  1. # pre-OpenBSD 4.7
  2. #
  3. # cat /usr/src/UPDATING | grep OpenBSD
  4. #
  5. # https://www.freebsd.org/doc/handbook/firewalls-pf.html
  6. # http://www.undeadly.org/cgi?action=article&sid=20060927091645
  7. # https://calomel.org/pf_config.html
  8. # https://calomel.org/pf_hfsc.html
  9. # http://dant.net.ru/calomel/pf_config.html
  10. # http://microsux.dk/?p=321
  11. # https://ackspace.nl/wiki/OpenBSD_Firewall_/_PF
  12. # http://prefetch.net/articles/monitoringpf.html
  13. # http://www.skeptech.org/blog/2013/01/15/pf-limits-in-openbsd
  14. # https://www.packetmischief.ca/2011/02/17/hitting-the-pf-state-table-limit
  15. #
  16. # PF understands rules using port names equally well as it does port numbers.
  17. # The names are the ones listed in /etc/services.
  18. # http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml
  19. # http://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml
  20. # http://www.iana.org/assignments/icmpv6-parameters/icmpv6-parameters.xhtml
  21.  
  22. #-------------------------------------------------------------------------------
  23. # (1) PF: List and Macros
  24. #-------------------------------------------------------------------------------
  25.  
  26. # Interfaces
  27.  ext_if = "bge0"        # macro for external interface - use tun0 for PPPoE
  28.  int_if = "bge1"        # macro for internal interface
  29.  dmz_if = "bge2"        # macro for dmz interface
  30.  vpn_if = "tap0"        # macro for OpenVPN interface
  31.  
  32. # External IP address
  33.  ext_ipv4 = "181.143.123.123"
  34.  ext_ipv6 = "2800:e7:a8:6123::4"
  35.  
  36. # Internet Control Message Protocol (ICMP) Parameters
  37. # http://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml
  38.  icmp_types = "{ 0, 3, 8, 11, 12 }"
  39. #
  40. # Internet Control Message Protocol version 6 (ICMPv6) Parameters
  41. # http://www.iana.org/assignments/icmpv6-parameters/icmpv6-parameters.xhtml
  42.  icmp6_types = "{ 1, 3, 4, 128, 133, 134, 135, 136 }"
  43.  
  44. # External Ports
  45.  ext_ports_tcp = "{ ssh, ntp, 9001, 9030, 9091 }"
  46.  ext_ports_udp = "{ ntp, openvpn }"
  47.  
  48. # Internal Ports
  49.  int_ports_tcp = "{ domain, bootps, dhcpv6-server, ntp, http, https, http-alt, \
  50.     smtp, smtps, pop3, pop3s, imap, imaps, ftp-data, ftp, ssh, cvsup, svn, \
  51.     3128, 3129, 3130, 9050, 8118, 8056, 2199, 8191, 82, 2087, 8081, 8333, 1157, \
  52.     2083, 8030, 9091, 10443, 3389, 8080, 81, 8086, 8000, 465, 587, 8444, \
  53.     9447, 7005, 115, 8030, 444, 2222, 2096, 8040, 2082, 8289, 3000, 8050, \
  54.     8051, 27643, 21234, 2086, 82, 8443, 4443, 7000, 8070, 8050, 9070 \
  55.     18080:18095, 8111, 34878, 93, 182, 8091, 8543, 18255, 2880, 8888, 33, \
  56.     13101, 9876, 9000, 8501, 8100, 2091, 2048, 2128, 2061, 2158, 2129, 2154, \
  57.     9443, 6969, 2969, 2139, 2460 }"
  58.  int_ports_udp = "{ domain, bootps, dhcpv6-server, ntp, openvpn, svn, sip, snmp\
  59.     8056, 500, 1000, 1000, 8289, 8291, 9000 }"
  60.  
  61. # NFS Server https://forums.freebsd.org/threads/5123
  62.  nfs_tcp = "{ sunrpc, nfsd-status,    nfsd, lockd, mdc-portmapper, cryptoadmin }"
  63.  nfs_udp = "{ sunrpc, nfsd-keepalive, nfsd, lockd, mdc-portmapper, cryptoadmin }"
  64.  
  65. # FTP Ports
  66.  ftp_ports_tcp = "{ ftp, 2134, 9070 }"
  67.  
  68. # Sony Anycast
  69.  sonyanycast_tcp = "1935"
  70.  
  71. # ShoutCast
  72.  shoutcast_tcp = "9306"
  73.  
  74. # Wowza https://www.wowza.com/resources/WowzaStreamingEngine_UsersGuide.pdf
  75. #wowza = "1935"
  76.  
  77. # Real-Time Messaging Protocol https://en.wikipedia.org/wiki/Real-Time_Messaging_Protocol
  78.  rtmp = "1935"
  79.  
  80. # Comrex ACCESS Rack & Portable 2USB http://www.comrex.com/wp-content/uploads/2015/11/4.0-ACCESS-Addendum.pdf
  81.  comrex_tcp = "{ 8080, 80, 8082, 8090 }"
  82.  comrex_udp = "{ 9000, 9001 }"
  83.  
  84. # Centova Cast http://www.centova.com/en/faq/cast3/information/configuring_a_firewall_for_centova_cast
  85.  centovacast_tcp = "{ 2199, 2197, 21, 80, 8000:10000 }"
