bash# ./keeper_example.py --test

bash$ nc localhost 8007
Your wish is my command.
dfd_keeper>show
nat on xl2 from xl1:network to any -> (xl2)
# Allow all loopback traffic.
pass quick on lo0
# Default deny.
block all
# Allow LAN to bomb out quickly.
block return on xl1
# Don't allow other networks to impersonate LAN.
antispoof quick for xl1
# Block leakage of LAN stuff to anywhere else.
block out log quick on ! xl1 to xl1:network
# Block hosts we have specified in both directions.
block in log quick on xl2 from [] to any
block out log quick on xl2 from any to []
# Allow firewall to talk to LAN.
pass out quick on xl1 from xl1 to xl1:network keep state
# Allow anything in from LAN that isn't destined to the LAN.
pass in quick on xl1 to ! xl1:network keep state allow-opts
# Allow LAN hosts to SSH into this box.
pass in quick on xl1 proto tcp from any to xl1 port ssh flags S/SA
# Allow connections out WAN, and randomize SEQ #s.
pass out quick on xl2 all modulate state allow-opts
It is done.
dfd_keeper>help
drop_state: Drop a particular state table entry. Takes src and optional dst.
flush: Flush the state table. This is done automatically.
sync: Synchronize the rules with pf. This is done automatically.
show: This command shows the active rules to the client.
help: Show help to the user. A command may be provided as an argument.
wan: Switches on/off connectivity with the Internet. For emergencies only!
block: block [add|del] host
Block an IP from sending in data via WAN interface either direction.
XXX: Assumes it is on the remote side of that interface.
It is done.
dfd_keeper>block add 1.2.3.4
It is done.
dfd_keeper>show
nat on xl2 from xl1:network to any -> (xl2)
# Allow all loopback traffic.
pass quick on lo0
# Default deny.
block all
# Allow LAN to bomb out quickly.
block return on xl1
# Don't allow other networks to impersonate LAN.
antispoof quick for xl1
# Block leakage of LAN stuff to anywhere else.
block out log quick on ! xl1 to xl1:network
# Block hosts we have specified in both directions.
block in log quick on xl2 from 1.2.3.4 to any
block out log quick on xl2 from any to 1.2.3.4
# Allow firewall to talk to LAN.
pass out quick on xl1 from xl1 to xl1:network keep state
# Allow anything in from LAN that isn't destined to the LAN.
pass in quick on xl1 to ! xl1:network keep state allow-opts
# Allow LAN hosts to SSH into this box.
pass in quick on xl1 proto tcp from any to xl1 port ssh flags S/SA
# Allow connections out WAN, and randomize SEQ #s.
pass out quick on xl2 all modulate state allow-opts
It is done.
dfd_keeper>block add 2.3.4.5
It is done.
dfd_keeper>show
nat on xl2 from xl1:network to any -> (xl2)
# Allow all loopback traffic.
pass quick on lo0
# Default deny.
block all
# Allow LAN to bomb out quickly.
block return on xl1
# Don't allow other networks to impersonate LAN.
antispoof quick for xl1
# Block leakage of LAN stuff to anywhere else.
block out log quick on ! xl1 to xl1:network
# Block hosts we have specified in both directions.
block in log quick on xl2 from { 1.2.3.4 2.3.4.5 } to any
block out log quick on xl2 from any to { 1.2.3.4 2.3.4.5 }
# Allow firewall to talk to LAN.
pass out quick on xl1 from xl1 to xl1:network keep state
# Allow anything in from LAN that isn't destined to the LAN.
pass in quick on xl1 to ! xl1:network keep state allow-opts
# Allow LAN hosts to SSH into this box.
pass in quick on xl1 proto tcp from any to xl1 port ssh flags S/SA
# Allow connections out WAN, and randomize SEQ #s.
pass out quick on xl2 all modulate state allow-opts
It is done.
dfd_keeper>exit
bash$
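The session above renders the "block hosts we have specified" pair three different ways as the list grows: `[]` with no hosts (a Python list printed into the rule, which pf would reject as a syntax error), a bare address with one host, and a pf set `{ 1.2.3.4 2.3.4.5 }` with two. The following is an added example, not code from keeper_example.py or dfd_keeper, showing one way to render those two rules so that an empty list emits no rule at all and every host passed to `block add`/`block del` is validated as an IP address or network before it is spliced into rule text. The function names, the de-duplication of repeated hosts and the interface name default are assumptions.

```python
import ipaddress

# Constructed default: the WAN interface used in the session above (assumption).
WAN_IF = "xl2"


def validate_host(host: str) -> str:
    """Return the canonical text of an IPv4/IPv6 address or CIDR network.

    Anything that is not a bare address or a network raises ValueError, so
    stray words or punctuation can never become part of a pf rule.
    """
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    try:
        return str(ipaddress.ip_network(host, strict=True))
    except ValueError as exc:
        raise ValueError(f"not an IP address or network: {host!r}") from exc


def render_block_rules(hosts, iface=WAN_IF):
    """Render the 'block ... in both directions' pair from the session.

    0 hosts -> no rules (pf has no empty-set syntax; a literal '[]' is a parse error)
    1 host  -> bare address, as in 'from 1.2.3.4 to any'
    n hosts -> pf set syntax, as in 'from { 1.2.3.4 2.3.4.5 } to any'
    """
    addrs = [validate_host(h) for h in hosts]
    if not addrs:
        return []
    spec = addrs[0] if len(addrs) == 1 else "{ " + " ".join(addrs) + " }"
    return [
        f"block in log quick on {iface} from {spec} to any",
        f"block out log quick on {iface} from any to {spec}",
    ]


def apply_block_command(blocked, line):
    """Handle 'block add <host>' / 'block del <host>' as the help text describes.

    Returns a new list of blocked hosts. A malformed command or a host that is
    not an address raises ValueError instead of being passed through to pf.
    """
    parts = line.split()
    if len(parts) != 3 or parts[0] != "block" or parts[1] not in ("add", "del"):
        raise ValueError("usage: block [add|del] host")
    host = validate_host(parts[2])
    if parts[1] == "add":
        return blocked if host in blocked else blocked + [host]
    return [h for h in blocked if h != host]


if __name__ == "__main__":
    # Replay the two 'block add' commands from the session and show the
    # rendered rule pair after each one.
    blocked = []
    for cmd in ("block add 1.2.3.4", "block add 2.3.4.5"):
        blocked = apply_block_command(blocked, cmd)
        print(f"dfd_keeper>{cmd}")
        print("\n".join(render_block_rules(blocked)))
```

With an empty block list the renderer simply omits the pair, so the rest of the ruleset (default deny, antispoof, the LAN and SSH passes) still loads; with one or more hosts the output matches the lines the session shows. Validating the host before it is stored also means the `XXX` caveat in the help text is the only assumption left in the command, rather than also trusting whatever string arrives on port 8007.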