pf.conf

  1. # http://draft.scyphus.co.jp/freebsd/nat.html
  2.  
  3. ##### COMMANDS #####
  4. #
  5. # tcpdump -netttr /var/log/pflog View the logfile
  6. # tcpdump -nettti pflog0 Tail the logfile (realtime)
  7. #
  8. # pfctl -e Enable pf
  9. # pfctl -d Disable pf
  10. #
  11. # pfctl -f /etc/pf.conf Load the pf.conf file
  12. # pfctl -nf /etc/pf.conf Parse the file, but don't load it
  13. # pfctl -F all Flush all rules
  14. # pfctl -Nf /etc/pf.conf Load only the NAT rules from the file
  15. # pfctl -Rf /etc/pf.conf Reload only filter rules from the file
  16. # pfctl -Fa -f /etc/pf.conf Reload everything
  17. #
  18. # pfctl -sn Show current NAT rules
  19. # pfctl -sr Show current filter rules
  20. # pfctl -ss Show current state table
  21. # pfctl -si Show filter stats and counters
  22. # pfctl -sa Show everything
  23. #
  24. # Note: Pipe the Show filter rules command to less -N for line numbers.
  25. # This helps match up entries in the pflog to the actual rule.
  26.  
  27. ## Options ###
  28.  
  29. ### Macros ###
  30. ext_if = "re1" # External network interface for IPv4
  31. ext_if6 = "re1" # External network interface for IPv6
  32. ext_addr = "NN.NN.NN.NN" # External IPv4 address (i.e., global)
  33. int_if = "re0" # Internal network interface for IPv4
  34. int_if6 = "re0" # Internal network interface for IPv6
  35. int_addr = "192.168.2.254" # Internal IPv4 address (i.e., gateway for private network)
  36. int_network = "192.168.2.0/24" # Internal IPv4 network
  37. WinSvr2008 = "192.168.2.2"
  38.  
  39.  
  40. ### Tables ###
  41. # Host local address
  42. table <local> const { 127.0.0.1 }
  43. # IPv4 private address ranges
  44. table <private> const { 10/8, 172.16/12, 192.168/16 }
  45. # Special-use IPv4 addresses defined in RFC3330
  46. table <special> const { 0/8, 14/8, 24/8, 39/8, 127/8, 128.0/16, 169.254/16, 192.0.0/24, 192.0.2/24, 192.88.99/24, 198.18/15, 240/4 }
  47.  
  48. # Block P2P
  49. # http://www.benhup.com/?mf=freebsd&sf=freebsd8.2-p9_04_peerblock
  50. table <block_p2p> persist file "/etc/pf/block-p2p.pf"
  51.  
  52.  
  53. # LIMITS
  54. set limit { frags 30000, states 100000, table-entries 300000 }
  55. ### Scrub: Packet normalization ###
  56.  
  57.  
  58. # Scrub for all incoming packets
  59. scrub in all
  60. # Randomize the ID field for all outgoing packets
  61. scrub out all random-id
  62. # If you have MTU problem or something like that
  63. #scrub out all random-id max-mss 1400
  64.  
  65. ### NAT ###
  66. #RDP to WinSvr2008
  67. rdr on $ext_if proto tcp from any to any port 3389 -> $WinSvr2008
  68.  
  69. # Redirect direct/local web traffic to local web server.
  70. rdr on $int_if proto tcp from 192.168.2.254/32 to 192.168.2.254/32 port 80 -> 192.168.2.254 port 80
  71. rdr on $int_if proto tcp from 192.168.2.254/32 to 192.168.2.254/32 port 443 -> 192.168.2.254 port 443
  72.  
  73. # Squid Transparent Proxy
  74. # refer http://www.benzedrine.cx/tranint_addr.html
  75. rdr on $int_if proto tcp from $int_network to any port 80 -> $int_addr port 13128
  76. #rdr on $int_if proto tcp from $int_network to any port 443 -> $int_addr port 13129
  77.  
  78. # SMTP redirection
  79. rdr on $int_if proto tcp from $int_network to any port 25 -> $int_addr port 587
  80. rdr on $int_if proto tcp from $int_network to any port 110 -> $int_addr port 110
  81.  
  82. # Let all other stuff go out
  83. nat on $ext_if from $int_network to ! <private> -> $ext_addr
  84.  
  85.  
  86. ### Filters ###
  87.  
  88. # P2P Blocking
  89. block log quick from any to <block_p2p> label "Attempted p2p-sniffer traffic"
  90.  
  91. # Permit keep-state packets for UDP and TCP on external interfaces
  92. pass out quick on $ext_if proto udp all keep state
  93. pass out quick on $ext_if6 proto udp all keep state
  94. pass out quick on $ext_if proto tcp all modulate state flags S/SA
  95. pass out quick on $ext_if6 proto tcp all modulate state flags S/SA
  96.  
  97. # Permit any packets from internal network to this host
  98. pass in quick on $int_if inet from $int_network to $int_addr
  99.  
  100. # Permit established sessions from internal network to any (incl. the Internet)
  101. pass in quick on $int_if inet from $int_network to any keep state
  102. # If you want to limit the number of sessions per NAT, nodes per NAT (simultaneously), and sessions per source IP
  103. # Please refer to <http://www.openbsd.org/faq/pf/filter.html> for greater detailed information
  104. #pass in quick on $int_if inet from $int_network to any keep state (max 30000, source-track rule, max-src-nodes 100, max-src-states 500 )
  105.  
  106. # Permit and log all packets from clients in private network through NAT
  107. pass in quick log on $int_if all
  108.  
  109. # Pass any other packets
  110. pass in all
  111. pass out all