  86.  centovacast_server = "62.210.203.78"
  87.  
  88. # Application Manager and Avid License Control http://avid.force.com/pkb/articles/en_US/troubleshooting/en436075
  89.  avidapplicationmanager_tcp = "{ 3443, 443, 96 }"
  90.  
  91. # AviWest http://www.aviwest.com/wp-content/uploads/2016/02/DMNG_StreamHub_Installation_Guide_EN_v4.pdf
  92.  aviwest_tcp = "8888"
  93.  aviwest_udp = "{ 7900:7904 }"
  94.  
  95. # Teradek Cube 655 https://support.teradek.com/hc/en-us/articles/225690067-What-network-ports-are-needed-for-streaming-with-Live-Air-and-Live-Air-Solo-
  96.  teradek_host = "{ 172.16.8.70, 172.16.8.71, 172.16.8.72, 172.16.8.92, 172.16.16.66 }"
  97.  teradek_tcp = "{ 1935, 80, 2543, 443, 6667 }"
  98.  teradek_udp = "{ 53, 5353, 554, 49513:65535, 21572 }"
  99.  
  100. # Datavideo NVS-25
  101.  datavideo_host = "172.16.16.68"
  102.  datavideo_tcp = "{ 1935, 80, 2543, 443, 6667, 8554, 8000, 8080,  554 }"
  103.  datavideo_udp = "{ 1935, 53, 5353, 554, 49513:65535, 21572, 8554 }"
  104.  
  105. # LiveU2000 (no esta funcionando las reglas)
  106. #liveu_host = "172.16.16.23"
  107. #liveu_tcp = "{ 53, 80, 443, 10020, 8400:8600, 1935, 18255, 8543, 8601:8608, 873, 1873, 22222, 5938, 8000:8007, 9000:9007, 7775, 1945, 18265 }"
  108. #liveu_udp = "{ 53, 8601:8608, 8609:8615, 8620:8667, 8000:8007, 9100:9109, 9110, 9101, 9000:9007, 9008:9011, 9104:9107 }"
  109.  
  110. # Ofimatica
  111. # Ofimatica http://www.ofimanet.com/OfimaBotInstaladores/OfimaBotEnterprise.pdf
  112. # ftp user:password@website.ofima.com:9070
  113. # OfimaWEB
  114.  ofimaweb_host = "172.16.3.3"
  115.  ofimaweb_tcp = "46046"
  116.  
  117. # P2P (firewall and P2P in same computer)
  118. #
  119. # Transmission Port: /usr/ports/net-p2p/transmission-daemon
  120. # Transmission (tcp 51413 defaul or tcp/udp range 49152:65535)
  121.  rpc_port_tcp = "9091"                   # Control web http://<ipserver>:9091
  122.  peer_port_tcp = "51413"
  123.  peer_port_range = "{ 49152:65535 }"
  124. #
  125. # P2P (P2P in another computer)
  126. #
  127. # eMule
  128. # (Server List http://emuling.net23.net/server.met Update)
  129. # (KAD: http://www.emule-mods.it/download/nodes.dat Bootstrap)
  130.  emule_client = "172.16.50.3"
  131.  emule_tcp = "4662"
  132.  emule_udp = "{ 4665, 4672, 65535 }"
  133.  
  134. # VoIP Calls APP
  135. #
  136. # Asterisk
  137.  asterisk_udp = "{ 5060, 10000:20000 }"
  138. #
  139. # Google Hangouts -> https://support.google.com/a/answer/1279090?hl=en
  140.  hangouts_tcp = "{ 19305:19309 }"
  141.  hangouts_udp = "{ 19302:19309 }"
  142. #
  143. # Viber -> http://www.viberfaq.com/why-cant-i-use-viber-on-some-wi-fi-networks
  144.  viber_tcp = "{ 5242, 4244 }"
  145.  viber_udp = "{ 5243, 9785 }"
  146. #
  147. # Line
  148. # LINE's system uses ports 80 and 443 of the TCP service.
  149. # LINE Free Call UDP 389, 443, 554, 9400:9420, 10000:60000
  150. # LINE Premium Call (paid service) UDP 10000:60000
  151. # el ultimo rango no lo puedo abrir al ser muchos puertos
  152.  line_tcp = "{ 80, 443 }"
  153.  line_udp = "{ 389, 443, 554, 9400:9420 }"
  154. #
  155. # https://www.quora.com/What-is-the-port-number-for-whatsapp
  156.  whatsapp_tcp = "{ 4244, 5222, 5223, 5228, 5242, 50318, 59234 }"
  157. #whatsapp_udp = "{ 34784, 45395, 50318, 59234, 40000:60000 }" # El rango es muy grande
  158.  whatsapp_udp = "{ 34784, 45395, 50318, 59234, 40000:40020 }" # Abro solo 20 puertos
  159. #
  160. # Panasonic -> http://ict3.com/Data/KX-TDE200/IP_Networking_Guide.pdf
  161. #panasonic_tcp = "{ }"
  162. #panasonic_udp = "{ 9300, 2727, 8000:8063 }"
  163. #
  164. # Instant Talk Mobile Tornado
  165.  instanttalk_tcp = "{ 8081, 26000, 843, 8082, 26001, 843 }"
  166.  instanttalk_udp = "{ 25000, 25001 }"
  167. #
  168. # Vidyo (VidyoConferencing Firewall Ports) -> http://www.vidyo.com/wp-content/uploads/VidyoConferencing_Admin_Guide_2.3-B.pdf
  169.  vidyo_tcp = "{ 80, 443, 17992, 17990 }"
  170.  vidyo_udp = "{ 50000:65535 }"
  171. #
  172. # FaceTime https://support.apple.com/en-us/HT202078
