 1.0
.Ed
.Pp
.Xr tcpdump 8
does not explicitly give the packet length.
But it can usually be derived by adding the size of the IPv4 header to
the size of the TCP header to the size of the TCP options.
The size of both headers is typically twenty each and the usual
sizes of the TCP options are:
.Pp
.Bl -tag -width timestamp -offset indent -compact
.It mss
four bytes.
.It nop
1 byte.
.It sackOK
two bytes.
.It timestamp
ten bytes.
.It wscale
three bytes.
.El
.Pp
In the above example, the packet size comes out to 44 bytes.
.Sh SEE ALSO
.Xr pf 4 ,
.Xr pf.conf 5 ,
.Xr pfctl 8 ,
.Xr tcpdump 8
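Review bot: the tcpdump-derived example `57344:64:1:44:M1460: exampleOS:1.0::exampleOS 1.0` has a stray space after the fifth colon, which would make the class field ` exampleOS` if the line were pasted into pf.os; drop it. Two wording slips in the field list: "The subtype of patchlevel" should read "subtype or patchlevel" (as the later paragraph puts it), and "An example of OpenBSD's TCP options are:" should be "is". The `%` modulus is only described as "the value will be used as a modulus"; since the `S` and `T` forms get a sentence each, say explicitly that `%64` matches any window size that is a multiple of 64.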

dist/pf/share/man/man5/spamd.conf.5 vendored Normal file
@ -0,0 +1,190 @@
.\" $OpenBSD: spamd.conf.5,v 1.12 2004/01/29 17:44:29 jmc Exp $
.\"
.\" Copyright (c) 2003 Jason L. Wright (jason@thought.net)
.\" Copyright (c) 2003 Bob Beck
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
.\" WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
.\" DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
.\" INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
.\" (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
.\" SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd March 8, 2003
.Dt SPAMD.CONF 5
.Os
.Sh NAME
.Nm spamd.conf
.Nd configuration file read by
.Xr spamd-setup 8
for
.Xr spamd 8
.Sh SYNOPSIS
.Nm spamd.conf
.Sh DESCRIPTION
The
.Nm
file is read by
.Xr spamd-setup 8
to configure blacklists and whitelists with corresponding
.Xr pf 4
table entries for
.Xr spamd 8 .
.Nm
follows the syntax of configuration databases as documented in
.Xr getcap 3 .
Example:
.Bd -literal -offset indent
all:\e
:spews1:white:myblack:
spews1:\e
:black:\e
:msg="SPAM. Your address \&%A is in the spews\e
level 1 database\ensee http://www.spews.org/ask.cgi?x=\&%A\en":\e
:method=http:\e
:file=www.spews.org/spews_list_level1.txt:
white:\e
:white:\e
:method=file:\e
:file=/var/mail/mywhite.txt:
myblack:\e
:black:\e
:msg=/var/mail/myblackmsg.txt:\e
:method=file:\e
:file=/var/mail/myblack.txt:
.Ed
.Pp
The default configuration file must include the entry
.Ar all
which specifies the order in which named blacklists and whitelists
are to be applied.
The addresses in a whitelist are removed from the preceding blacklist.
In the above example, if the address was present in all three lists, blacklists
.Ar spews1
and
.Ar myblack ,
as well as whitelist
.Ar white ,
the address would be removed from blacklist
.Ar spews1
by the subsequent
.Ar white
whitelist.
However, the address would not be removed from the
.Ar myblack
blacklist.
To remove all the addresses in
.Ar white
from
.Ar myblack ,
the configuration
.Bd -literal -offset indent
all:\e
:spews1:white:myblack:white:
.Ed
.Pp
would be used instead.
.Pp
Blacklists and whitelists are then constructed by name;
blacklists are identified by the capability
.Ar black ,
and whitelists by the capability
.Ar white .
.Pp
The source of the addresses for blacklists and whitelists is
specified using the
.Ar method
and
.Ar file
capability entries.
.Pp
.Ar method
specifies the method by which to retrieve a file containing a list of
addresses that consist of the blacklist or whitelist, and may be
.Ar http ,
.Ar ftp ,
.Ar file
or
.Ar exec .
The methods
.Ar http ,
.Ar ftp
and
.Ar file
capabilities will make
.Nm
retrieve a list of addresses specified in the location in the
.Ar file
capability for the list.
The
.Ar exec
capability will make
.Nm
spawn the program with arguments indicated in the
.Ar file
capability for the list, and reads a list of addresses
from the output of the program.
.Pp
The format of the list of addresses is expected to consist of one
network block or address per line (optionally followed by a space and
text that is ignored).
Comment lines beginning with
.Ar #
are ignored.
Network blocks may be specified in any of the formats as in
the following example:
.Bd -literal -offset indent
# CIDR format
192.168.20.0/24
# A start - end range
192.168.21.0 - 192.168.21.255
# As a single IP address
192.168.23.1
.Ed
.Pp
Each blacklist must include a message, specified in the
.Ar msg
capability as a string.
If the
.Ar msg
string is enclosed in double quotes, the characters in the quoted string
are escaped as specified in
.Xr getcap 3
with the exception that a colon (:) is allowed in the quoted string.
The resulting string is used as the message.
Alternatively, if the
.Ar msg
string is not specified in quotes, it is assumed to be a local filename
from which the message text may be read.
.Pp
The message is configured in
.Xr spamd 8
to be displayed in the SMTP dialogue to any connections that match
addresses in the blacklist.
The sequence \e" in the message will produce a double quote in the output.
The sequence %% will produce a single % in the output,
and the sequence \&%A will be expanded in the message by
.Xr spamd 8
to display the connecting IP address in the output.
.Sh SEE ALSO
.Xr ftp 1 ,
.Xr pf 4 ,
.Xr spamd 8 ,
.Xr spamd-setup 8
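Review bot: the license block appears to be missing a line: "ARISING IN" is followed directly by "POSSIBILITY OF SUCH DAMAGE.", dropping the "ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE" clause that the pflog.4 copy above carries in full; restore it. In DESCRIPTION, "addresses that consist of the blacklist or whitelist" should be "constitute". The `method` list would also benefit from one sentence of caution: `http` and `ftp` fetch the list over unauthenticated transports and `exec` runs whatever command is named in `file`, so these entries directly decide which addresses land in the pf tables and must be treated as trusted configuration.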

dist/pf/share/pf/Makefile vendored Normal file
@ -0,0 +1,13 @@
#
# $OpenBSD: Makefile,v 1.6 2003/08/22 15:25:50 henning Exp $
#
FILES= queue1 queue2 queue3 ackpri faq-example1 faq-example2 faq-example3
FILES+= spamd
NOOBJ= noobj
all clean cleandir depend lint tags:
install:
install -c -m 0444 ${FILES} ${DESTDIR}${BINDIR}/pf/
.include <bsd.prog.mk>
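Review bot: `FILES` does not include `queue4`, which this commit adds next to `queue1`..`queue3` below (the Makefile's RCS id, 2003/08/22 15:25:50, predates queue4's 21:50:34 the same day), so the HFSC example is never installed under `${DESTDIR}${BINDIR}/pf/`. Add it to `FILES`.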

dist/pf/share/pf/ackpri vendored Normal file
@ -0,0 +1,32 @@
# $OpenBSD: ackpri,v 1.2 2003/03/10 14:24:33 henning Exp $
# Use a simple priority queue to prioritize empty (no payload) TCP ACKs,
# which dramatically improves throughput on (asymmetric) links when the
# reverse direction is saturated. The empty ACKs use an insignificant
# part of the bandwidth, but if they get delayed, downloads suffer
# badly, so prioritize them.
# Example: 512/128 kbps ADSL. Download is 50 kB/s. When a concurrent
# upload saturates the uplink, download drops to 7 kB/s. With the
# priority queue below, download drops only to 48 kB/s.
# Replace lo0 with your real external interface
ext_if="lo0"
# For a 512/128 kbps ADSL with PPPoE link, using "bandwidth 100Kb"
# is optimal. Some experimentation might be needed to find the best
# value. If it's set too high, the priority queue is not effective, and
# if it's set too low, the available bandwidth is not fully used.
# A good starting point would be real_uplink_bandwidth * 90 / 100.
altq on $ext_if priq bandwidth 100Kb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 1 priq(default)
pass out on $ext_if proto tcp from $ext_if to any flags S/SA \
keep state queue (q_def, q_pri)
pass in on $ext_if proto tcp from any to $ext_if flags S/SA \
keep state queue (q_def, q_pri)
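Review bot: as written this queueing example also opens every TCP port: `pass in on $ext_if proto tcp from any to $ext_if flags S/SA keep state` accepts any inbound SYN to the host and the file has no `block` rule at all. Since it ships as an installed example and the reader is told to replace `lo0` with the real external interface, add a `block in on $ext_if` default or restrict the `pass in` to the services actually offered, so that copying it does not leave an open host. The `queue (q_def, q_pri)` form itself is right: the second queue receives the empty ACKs, which is the point of the example.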

dist/pf/share/pf/faq-example1 vendored Normal file
@ -0,0 +1,47 @@
# $OpenBSD: faq-example1,v 1.2 2003/08/06 16:04:45 henning Exp $
#
# Firewall for Home or Small Office
# http://www.openbsd.org/faq/pf/example1.html
#
# macros
int_if = "fxp0"
ext_if = "ep0"
tcp_services = "{ 22, 113 }"
icmp_types = "echoreq"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
# options
set block-policy return
set loginterface $ext_if
# scrub
scrub in all
# nat/rdr
nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 \
port 8021
# filter rules
block all
pass quick on lo0 all
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets
pass in on $ext_if inet proto tcp from any to ($ext_if) \
port $tcp_services flags S/SA keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
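Review bot: `pass in inet proto icmp all icmp-type $icmp_types keep state` is not bound to an interface, so echo requests are accepted from the outside as well as the LAN; if pings should only be answered internally, add `on $int_if`. Also worth a comment: `set block-policy return` together with `block all` means external probes of closed ports get RSTs or ICMP unreachables, which is why the spoofing rules for `$priv_nets` explicitly use `block drop`.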

dist/pf/share/pf/faq-example2 vendored Normal file
@ -0,0 +1,88 @@
# $OpenBSD: faq-example2,v 1.2 2003/08/06 16:04:45 henning Exp $
#
# Small, Home Network
# http://www.openbsd.org/faq/pf/queueing.html#example1
#
# enable queueing on the external interface to control traffic going to
# the Internet. use the priq scheduler to control only priorities. set
# the bandwidth to 610Kbps to get the best performance out of the TCP
# ACK queue.
altq on fxp0 priq bandwidth 610Kb queue { std_out, ssh_im_out, dns_out, \
tcp_ack_out }
# define the parameters for the child queues.
# std_out - the standard queue. any filter rule below that does not
# explicitly specify a queue will have its traffic added
# to this queue.
# ssh_im_out - interactive SSH and various instant message traffic.
# dns_out - DNS queries.
# tcp_ack_out - TCP ACK packets with no data payload.
queue std_out priq(default)
queue ssh_im_out priority 4 priq(red)
queue dns_out priority 5
queue tcp_ack_out priority 6
# enable queueing on the internal interface to control traffic coming in
# from the Internet. use the cbq scheduler to control bandwidth. max
# bandwidth is 2Mbps.
altq on dc0 cbq bandwidth 2Mb queue { std_in, ssh_im_in, dns_in, bob_in }
# define the parameters for the child queues.
# std_in - the standard queue. any filter rule below that does not
# explicitly specify a queue will have its traffic added
# to this queue.
# ssh_im_in - interactive SSH and various instant message traffic.
# dns_in - DNS replies.
# bob_in - bandwidth reserved for Bob's workstation. allow him to
# borrow.
queue std_in cbq(default)
queue ssh_im_in priority 4
queue dns_in priority 5
queue bob_in bandwidth 80Kb cbq(borrow)
# ... in the filtering section of pf.conf ...
alice = "192.168.0.2"
bob = "192.168.0.3"
charlie = "192.168.0.4"
local_net = "192.168.0.0/24"
ssh_ports = "{ 22 2022 }"
im_ports = "{ 1863 5190 5222 }"
# filter rules for fxp0 inbound
block in on fxp0 all
# filter rules for fxp0 outbound
block out on fxp0 all
pass out on fxp0 inet proto tcp from (fxp0) to any flags S/SA \
keep state queue(std_out, tcp_ack_out)
pass out on fxp0 inet proto { udp icmp } from (fxp0) to any keep state
pass out on fxp0 inet proto { tcp udp } from (fxp0) to any port domain \
keep state queue dns_out
pass out on fxp0 inet proto tcp from (fxp0) to any port $ssh_ports \
flags S/SA keep state queue(std_out, ssh_im_out)
pass out on fxp0 inet proto tcp from (fxp0) to any port $im_ports \
flags S/SA keep state queue(ssh_im_out, tcp_ack_out)
# filter rules for dc0 inbound
block in on dc0 all
pass in on dc0 from $local_net
# filter rules for dc0 outbound
block out on dc0 all
pass out on dc0 from any to $local_net
pass out on dc0 proto { tcp udp } from any port domain to $local_net \
queue dns_in
pass out on dc0 proto tcp from any port $ssh_ports to $local_net \
queue(std_in, ssh_im_in)
pass out on dc0 proto tcp from any port $im_ports to $local_net \
queue ssh_im_in
pass out on dc0 from any to $bob queue bob_in
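Review bot: there is no `nat` rule in this excerpt, yet every outbound `fxp0` rule matches `from (fxp0)`, so traffic from `$local_net` only passes if a NAT rule elsewhere translates it to the fxp0 address first. The `# ... in the filtering section of pf.conf ...` comment should state that a `nat on fxp0 from $local_net -> (fxp0)` section is assumed, or include it; otherwise someone copying the file gets queueing rules that never match LAN hosts. The `dc0` rules are stateless (no `keep state`), which works here because states created by the fxp0 rules carry the return traffic, but a comment saying so would save the next reader the puzzle.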

dist/pf/share/pf/faq-example3 vendored Normal file
@ -0,0 +1,118 @@
# $OpenBSD: faq-example3,v 1.2 2003/08/06 16:04:45 henning Exp $
#
# Company Network
# http://www.openbsd.org/faq/pf/queueing.html#example2
#
# enable queueing on the external interface to queue packets going out
# to the Internet. use the cbq scheduler so that the bandwidth use of
# each queue can be controlled. the max outgoing bandwidth is 1.5Mbps.
altq on fxp0 cbq bandwidth 1.5Mb queue { std_ext, www_ext, boss_ext }
# define the parameters for the child queues.
# std_ext - the standard queue. also the default queue for
# outgoing traffic on fxp0.
# www_ext - container queue for WWW server queues. limit to
# 500Kbps.
# www_ext_http - http traffic from the WWW server
# www_ext_misc - all non-http traffic from the WWW server
# boss_ext - traffic coming from the boss's computer
queue std_ext cbq(default)
queue www_ext bandwidth 500Kb { www_ext_http, www_ext_misc }
queue www_ext_http priority 3 cbq(red)
queue www_ext_misc priority 1
queue boss_ext priority 3
# enable queueing on the internal interface to control traffic coming
# from the Internet or the DMZ. use the cbq scheduler to control the
# bandwidth of each queue. bandwidth on this interface is set to the
# maximum. traffic coming from the DMZ will be able to use all of this
# bandwidth while traffic coming from the Internet will be limited to
# 1.0Mbps (because 0.5Mbps (500Kbps) is being allocated to fxp1).
altq on dc0 cbq bandwidth 100% queue { net_int, www_int }
# define the parameters for the child queues.
# net_int - container queue for traffic from the Internet. bandwidth
# is 1.0Mbps.
# std_int - the standard queue. also the default queue for outgoing
# traffic on dc0.
# it_int - traffic to the IT Dept network.
# boss_int - traffic to the boss's PC.
# www_int - traffic from the WWW server in the DMZ.
queue net_int bandwidth 1.0Mb { std_int, it_int, boss_int }
queue std_int cbq(default)
queue it_int bandwidth 500Kb cbq(borrow)
queue boss_int priority 3
queue www_int cbq(red)
# enable queueing on the DMZ interface to control traffic destined for
# the WWW server. cbq will be used on this interface since detailed
# control of bandwidth is necessary. bandwidth on this interface is set
# to the maximum. traffic from the internal network will be able to use
# all of this bandwidth while traffic from the Internet will be limited
# to 500Kbps.
altq on fxp1 cbq bandwidth 100% queue { internal_dmz, net_dmz }
# define the parameters for the child queues.
# internal_dmz - traffic from the internal network.
# net_dmz - container queue for traffic from the Internet.
# net_dmz_http - http traffic.
# net_dmz_misc - all non-http traffic. this is also the default queue.
queue internal_dmz # no special settings needed
queue net_dmz bandwidth 500Kb { net_dmz_http, net_dmz_misc }
queue net_dmz_http priority 3 cbq(red)
queue net_dmz_misc priority 1 cbq(default)
# ... in the filtering section of pf.conf ...
main_net = "192.168.0.0/24"
it_net = "192.168.1.0/24"
int_nets = "{ 192.168.0.0/24, 192.168.1.0/24 }"
dmz_net = "10.0.0.0/24"
boss = "192.168.0.200"
wwwserv = "10.0.0.100"
# default deny
block on { fxp0, fxp1, dc0 } all
# filter rules for fxp0 inbound
pass in on fxp0 proto tcp from any to $wwwserv port { 21, \
> 49151 } flags S/SA keep state queue www_ext_misc
pass in on fxp0 proto tcp from any to $wwwserv port 80 \
flags S/SA keep state queue www_ext_http
# filter rules for fxp0 outbound
pass out on fxp0 from $int_nets to any keep state
pass out on fxp0 from $boss to any keep state queue boss_ext
# filter rules for dc0 inbound
pass in on dc0 from $int_nets to any keep state
pass in on dc0 from $it_net to any queue it_int
pass in on dc0 from $boss to any queue boss_int
pass in on dc0 proto tcp from $int_nets to $wwwserv port { 21, 80, \
> 49151 } flags S/SA keep state queue www_int
# filter rules for dc0 outbound
pass out on dc0 from dc0 to $int_nets
# filter rules for fxp1 inbound
pass in on fxp1 proto { tcp, udp } from $wwwserv to any port 53 \
keep state
# filter rules for fxp1 outbound
pass out on fxp1 proto tcp from any to $wwwserv port { 21, \
> 49151 } flags S/SA keep state queue net_dmz_misc
pass out on fxp1 proto tcp from any to $wwwserv port 80 \
flags S/SA keep state queue net_dmz_http
pass out on fxp1 proto tcp from $int_nets to $wwwserv port { 80, \
21, > 49151 } flags S/SA keep state queue internal_dmz

dist/pf/share/pf/queue1 vendored Normal file
@ -0,0 +1,22 @@
# $OpenBSD: queue1,v 1.3 2003/01/20 16:14:23 henning Exp $
ext_if = "dc0"
altq on $ext_if cbq bandwidth 10Mb \
queue { deflt, http, ssh, mail, rsets }
queue deflt bandwidth 10% priority 0 cbq(default ecn)
queue http bandwidth 1.5Mb priority 3 { http_vhosts, http_cust1 }
queue http_vhosts bandwidth 40% cbq(borrow red)
queue http_cust1 bandwidth 0.5Mb
queue mail bandwidth 10% priority 1
queue ssh bandwidth 100Kb priority 7 cbq(borrow)
queue rsets bandwidth 7500b priority 0 cbq(red)
block return in on $ext_if inet all queue rsets
pass in on $ext_if inet proto tcp from any to any port 80 keep state queue http
pass out on $ext_if inet proto tcp from any to any port 22 keep state queue ssh
pass in on $ext_if inet proto tcp from any to any port 22 keep state queue ssh
pass out on $ext_if inet proto tcp from any to any port 25 keep state queue mail
pass out on $ext_if inet all keep state

dist/pf/share/pf/queue2 vendored Normal file
@ -0,0 +1,28 @@
# $OpenBSD: queue2,v 1.2 2003/01/20 16:14:23 henning Exp $
# advanced queue example.
# give interactive ssh traffic priority over ssh bulk transfers (scp, sftp)
ext_if="dc0"
developerhosts="192.168.2.0/24"
employeehosts="192.168.0.0/23"
altq on $ext_if cbq bandwidth 5Mb queue { std, http, mail, ssh }
queue std bandwidth 10% cbq(default)
queue http bandwidth 60% priority 2 cbq(borrow red) { employees, developers }
queue developers bandwidth 75% cbq(borrow)
queue employees bandwidth 15%
queue mail bandwidth 10% priority 0 cbq(borrow ecn)
queue ssh bandwidth 20% cbq(borrow) { ssh_interactive, ssh_bulk }
queue ssh_interactive priority 7
queue ssh_bulk priority 0
block return out on $ext_if inet all queue std
pass out on $ext_if inet proto tcp from $developerhosts to any port 80 \
keep state queue developers
pass out on $ext_if inet proto tcp from $employeehosts to any port 80 \
keep state queue employees
pass out on $ext_if inet proto tcp from any to any port 22 \
keep state queue(ssh_bulk, ssh_interactive)
pass out on $ext_if inet proto tcp from any to any port 25 \
keep state queue mail

dist/pf/share/pf/queue3 vendored Normal file
@ -0,0 +1,15 @@
# $OpenBSD: queue3,v 1.2 2003/01/20 16:14:23 henning Exp $
# simple PRIQ example
ext_if="lo0"
altq on $ext_if priq bandwidth 10Mb queue { pri-low pri-med pri-high }
queue pri-low priority 0
queue pri-med priority 1 priq(default)
queue pri-high priority 2
pass out on $ext_if proto tcp from any to any port 22 keep state \
queue(pri-med, pri-high)
pass out on $ext_if proto tcp from any to any port 80 keep state queue pri-med
pass in on $ext_if proto tcp from any to any port 80 keep state queue pri-low

dist/pf/share/pf/queue4 vendored Normal file
@ -0,0 +1,19 @@
# $OpenBSD: queue4,v 1.2 2003/08/22 21:50:34 david Exp $
#
# Hierarchical queueing for a university.
# Three faculties; engineering, law and art are defined.
# Departments under the engineering faculty are defined as child queues.
# The total bandwidth for engineering faculty is shared between three
# departments. CS department gets the half of the bandwidth, EE and IE
# departments get the thirty percent and twenty percent of bandwidth
# respectively. These sibling departments can use more than their linkshare
# whenever there is no backlogged sibling queue but when a queue gets
# backlogged, it is guaranteed that the queue gets its linkshare.
altq on dc0 bandwidth 16Mb hfsc queue { eng law art }
queue eng bandwidth 10Mb { cs ee ie }
queue cs hfsc( default linkshare 50% )
queue ee hfsc( linkshare 30% )
queue ie hfsc( linkshare 20% )
queue law bandwidth 3Mb
queue art bandwidth 3Mb

dist/pf/share/pf/spamd vendored Normal file
@ -0,0 +1,7 @@
# $OpenBSD: spamd,v 1.1 2003/08/22 15:25:01 henning Exp $
# spamd-setup puts addresses to be redirected into table <spamd>.
table <spamd> persist
no rdr on { lo0, lo1 } from any to any
rdr inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025
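Review bot: `rdr` only rewrites the destination; a `pass` rule for `127.0.0.1 port 8025` (or the `rdr pass` form) is still required in the filter section, and the comment should say so, since this file is offered as a drop-in fragment. The `no rdr on { lo0, lo1 }` line is what keeps the redirected connection from being redirected again when it re-enters on loopback; a one-line comment would make that non-obvious purpose clear. The `rdr` is also not bound to an interface, so SMTP from a listed address arriving on any interface, including internal ones, is sent to spamd; restrict it with `on $ext_if` if that is not wanted.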