  1. # $OpenBSD: pf.conf,v 1.49 2009/09/17 06:39:03 jmc Exp $
  2. #
  3. # See pf.conf(5) for syntax and examples.
  4. # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
  5. # in /etc/sysctl.conf if packets are to be forwarded between interfaces.
  6.  
  7. #Our network interfaces
  8. int_if_lan = "nfe0"
  9. int_if_vpn = "tun0"
  10. ext_if_cable = "re0"
  11. ext_if_t1 = "re1"
  12.  
  13. #Our External Gateways
  14. ext_gw_cable = "10.1.10.1"
  15. ext_gw_t1 = "69.198.58.213"
  16.  
  17. #Our Internal/VPN subnets
  18. lan_subnet_cable = "192.168.1.0/24"
  19. lan_subnet_t1 = "192.169.1.0/24"
  20. vpn_subnet = "10.8.0.0/24"
  21.  
  22. #types of incoming icmp traffic we want to handle
  23. icmp_types = "echoreq"
  24.  
  25. #Services we want open to the outside
  26. tcp_services="{22}"
  27. udp_services="{53,1194}"
  28.  
  29. #skip local iface
  30. set skip on lo
  31.  
  32. #drop stuff we dont want
  33. set block-policy drop
  34.  
  35. #Deny by default all traffic without rules
  36. block in log
  37. block out log
  38.  
  39. #Antispoof
  40. antispoof log for {$int_if_lan,$int_if_vpn,$ext_if_cable,$ext_if_t1}
  41.  
  42. #NAT addresses from local subnets leaving external interfaces
  43. match out on $ext_if_cable from $lan_subnet_cable \
  44. nat-to ($ext_if_cable)
  45. match out on $ext_if_t1 from $lan_subnet_t1 \
  46. nat-to ($ext_if_t1)
  47. match out on $ext_if_t1 from $vpn_subnet \
  48. nat-to ($ext_if_t1)
  49.  
  50. #Pass in traffic from defined subnets sent to the gateway
  51. pass in quick on $int_if_lan from \
  52. {$lan_subnet_cable,$lan_subnet_t1,$vpn_subnet} to $int_if_lan
  53. pass in quick on $int_if_vpn from \
  54. {$lan_subnet_cable,$lan_subnet_t1,$vpn_subnet} to $int_if_vpn
  55.  
  56. #Pass out traffic on local interfaces destined for defined subnets
  57. pass out on $int_if_lan to {$lan_subnet_t1,$lan_subnet_cable}
  58. pass out on $int_if_vpn to $vpn_subnet
  59.  
  60. #Pass in packets from internal subnets
  61. #Route them to the correct exit point
  62. pass in quick on $int_if_lan from $lan_subnet_cable \
  63. route-to ($ext_if_cable $ext_gw_cable) keep state
  64. pass in quick on $int_if_lan from $lan_subnet_t1 \
  65. route-to ($ext_if_t1 $ext_gw_t1) keep state
  66. pass in quick on $int_if_vpn from $vpn_subnet \
  67. route-to ($ext_if_t1 $ext_gw_t1) keep state
  68.  
  69. #General pass out
  70. pass out on $ext_if_t1
  71. pass out on $ext_if_cable
  72.  
  73. #Services
  74. pass in on egress inet proto tcp from any to any port $tcp_services
  75. pass in on egress inet proto udp from any to any port $udp_services
  76.  
  77. #FTP Active Support
  78. pass in quick on $int_if_lan proto tcp to port 21 rdr-to 127.0.0.1 port 8021
  79. pass in quick on $int_if_vpn proto tcp to port 21 rdr-to 127.0.0.1 port 8021
  80. anchor "ftp-proxy/*"
  81.  
  82. #ICMP
  83. pass in inet proto icmp all icmp-type $icmp_types
  84.  
  85. #Allow all internal traffic
  86. pass in on $int_if_vpn
  87. pass in on $int_if_lan
  88.  
  89. #Make sure things go out the correct interface
  90. #pass out on $ext_if_t1 from $ext_if_cable \
  91. # route-to ($ext_if_cable $ext_gw_cable)
  92. #pass out on $ext_if_cable from $ext_if_t1 \
  93. # route-to ($ext_if_t1 $ext_gw_t1)