  173.  facetime_tcp = "{ 80, 443, 5223 }"
  174.  facetime_udp = "{ 3478:3497, 16384:16387, 16394:16402 }"
  175. #
  176. # iMessage
  177.  imessage_tcp = "{ 80, 443, 5223 }"
  178.  
  179. # Samba service
  180.  smb_tcp = "{ loc-srv, netbios-ssn, swat, microsoft-ds }"
  181.  smb_udp = "{ netbios-ns, netbios-dgm }"
  182.  
  183. # HostGator http://support.hostgator.com/articles/specialized-help/technical/commonly-used-port-numbers
  184.  hostgator_tcp = "{ 2082, 2083, 2086, 2087, 2095, 2096, \
  185.     110, 995, 143, 993, 25, 26, 587, 465, \
  186.     80, 443, 21, 990, 22, 2222, 2077, 2078, 3306, 1433, 22, 2222, \
  187.     8880, 8443, 9998, 4643, 9001, 80, 4489, 5100 }"
  188.  
  189. # Cisco VPN Client
  190.  ciscovpn_tcp = "10000"
  191.  ciscovpn_udp = "{ 500, 4500, 10000 }"
  192.  
  193. # Squid-cache test
  194. #                Carlos      Giovani       Sergio        Miguel
  195. #squid_ipv4 = "{ 172.16.8.4, 172.16.51.12, 172.16.51.70, 172.16.2.2 }"
  196.  squid_ipv4 = "{                                         172.16.2.2 }"
  197. #squid_ipv6 = "{ fc00::8:4,  fc00::2000,   fc00::18f4,   fc00::2:2 }"
  198.  squid_ipv6 = "{                                         fc00::2:2 }"
  199.  
  200. # EMG-12 S/N: M1232 05 Thernet Modbus Gateway
  201.  emg12_host = "172.16.23.100"
  202.  emg12_tcp = "2001"
  203.  
  204. # Datafono
  205.  datafono_tcp = "{ 443, 8080 }"
  206.  
  207. # Turibus
  208.  turibus_tcp = "{ 60391, 1433, 30074 }"
  209.  
  210. #-------------------------------------------------------------------------------
  211. # (2) PF: Tables
  212. #-------------------------------------------------------------------------------
  213.  
  214. # IPv4 RFCs
  215.  table <rfc1918> { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }
  216.  table <rfc3927> { 169.254.0.0/16 }
  217.  table <rfc5735> { 192.0.2.0/24 }
  218.  table <rfc3330> { 0.0.0.0/8 }
  219.  table <rfc6890> { 240.0.0.0/4 }
  220.  
  221. # IPv6 RFCs
  222.  table <rfc4193> { fc00::/7 }
  223.  
  224. # Examples
  225. #table <clients> { 192.168.2.0/24, !192.168.2.5 }
  226. #table <clients> persist file "/etc/clients"
  227.  
  228. # Blocklists
  229.  table <blocklist1>
  230.  table <blocklist2>
  231.  table <blocklist3>
  232.  
  233. # TOR list
  234.  table <torlist>
  235.  
  236. # Example for /etc/crontab
  237. #                                                          
  238. # Bocklist1
  239. #00 05 * * * root /usr/bin/fetch -o /tmp/blocklist1.txt https://lists.blocklist.de/lists/all.txt >/dev/null 2>&
  240. #10 05 * * * root /sbin/pfctl -t blocklist1 -T replace -f /tmp/blocklist1.txt >/dev/null 2>&1
  241.  
  242. #-------------------------------------------------------------------------------
  243. # (3) PF: Options
  244. #-------------------------------------------------------------------------------
  245.  
# Misc Options
# Do not filter loopback traffic at all.
 set skip on lo
# Kernel log verbosity for pf itself.
 set debug urgent
# Blocked packets are silently dropped (no TCP RST / ICMP unreachable sent).
 set block-policy drop
# Interface whose counters pfctl -s info reports.
 set loginterface $ext_if
# States are bound to the interface they were created on, so a flow cannot
# continue on another interface using the same state.
 set state-policy if-bound
# OS fingerprint database used by "os" matching.
 set fingerprints "/etc/pf.os"
 set ruleset-optimization basic
 set optimization normal
# NOTE(review): every state/fragment/table entry costs kernel memory; one
# million states is far above the default - confirm the box has the headroom
# (see the pf-limits links in the file header).
 set limit { states 1000000, frags 1000000, src-nodes 100000, table-entries 1000000 }
  256.  
  257. #-------------------------------------------------------------------------------
# (4) PF: Packet Queueing and Prioritization
  259. #-------------------------------------------------------------------------------
  260.  
# No ALTQ support in GENERIC kernel, Build a Custom Kernel and Enabling ALTQ

