# $Revision: 1.3 $ $Date: 2003/11/05 00:48:23 $
#
# IPFilter (ipf) ruleset for a single-homed host.  The parenthesised
# tokens (thisMachineCardDev) and (thisMachineIP) are template
# placeholders; substitute the real interface name and address before
# loading the file.
#
# Reading order: ipf evaluates rules top to bottom and the LAST matching
# rule decides, except that a rule carrying "quick" stops evaluation as
# soon as it matches.  "head N" opens a rule group that is only consulted
# for packets matching the head rule; "group N" attaches a rule to it.

#
# Handling applied to all packets
#

# Block garbage
# Packets carrying IP options, and TCP segments too short to hold a full
# header, are dropped and logged regardless of interface or direction.
block in log quick from any to any with ipopts
block in log quick proto tcp from any to any with short

# System loopback interface
# Local inter-process traffic is trusted; "quick" means no later rule is
# evaluated for lo0 in either direction.
pass in quick on lo0 all
pass out quick on lo0 all

#
# Outbound traffic
#

# Default accept
# Head rule for group 100: every packet leaving the external interface
# enters the group.  If no group rule matches, this "pass" stands.
pass out on (thisMachineCardDev) all head 100

# Prevent loopback interface from going outside
# Anti-leak: 127/8 must never appear on the wire in either address field.
block out quick from 127.0.0.0/8 to any group 100
block out quick from any to 127.0.0.0/8 group 100

# Prevent traffic for this machine's IP from going outside
# A packet addressed to our own IP should have been handled on lo0, not
# sent out the external interface.
block out quick from any to (thisMachineIP)/32 group 100

# Default accept since using default deny stance in ipfilter
# "keep state" records the outbound flow so its replies are accepted on
# the way back in without needing an explicit "pass in" rule in group 200.
pass out quick on (thisMachineCardDev) all keep state group 100

#
# Inbound traffic
#

# Default deny
# Head rule for group 200: inbound packets on the external interface are
# blocked unless a later group rule passes them.
block in on (thisMachineCardDev) all head 200

# Prevent loopback interface from coming from outside
# Anti-spoof: a 127/8 source arriving on the external interface is bogus.
block in quick from 127.0.0.0/8 to any group 200

# Prevent traffic from this machine's IP coming from outside
# Anti-spoof: nothing on the wire should claim our own address as source.
block in quick from (thisMachineIP)/32 to any group 200

# Allow access to public services
# NOTE(review): both services are reachable from any source address.  If
# the set of networks that legitimately administer this host over ssh is
# known, narrowing "from any" on the ssh rule shrinks the exposed surface;
# smtp usually has to stay open if this host receives mail.  "keep state"
# lets the remainder of each accepted connection flow without re-matching
# these rules.
# NOTE(review): no rule in group 200 passes inbound ICMP.  Confirm that
# the ICMP the host needs (e.g. errors related to stateful outbound flows)
# is admitted via the state table; anything else falls to the default deny.
pass in quick proto tcp from any to any port = ssh keep state group 200
pass in quick proto tcp from any to any port = smtp keep state group 200

# Generate notification of rejected connections/packets
# Only initial SYNs (flags S/SA) are answered with a RST and logged; other
# unsolicited TCP segments fall through to the silent default deny above.
# Unsolicited UDP is answered with an ICMP "network unreachable".  Active
# rejection (return-rst / return-icmp) confirms to a sender that the host
# is up; use a plain "block" instead if silent dropping is preferred.
block return-rst in log quick proto tcp from any to any flags S/SA group 200
block return-icmp(net-unr) in log quick proto udp all group 200