# ipf.rules for deirdre

###########################
# sis0: Outside Interface #
###########################
count in on sis0 all
count out on sis0 all
count in on sis0 from !62.153.245.1/24 to any
count out on sis0 from 192.168.0.1/24 to !62.153.245.1/24

pass out quick on sis0 proto tcp from any to any keep state
pass out quick on sis0 proto udp from any to any keep state
pass out quick on sis0 proto icmp from any to any keep state
block out quick on sis0 all

###################################
# Non-routable traffic is blocked #
###################################
# NOTE: multicast traffic is also blocked
block in log quick on sis0 from 192.168.0.0/16 to any   # RFC 1918 private IP
block in log quick on sis0 from 172.16.0.0/12 to any    # RFC 1918 private IP
block in log quick on sis0 from 10.0.0.0/8 to any       # RFC 1918 private IP
block in log quick on sis0 from 127.0.0.0/8 to any      # loopback
block in log quick on sis0 from 0.0.0.0/8 to any        # loopback
block in log quick on sis0 from 169.254.0.0/16 to any   # DHCP auto-config
block in log quick on sis0 from 192.0.2.0/24 to any     # reserved for documentation
block in log quick on sis0 from 204.152.64.0/23 to any  # Sun cluster interconnect
block in quick on sis0 from 224.0.0.0/3 to any          # Class D & E multicast

####################################
# Pass traffic for port forwarding #
####################################
pass in quick on sis0 proto udp from any to any port = 5060 keep state keep frags
pass in quick on sis0 proto udp from any to any port = 5004 keep state keep frags

###########################
# Block remaining traffic #
###########################
# This is also possible:
#
# block return-rst in log quick on sis0 proto tcp from any to any
block in quick on sis0 proto tcp from any to any flags S/SA
block return-icmp-as-dest(port-unr) in log quick on sis0 proto udp from any to any
block in log quick on sis0 all

##########################
# sis1: Inside Interface #
##########################
pass out quick on sis1 proto tcp from any to any keep state
pass out quick on sis1 proto udp from any to any keep state
pass out quick on sis1 proto icmp from any to any keep state
block out quick on sis1 all

pass in quick on sis1 proto tcp from any to any keep state
pass in quick on sis1 proto udp from any to any keep state
pass in quick on sis1 proto icmp from any to any keep state
block in quick on sis1 all

###########################
# lo0: Loopback Interface #
###########################
pass in quick on lo0 all
pass out quick on lo0 all