# ISP Upload   = 60Mb/s (queue at 97%)
# Queue set 1 shapes traffic leaving on $ext_if; the $ext_if outbound rules
# in section (6) assign flows to these queues. Child bandwidths sum to 87%.
 altq on $ext_if bandwidth 58.20Mb hfsc queue { ack1, dns1, ssh1, web1, mail1, bulk1, bittor1, spamd1 }
  queue ack1         bandwidth 30% qlimit 500 hfsc (realtime   20%)
  queue dns1         bandwidth  5% qlimit 500 hfsc (realtime    5%)
  queue ssh1         bandwidth 20% qlimit 500 hfsc (realtime   20%) {ssh1_login1, ssh1_bulk1}
   queue ssh1_login1 bandwidth 50% qlimit 500 hfsc
   queue ssh1_bulk1  bandwidth 50% qlimit 500 hfsc
# bulk1 is the default queue: any flow not explicitly queued lands here.
  queue bulk1        bandwidth 20% qlimit 500 hfsc (realtime   20% default, ecn)
  queue web1         bandwidth  5% qlimit 500 hfsc (realtime  (10%, 10000, 5%))
  queue mail1        bandwidth  5% qlimit 500 hfsc (realtime    5%)
# bittor1/spamd1 are not referenced by any rule visible in this excerpt.
  queue bittor1      bandwidth  1% qlimit 500 hfsc (upperlimit 95%)
  queue spamd1       bandwidth  1% qlimit 500 hfsc (upperlimit 1Kb)

