#
# log all inbound packets on le0 which have IP options present
#
log in on le0 from any to any with ipopts
#
# block any inbound packets on le0 which are fragmented and "too short" to
# do any meaningful comparison on. This actually only applies to TCP
# packets which can be missing the flags/ports (depending on which part
# of the fragment you see).
#
block in log quick on le0 from any to any with short frag
#
# log all inbound TCP packets with the SYN flag (only) set
# (NOTE: if it were an inbound TCP packet with the SYN flag set and it
# had IP options present, this rule and the above would cause it
# to be logged twice).
#
log in on le0 proto tcp from any to any flags S/SA
#
# block and log any inbound ICMP unreachables
#
block in log on le0 proto icmp from any to any icmp-type unreach
#
# block and log any inbound UDP packets on le0 which are going to port 2049
# (the NFS port).
#
block in log on le0 proto udp from any to any port = 2049
#
# quickly allow any packets to/from a particular pair of hosts
#
pass in quick from any to 10.1.3.2/32
pass in quick from any to 10.1.0.13/32
pass in quick from 10.1.3.2/32 to any
pass in quick from 10.1.0.13/32 to any
#
# block (and stop matching) any packet with IP options present.
#
block in quick on le0 from any to any with ipopts
#
# allow any packet through
#
pass in from any to any
#
# block any inbound UDP packets destined for these subnets.
#
block in on le0 proto udp from any to 10.1.3.0/24
block in on le0 proto udp from any to 10.1.1.0/24
block in on le0 proto udp from any to 10.1.2.0/24
#
# block any inbound TCP packets with only the SYN flag set that are
# destined for these subnets.
#
block in on le0 proto tcp from any to 10.1.3.0/24 flags S/SA
block in on le0 proto tcp from any to 10.1.2.0/24 flags S/SA
block in on le0 proto tcp from any to 10.1.1.0/24 flags S/SA
#
# block any inbound ICMP packets destined for these subnets.
#
block in on le0 proto icmp from any to 10.1.3.0/24
block in on le0 proto icmp from any to 10.1.1.0/24
block in on le0 proto icmp from any to 10.1.2.0/24