  1. int_if="rl0"
  2. ext_if="vr0"
  3. ext_ip="192.168.10.2"
  4. int_ip="10.129.13.251"
  5. comps="{10.129.13.241, 10.129.13.234, 10.129.13.211, 10.129.13.252, 10.129.13.218}"
  6. #comps="10.129.13.0/24"
  7. internal="10.0.0.0/8"
  8. web_ports="{80, 443}"
  9. good_ports="{80, 443, 110, 25, 993, 465, 2041, 2042, 6667}"
  10. messaging_ports="{2041, 2042, 6667}"
  11. mail_ports="{110, 25, 993, 465}"
  12. set skip on lo
  13.  
  14. scrub in all
  15.  
  16. altq on $ext_if priq bandwidth 220Kb queue { dns_out, tcp_ack_out,\
  17. std_out, messaging_out, mail_out}
  18.  
  19. queue std_out priq(default)
  20. queue mail_out priority 2 priq(red)
  21. queue messaging_out priority 4 priq(red)
  22. queue dns_out priority 5
  23. queue tcp_ack_out priority 6
  24.  
  25. altq on $int_if cbq bandwidth 220Kb queue { std_in, messaging_in, dns_in, \
  26. mail_in}
  27.  
  28. queue std_in bandwidth 140Kb cbq(default)
  29. queue messaging_in bandwidth 20Kb cbq priority 4
  30. queue dns_in bandwidth 10Kb cbq priority 5
  31. queue mail_in bandwidth 50Kb cbq(borrow)
  32.  
  33. nat-anchor "ftp-proxy/*"
  34. rdr-anchor "ftp-proxy/*"
  35. rdr pass on $int_if proto tcp from $comps to any port 21 -> 127.0.0.1 port 8021
  36. rdr on $int_if inet proto tcp from $comps to any port 80 -> 127.0.0.1 port 3128
  37. nat on $ext_if from $comps to any -> $ext_ip
  38.  
  39. anchor "ftp-proxy/*"
  40.  
  41. # Strange behavior
  42. block in on $int_if from 10.129.13.210
  43. block in on $int_if from 10.129.13.237
  44.  
  45. # I am not router for internal network except myself
  46. block in on $int_if from $internal to $internal
  47. block in on $int_if to 10.129.13.255
  48.  
  49. # Allow good ports
  50. pass in on $int_if proto tcp from $comps to any port $good_ports
  51.  
  52. # All to me are allowed
  53. pass in on $int_if proto tcp from $comps to $int_ip
  54. pass in on $int_if proto udp from $comps to $int_ip
  55. pass out on $int_if proto tcp from $int_ip to $comps
  56. pass out on $int_if proto udp from $int_ip to $comps
  57.  
  58. # Allow pings
  59. pass in on $int_if proto icmp from $comps to any
  60.  
  61. # Output rules
  62. block out on $ext_if all
  63. pass out on $ext_if inet proto tcp from ($ext_if) queue (std_out, tcp_ack_out)
  64. pass out on $ext_if inet proto {udp, icmp} from ($ext_if)
  65. pass out on $ext_if inet proto {tcp, udp} from ($ext_if) to port domain queue dns_out
  66. pass out on $ext_if inet proto tcp from ($ext_if) to port $messaging_ports queue (std_out, messaging_out)
  67. pass out on $ext_if inet proto tcp from ($ext_if) to port $mail_ports queue mail_out
  68. pass out on $ext_if inet proto tcp from ($ext_if) to port $web_ports queue (std_out)
  69.  
  70. # Input rules
  71. block out on $int_if all
  72. pass out on $int_if to $comps
  73. pass out on $int_if proto {tcp, udp} from port domain to $comps queue dns_in
  74. pass out on $int_if proto tcp from port $messaging_ports to $comps queue messaging_in
  75. pass out on $int_if proto tcp from port $mail_ports queue mail_in
  76. pass out on $int_if proto tcp from port $web_ports to $comps queue std_in