# ISP Download = 120Mb/s (queue at 97%)
# Queue set 2 shapes traffic leaving on $int_if (i.e. downloads towards the
# LAN); presumably assigned by $int_if outbound rules beyond this excerpt.
 altq on $int_if bandwidth 116.40Mb hfsc queue { ack2, dns2, ssh2, web2, mail2, bulk2, bittor2, spamd2 }
  queue ack2         bandwidth 30% qlimit 500 hfsc (realtime   20%)
  queue dns2         bandwidth  5% qlimit 500 hfsc (realtime    5%)
  queue ssh2         bandwidth 20% qlimit 500 hfsc (realtime   20%) {ssh2_login2, ssh2_bulk2}
   queue ssh2_login2 bandwidth 50% qlimit 500 hfsc
   queue ssh2_bulk2  bandwidth 50% qlimit 500 hfsc
  queue bulk2        bandwidth 20% qlimit 500 hfsc (realtime   20% default, ecn)
  queue web2         bandwidth  5% qlimit 500 hfsc (realtime  (10%, 10000, 5%))
  queue mail2        bandwidth  5% qlimit 500 hfsc (realtime    5%)
  queue bittor2      bandwidth  1% qlimit 500 hfsc (upperlimit 95%)
  queue spamd2       bandwidth  1% qlimit 500 hfsc (upperlimit 1Kb)
  288.  
  289. #-------------------------------------------------------------------------------
# (5) PF: Network Address Translation (NAT) and Packet Redirection
  291. #-------------------------------------------------------------------------------
  292.  
# No nat for this IP
#no nat                     on $ext_if inet                         from 172.16.52.198   to any
#no nat                     on $ext_if inet6                        from fc00::1128      to any

