IPFILTERIRIX
Here's a simple example of configuring ipfilterd on IRIX:
1. You should probably systune 'ipfilterd_inactive_behavior = 0' before you start experimenting with this, so that you don't cut off your own connection entirely: #echo yes | systune ipfilterd_inactive_behavior 0
2. vi /etc/ipfilterd.conf
#
# ipfilterd.conf
# $Revision: 1.3 $
#
# Configuration file for ipfilterd(1M) IP layer packet filtering.
# Lines that begin with # are comments and are ignored.
# Lines begin with a keyword, followed either by a macro definition or
# by an optional interface filter, which may be followed by a protocol
# filter.
# Both macros and filters use SGI's netsnoop(1M) filter syntax.
#
# The currently supported keywords are:
# accept : accept all packets matching this filter
# reject : silently discard packets matching this filter
# define : define a new macro to add to the standard netsnoop macros
#
# See the ipfilterd(1M) man page for examples of filters and macros.
#
# The network administrator may find the following macros useful:
#
# Each macro takes one argument ($1, supplied in the rule that uses it)
# and masks the source/destination address down to its class A/B/C
# network part before comparing. The notnet* variants are the negations.
define ip.netAsrc (src&0xff000000)=$1
define ip.netAdst (dst&0xff000000)=$1
define ip.netBsrc (src&0xffff0000)=$1
define ip.netBdst (dst&0xffff0000)=$1
define ip.netCsrc (src&0xffffff00)=$1
define ip.netCdst (dst&0xffffff00)=$1
define ip.notnetAsrc not((src&0xff000000)=$1)
define ip.notnetAdst not((dst&0xff000000)=$1)
define ip.notnetBsrc not((src&0xffff0000)=$1)
define ip.notnetBdst not((dst&0xffff0000)=$1)
define ip.notnetCsrc not((src&0xffffff00)=$1)
define ip.notnetCdst not((dst&0xffffff00)=$1)
#
# Additional macros:
#
# Filters follow:
#
# The comments in this file assume first-match ordering: an accept placed
# above the SYN reject further down admits new connections to that port,
# one placed below it does not. Confirm the ordering rule in ipfilterd(1M)
# before moving lines around.
#
# Allow your class C net to do it all:
# NOTE(review): this matches on the source address alone, so it trusts any
# packet claiming to come from that net. XXX.XXX.XXX.0 is a placeholder;
# replace it with your own network. This rule carries no -i, so it
# presumably applies on every interface — verify against ipfilterd(1M).
accept ip.netCsrc XXX.XXX.XXX.0
#
# Allow incoming secure shell from everywhere
accept -i ec0 tcp.dport 22
#
# Allow incoming http from everywhere
accept -i ec0 tcp.dport 80
#
# Allow incoming ftp + ftp-data from everywhere (do you really want this?)
accept -i ec0 tcp.dport 21
accept -i ec0 tcp.dport 20
#
# allow in identd.
accept -i ec0 tcp.dport auth
#
# reject all other incoming tcp SYNs so that no one can connect
# my.ip.add.res is a placeholder for this host's own address on ec0.
# "tcp.flags == SYN" presumably matches only a bare SYN, so a SYN/ACK
# answering a connection this host opened is not rejected here and falls
# through to the "> 1023" accepts below — confirm the flag-match semantics
# in netsnoop(1M).
reject -i ec0 ip.dst my.ip.add.res and tcp.flags == SYN
#
# reject what are typically X connections (use ssh forwarding instead)
# i.e. tcp.dport 6000 through 6010.
reject -i ec0 ip.dst my.ip.add.res and tcp.dport > 5999 and tcp.dport < 6011
#
# allow in non-privileged ports (remember to set "UsePrivilegedPort no" in
# /etc/ssh-config!)
# NOTE(review): the udp line admits every UDP datagram to an unprivileged
# port; UDP has no SYN, so nothing here distinguishes replies from
# unsolicited traffic. Confirm no UDP service listens above 1023 on ec0
# before relying on this.
accept -i ec0 tcp.dport > 1023
accept -i ec0 udp.dport > 1023
#
# allow in certain ICMP traffic
# Only these four types are accepted; any other ICMP type is left to
# whatever ipfilterd does with unmatched packets (see ipfilterd(1M)).
accept -i ec0 icmp.type == ECHO
accept -i ec0 icmp.type == ECHOREPLY
accept -i ec0 icmp.type == UNREACHABLE
accept -i ec0 icmp.type == TIMXCEED