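# $OpenBSD: pf.conf,v 1.49 2009/09/17 06:39:03 jmc Exp $
#
# See pf.conf(5) for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.
#
# Dual-WAN gateway: two LAN subnets on nfe0 and an OpenVPN subnet on tun0,
# each policy-routed (route-to) out of a specific external interface and
# NATed to that interface's address.  pf evaluates rules top to bottom and
# "quick" stops evaluation at the first match, so rule order is significant.
#Our network interfaces
int_if_lan = "nfe0"
int_if_vpn = "tun0"
ext_if_cable = "re0"
ext_if_t1 = "re1"
#Our External Gateways
ext_gw_cable = "10.1.10.1"
ext_gw_t1 = "69.198.58.213"
#Our Internal/VPN subnets
lan_subnet_cable = "192.168.1.0/24"
# NOTE(review): 192.169.0.0/16 is not RFC 1918 private space. If this is a
# typo for a 192.168.x.0/24 prefix, the NAT and route-to rules below would
# also capture traffic for a public network -- confirm the intended prefix.
lan_subnet_t1 = "192.169.1.0/24"
vpn_subnet = "10.8.0.0/24"
#types of incoming icmp traffic we want to handle
icmp_types = "echoreq"
#Services we want open to the outside (tcp: ssh; udp: dns, openvpn)
tcp_services="{22}"
udp_services="{53,1194}"
#skip local iface
set skip on lo
#drop stuff we dont want
set block-policy drop
#Deny by default all traffic without rules
block in log
block out log
#Antispoof
antispoof log for {$int_if_lan,$int_if_vpn,$ext_if_cable,$ext_if_t1}
#NAT addresses from local subnets leaving external interfaces
match out on $ext_if_cable from $lan_subnet_cable \
nat-to ($ext_if_cable)
match out on $ext_if_t1 from $lan_subnet_t1 \
nat-to ($ext_if_t1)
match out on $ext_if_t1 from $vpn_subnet \
nat-to ($ext_if_t1)
#Pass in traffic from defined subnets sent to the gateway
pass in quick on $int_if_lan from \
{$lan_subnet_cable,$lan_subnet_t1,$vpn_subnet} to $int_if_lan
pass in quick on $int_if_vpn from \
{$lan_subnet_cable,$lan_subnet_t1,$vpn_subnet} to $int_if_vpn
#Pass out traffic on local interfaces destined for defined subnets
pass out on $int_if_lan to {$lan_subnet_t1,$lan_subnet_cable}
pass out on $int_if_vpn to $vpn_subnet
#FTP Active Support
# These rules must come BEFORE the "pass in quick ... route-to" rules below:
# those match every packet from the LAN/VPN subnets and, being quick, end
# evaluation before the rdr-to would ever apply, silently bypassing
# ftp-proxy(8).  Requires ftp-proxy(8) listening on 127.0.0.1:8021.
pass in quick on $int_if_lan proto tcp to port 21 rdr-to 127.0.0.1 port 8021
pass in quick on $int_if_vpn proto tcp to port 21 rdr-to 127.0.0.1 port 8021
anchor "ftp-proxy/*"
#Pass in packets from internal subnets
#Route them to the correct exit point
pass in quick on $int_if_lan from $lan_subnet_cable \
route-to ($ext_if_cable $ext_gw_cable) keep state
pass in quick on $int_if_lan from $lan_subnet_t1 \
route-to ($ext_if_t1 $ext_gw_t1) keep state
pass in quick on $int_if_vpn from $vpn_subnet \
route-to ($ext_if_t1 $ext_gw_t1) keep state
#General pass out
pass out on $ext_if_t1
pass out on $ext_if_cable
#Services
# NOTE(review): with two WAN links, connections arriving on the external
# interface that does not hold the system default route are answered via
# the default route unless the pass rule carries reply-to (see pf.conf(5));
# the disabled "pass out ... route-to" rules at the end do not achieve that.
# ssh is reachable from any source; consider a max-src-conn-rate limit with
# an overload table.  udp/53 from any exposes the gateway's DNS service to
# the Internet: if it is a recursive resolver, restrict the source instead.
pass in on egress inet proto tcp from any to any port $tcp_services
pass in on egress inet proto udp from any to any port $udp_services
#ICMP
# echo requests are accepted on every interface, external ones included
pass in inet proto icmp all icmp-type $icmp_types
#Allow all internal traffic
# Only reached by sources not already matched by the quick rules above
pass in on $int_if_vpn
pass in on $int_if_lan
#Make sure things go out the correct interface
# (disabled: left in place by the original author; see the reply-to note
# under Services)
#pass out on $ext_if_t1 from $ext_if_cable \
# route-to ($ext_if_cable $ext_gw_cable)
#pass out on $ext_if_cable from $ext_if_t1 \
# route-to ($ext_if_t1 $ext_gw_t1)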