# Internet (NAT IPv4 = yes | NAT IPv6 = yes)
# Everything leaving on $ext_if is rewritten to the static external address.
 nat                        on $ext_if inet                         from any             to any                     ->  $ext_ipv4
 nat                        on $ext_if inet6                        from any             to any                     ->  $ext_ipv6

# OpenVPN
# Source-NAT to the first address of the tunnel interface.
 nat                        on $vpn_if inet                         from any             to any                     -> ($vpn_if:0)
 nat                        on $vpn_if inet6                        from any             to any                     -> ($vpn_if:0)

# FTP-Proxy
 nat-anchor "ftp-proxy/*"
 rdr-anchor "ftp-proxy/*"

# Redirect FTP traffic to proxy (ftp-proxy)
 rdr pass                   on $int_if inet  proto       tcp        from any             to any port $ftp_ports_tcp -> 127.0.0.1      port ftp-proxy
 rdr pass                   on $int_if inet6 proto       tcp        from any             to any port $ftp_ports_tcp -> ::1            port ftp-proxy

#=================== SQUID =====================================

# Intercept HTTPS CONNECT messages with SSL-Bump

#rdr pass                   on $int_if inet  proto       tcp        from any             to any port https          -> 172.16.1.1     port 3130
#rdr pass                   on $int_if inet6 proto       tcp        from any             to any port https          -> fc00::1:1      port 3130

#rdr pass                   on $int_if inet  proto       tcp        from $squid_ipv4     to any port https          -> 172.16.1.1     port 3130
#rdr pass                   on $int_if inet6 proto       tcp        from $squid_ipv6     to any port https          -> fc00::1:1      port 3130

#=================== SQUID =====================================

# NOTE(review): every forward below is "rdr pass". With the pre-4.7 syntax
# used here, packets matching an "rdr pass" rule are passed without
# consulting the filter rules in section (6), so "block log all" and the
# bogon/blocklist block rules do not apply to these services, and each one
# is reachable from any Internet source. Dropping "pass" from the rdr rules
# and adding explicit "pass in" rules with a restricted "from" would bring
# them back under the filter policy.

# DC SSH (ssh user@domain.com -p 2222)
 rdr pass                   on $ext_if inet  proto       tcp        from any             to port 2222               -> 172.16.3.1     port 22
 rdr pass                   on $ext_if inet6 proto       tcp        from any             to port 2222               -> fc00::3:1      port 22

# NS1 SSH
 rdr pass                   on $ext_if inet  proto       tcp        from any             to port 2223               -> 172.16.2.1     port 22
 rdr pass                   on $ext_if inet6 proto       tcp        from any             to port 2223               -> fc00::2:1      port 22

# NS2 SSH
 rdr pass                   on $ext_if inet  proto       tcp        from any             to port 2224               -> 172.16.2.2     port 22
 rdr pass                   on $ext_if inet6 proto       tcp        from any             to port 2224               -> fc00::2:2      port 22

# Temporary server
 rdr pass                   on $ext_if inet  proto       tcp        from any             to port 2225               -> 172.16.3.111   port 22
 rdr pass                   on $ext_if inet6 proto       tcp        from any             to port 2225               -> fc00::3:111    port 22

# DC HTTP
 rdr pass                   on $ext_if inet  proto       tcp        from any             to port http               -> 172.16.3.1     port http
 rdr pass                   on $ext_if inet6 proto       tcp        from any             to port http               -> fc00::3:1      port http

# DC HTTPS
 rdr pass                   on $ext_if inet  proto       tcp        from any             to port https              -> 172.16.3.1     port https
 rdr pass                   on $ext_if inet6 proto       tcp        from any             to port https              -> fc00::3:1      port https

