2004-09-14 01:07:19 +00:00
|
|
|
# $FreeBSD$
|
2007-11-11 01:16:51 +00:00
|
|
|
# $OpenBSD: faq-example1,v 1.5 2006/10/07 04:48:01 mcbride Exp $
|
2004-09-14 01:07:19 +00:00
|
|
|
|
|
|
|
#
|
|
|
|
# Firewall for Home or Small Office
|
|
|
|
# http://www.openbsd.org/faq/pf/example1.html
|
|
|
|
#
|
|
|
|
|
|
|
|
|
|
|
|
# macros
|
2007-11-11 01:16:51 +00:00
|
|
|
ext_if="fxp0"
|
|
|
|
int_if="xl0"
|
2004-09-14 01:07:19 +00:00
|
|
|
|
2007-11-11 01:16:51 +00:00
|
|
|
tcp_services="{ 22, 113 }"
|
|
|
|
icmp_types="echoreq"
|
|
|
|
|
|
|
|
comp3="192.168.0.3"
|
2004-09-14 01:07:19 +00:00
|
|
|
|
|
|
|
# options
|
|
|
|
set block-policy return
|
|
|
|
set loginterface $ext_if
|
|
|
|
|
2007-11-11 01:16:51 +00:00
|
|
|
set skip on lo
|
|
|
|
|
2004-09-14 01:07:19 +00:00
|
|
|
# scrub
|
2007-11-11 01:16:51 +00:00
|
|
|
scrub in
|
2004-09-14 01:07:19 +00:00
|
|
|
|
|
|
|
# nat/rdr
|
2012-06-28 03:30:17 +00:00
|
|
|
nat on $ext_if inet from !($ext_if) -> ($ext_if:0)
|
2007-11-11 01:16:51 +00:00
|
|
|
nat-anchor "ftp-proxy/*"
|
|
|
|
rdr-anchor "ftp-proxy/*"
|
|
|
|
|
|
|
|
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
|
|
|
|
rdr on $ext_if proto tcp from any to any port 80 -> $comp3
|
2004-09-14 01:07:19 +00:00
|
|
|
|
|
|
|
# filter rules
|
2007-11-11 01:16:51 +00:00
|
|
|
block in
|
2004-09-14 01:07:19 +00:00
|
|
|
|
2007-11-11 01:16:51 +00:00
|
|
|
pass out
|
2004-09-14 01:07:19 +00:00
|
|
|
|
2007-11-11 01:16:51 +00:00
|
|
|
anchor "ftp-proxy/*"
|
|
|
|
antispoof quick for { lo $int_if }
|
2004-09-14 01:07:19 +00:00
|
|
|
|
2007-11-11 01:16:51 +00:00
|
|
|
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services
|
2004-09-14 01:07:19 +00:00
|
|
|
|
2007-11-11 01:16:51 +00:00
|
|
|
pass in on $ext_if inet proto tcp from any to $comp3 port 80 \
|
|
|
|
synproxy state
|
2004-09-14 01:07:19 +00:00
|
|
|
|
2007-11-11 01:16:51 +00:00
|
|
|
pass in inet proto icmp all icmp-type $icmp_types
|
2004-09-14 01:07:19 +00:00
|
|
|
|
2007-11-11 01:16:51 +00:00
|
|
|
pass quick on $int_if no state
|