# DC PostgreSQL
# NOTE(review): a database listener exposed to any source; if remote access
# is required, limit "from any" to the client addresses or move it behind
# the VPN.
 rdr pass                   on $ext_if inet  proto       tcp        from any             to port postgresql         -> 172.16.3.1     port postgresql
 rdr pass                   on $ext_if inet6 proto       tcp        from any             to port postgresql         -> fc00::3:1      port postgresql

# UPS / HVAC management web interfaces (plain HTTP on the devices).
# NOTE(review): reachable from any source; their credentials travel in
# clear text over port 80 - restrict the source or reach them via the VPN.
# UPS APC
 rdr pass                   on $ext_if inet  proto       tcp        from any             to port 81                 -> 172.16.22.1    port 80

# UPS ALPHA
 rdr pass                   on $ext_if inet  proto       tcp        from any             to port 82                 -> 172.16.22.2    port 80

# UPS Emerson
 rdr pass                   on $ext_if inet  proto       tcp        from any             to port 83                 -> 172.16.22.3    port 80

# HVAC (AIRE) Johnson controller
 rdr pass                   on $ext_if inet  proto       tcp        from any             to port 85                 -> 172.16.18.1    port 80

# Tandberg RX8200 receiver
#rdr pass                   on $ext_if inet  proto       tcp        from any             to port 86                 -> 172.16.16.65   port 80

# Tandberg RX8200 receiver
#rdr pass                   on $ext_if inet  proto       tcp        from any             to port 87                 -> 172.16.16.64   port 80

# Matrox Monarch MGX1920 S/N: BP81698
 rdr pass                   on $ext_if inet  proto       tcp        from any             to port 88                 -> 172.16.16.66   port 80

# Data Video
 rdr pass                   on $ext_if inet  proto       tcp        from any             to port 89                 -> 172.16.16.68   port 80

# Windows Remote Desktop forwards.
# NOTE(review): RDP and VNC from any source are common brute-force targets;
# restricting the source or moving them behind the VPN is the usual fix.
# Windows Remote Desktop redirect (FOXTROT)
 rdr pass                   on $ext_if inet  proto       tcp        from any             to port 3389               -> 172.16.3.3     port 3389

# Windows Remote Desktop redirect (MXL7012PZ3)
 rdr pass                   on $ext_if inet  proto       tcp        from any             to port 3390               -> 172.16.8.32    port 3389

# HP Compaq Pro 6300 SFF MXL2491K5M (Carlos Duque)
 rdr pass                   on $ext_if inet  proto       tcp        from any             to port 3391               -> 172.16.9.4     port 3389

# HP Compaq Elite 8300 Convertible Microtower S/N: MXL3151M2M
# Windows Remote Desktop
 rdr pass                   on $ext_if inet  proto       tcp        from any             to port 3392               -> 172.16.8.47    port 3389
 rdr pass                   on $ext_if inet6 proto       tcp        from any             to port 3392               -> fc00::8:47     port 3389
# RealVNC
 rdr pass                   on $ext_if inet  proto       tcp        from any             to port 5900               -> 172.16.8.47    port 5900
 rdr pass                   on $ext_if inet6 proto       tcp        from any             to port 5900               -> fc00::8:47     port 5900

# Clear-Com -> IVC32
 rdr pass                   on $ext_if inet  proto     { tcp, udp } from any             to port 6001               -> 172.16.16.41   port 6001

# ConcertPC -> ConcertServer (CentOS)
 rdr pass                   on $ext_if inet  proto     { tcp, udp } from any             to port 6002               -> 172.16.16.47   port 6001

# Panasonic KX-TDE200BX
# NOTE(review): the commented rule pairs "proto tcp" with $panasonic_udp -
# check protocol and macro before enabling it.
#rdr pass                   on $ext_if inet  proto       tcp        from any             to port $panasonic_udp     -> 172.16.12.1

# Control
 rdr pass                   on $ext_if inet  proto       tcp        from any             to port 554                -> 172.16.16.16   port 554

# Link Electronics SCE-492 S/N: 171 (Closed Caption)
# No "port" on the target: redirected to the same port (10001).
 rdr pass                   on $ext_if inet  proto       tcp        from any             to port 10001              -> 172.16.16.59

# HP HP Compaq d220 MT S/N: MXD412067V
 rdr pass                   on $ext_if inet  proto     { tcp, udp } from any             to port 5003               -> 172.16.8.48

# Asterisk
# NOTE(review): SIP (5060) and the RTP range forwarded from any source;
# limiting "from" to the SIP provider's addresses is the usual mitigation.
 rdr pass                   on $ext_if inet  proto            udp   from any             to port $asterisk_udp      -> 172.16.3.1
 rdr pass                   on $ext_if inet6 proto            udp   from any             to port $asterisk_udp      -> fc00::3:1

# eMule
 rdr pass                   on $ext_if inet  proto       tcp        from any             to port $emule_tcp         -> $emule_client
 rdr pass                   on $ext_if inet  proto            udp   from any             to port $emule_udp         -> $emule_client

# Liveu2000 (the rules are not working)
#rdr pass                   on $ext_if inet  proto       tcp        from any             to port $liveu_tcp         -> $liveu_host
#rdr pass                   on $ext_if inet  proto            udp   from any             to port $liveu_udp         -> $liveu_host

# OfimaWEB
 rdr pass                   on $ext_if inet  proto       tcp        from any             to port $ofimaweb_tcp      -> $ofimaweb_host

# EMG-12 S/N: M1232 05 Ethernet Modbus Gateway
# NOTE(review): Modbus/TCP has no authentication of its own; with "from any"
# the gateway is controllable by anyone who can reach $ext_if. Restrict the
# source to the hosts that legitimately poll it.
 rdr pass                   on $ext_if inet  proto       tcp        from any             to port $emg12_tcp         -> $emg12_host
  429.  
  430. #-------------------------------------------------------------------------------
  431. # (6) PF: Packet Filtering
  432. #-------------------------------------------------------------------------------
  433.  
  434. # FTP-Proxy
  435. # We need to have an anchor for ftp-proxy
  436.  anchor "ftp-proxy/*"
  437.  
  438. # Blocking Spoofed Packets (Paquetes Falsificados)
  439. # https://home.nuug.no/~peter/pf/newest/antispoof.html
  440.  antispoof for $ext_if
  441.  antispoof for $int_if
  442.  
  443. # Default block all
  444.  block            log all
  445.  
  446. #-------------------------------------------------------------------------------
  447. # Filter rules for $ext_if inbound
  448.  
  449. # Temporarily allow all, do not leave active!
  450. #pass         in  log       on $ext_if inet  proto       tcp        from any             to any
  451. #pass         in  log       on $ext_if inet6 proto       tcp        from any             to any
  452. #pass         in  log       on $ext_if inet  proto            udp   from any             to any
  453. #pass         in  log       on $ext_if inet6 proto            udp   from any             to any
  454.  
  455. # SSH
  456.  pass         in  log       on $ext_if inet  proto       tcp        from any             to port ssh
  457.  pass         in  log       on $ext_if inet6 proto       tcp        from any             to port ssh
  458.  
  459. # Web
  460.  pass         in  log       on $ext_if inet  proto       tcp        from any             to any port { http, https }
  461.  pass         in  log       on $ext_if inet6 proto       tcp        from any             to any port { http, https }
  462.  
  463. # External Ports
  464.  pass         in  log       on $ext_if inet  proto       tcp        from any             to any port $ext_ports_tcp
  465.  pass         in  log       on $ext_if inet6 proto       tcp        from any             to any port $ext_ports_tcp
  466.  pass         in  log       on $ext_if inet  proto            udp   from any             to any port $ext_ports_udp
  467.  pass         in  log       on $ext_if inet6 proto            udp   from any             to any port $ext_ports_udp
  468.  
  469. # Allow in the default range for traceroute(8)
  470. # "base+nhops*nqueries-1" (33434+64*3-1)
  471.  pass         in  log       on $ext_if inet  proto            udp   from any             to any port 33434:33625
  472.  pass         in  log       on $ext_if inet6 proto            udp   from any             to any port 33434:33625
  473.  
  474. # Allow in  ICMP Traffic
  475.  pass         in  log quick on $ext_if inet  proto icmp  icmp-type  $icmp_types
  476.  pass         in  log quick on $ext_if inet6 proto icmp6 icmp6-type $icmp6_types
  477.  
  478. # IPv4 RFCs
  479.  block drop   in  log quick on $ext_if inet                         from { <rfc1918>, <rfc3927>, <rfc5735>, <rfc3330>, <rfc6890> }
  480.  
  481. # IPv6 RFCs
  482.  block drop   in  log quick on $ext_if inet6                        from { <rfc4193> }
  483.  
  484. # Examples
  485. #pass         in  log       on $ext_if inet                         from { <clients> }
  486.  
  487. # Blocklists
  488.  block drop   in  log quick on $ext_if inet                         from { <blocklist1>, <blocklist2>, <blocklist3> }
  489.  block drop   in  log quick on $ext_if inet6                        from { <blocklist1>, <blocklist2>, <blocklist3> }
  490.  
  491. # TOR list
  492. #block drop   in  log quick on $ext_if inet                         from <torlist>
  493. #block drop   in  log quick on $ext_if inet6                        from <torlist>
  494.  
  495. #-------------------------------------------------------------------------------
  496. # Filter rules for $ext_if outbound
  497.  
  498. # Server out to all                                                                                                                                          # Upload   (1)
  499.  pass         out log       on $ext_if inet  proto       tcp        from ($ext_if)       to any                                                              queue (bulk1, ack1)
  500.  pass         out log       on $ext_if inet6 proto       tcp        from ($ext_if)       to any                                                              queue (bulk1, ack1)
  501.  pass         out log       on $ext_if inet  proto            udp   from ($ext_if)       to any                                                              queue (bulk1, ack1)
  502.  pass         out log       on $ext_if inet6 proto            udp   from ($ext_if)       to any                                                              queue (bulk1, ack1)
  503.  
  504. # SSH
  505.  pass         out log       on $ext_if inet  proto       tcp        from ($ext_if)       to any port ssh                                                     queue (ssh1_bulk1, ssh1_login1)
  506.  pass         out log       on $ext_if inet6 proto       tcp        from ($ext_if)       to any port ssh                                                     queue (ssh1_bulk1, ssh1_login1)
  507.  
  508. # Web
  509.  pass         out log       on $ext_if inet  proto       tcp        from ($ext_if)       to any port { http, https }                                         queue (web1, ack1)
  510.  pass         out log       on $ext_if inet6 proto       tcp        from ($ext_if)       to any port { http, https }                                         queue (web1, ack1)
  511.  
  512. # Mail
  513.  pass         out log       on $ext_if inet  proto       tcp        from ($ext_if)       to any port { smtp, smtps, pop3, pop3s, imap, imaps, 465, 587 }     queue (mail1, ack1)
  514.  pass         out log       on $ext_if inet6 proto       tcp        from ($ext_if)       to any port { smtp, smtps, pop3, pop3s, imap, imaps, 465, 587 }     queue (mail1, ack1)
  515.  
  516. # DNS
  517.  pass         out log       on $ext_if inet  proto            udp   from ($ext_if)       to any port domain                                                  queue (dns1, ack1)
  518.  pass         out log       on $ext_if inet6 proto            udp   from ($ext_if)       to any port domain                                                  queue (dns1, ack1)
  519.  
  520. # All other UDP
  521.  pass         out log       on $ext_if inet  proto            udp   from ($ext_if)       to any                                                              queue (bulk1, ack1)
  522.  pass         out log       on $ext_if inet6 proto            udp   from ($ext_if)       to any                                                              queue (bulk1, ack1)
  523.  
  524. # Allow in the default range for traceroute(8)
  525. # "base+nhops*nqueries-1" (33434+64*3-1)
  526.  pass         out log       on $ext_if inet  proto            udp   from ($ext_if)       to any port 33434:33625                                             queue (ack1)
  527.  pass         out log       on $ext_if inet6 proto            udp   from ($ext_if)       to any port 33434:33625                                             queue (ack1)
  528.  
  529. # Allow out ICMP Traffic
  530.  pass         out log quick on $ext_if inet  proto icmp  icmp-type  $icmp_types                                                                              queue (ack1)
  531.  pass         out log quick on $ext_if inet6 proto icmp6 icmp6-type $icmp6_types                                                                             queue (ack1)
  532.  
  533. # IPv4 RFCs
  534.  block drop   out log quick on $ext_if inet                         from { <rfc1918>, <rfc3927>, <rfc5735>, <rfc3330>, <rfc6890> }
  535.  
  536. # IPv6 RFCs
  537.  block drop   out log quick on $ext_if inet6                        from { <rfc4193> }
  538.  
  539. # Examples
  540. #pass         out log       on $ext_if inet                         from { <clients> }
  541.  
# Blocklists
# NOTE(review): on an outbound rule on $ext_if the source address is normally
# this host's own (or, with pre-4.7 NAT, already translated) address, so
# `from <blocklist>` will seldom match. If the intent is to stop egress *to*
# listed hosts, the rule needs `to { <blocklist1>, ... }` instead of (or in
# addition to) `from` - confirm against the inbound section, which is not
# visible here.
 block drop   out log quick on $ext_if inet                         from { <blocklist1>, <blocklist2>, <blocklist3> }
 block drop   out log quick on $ext_if inet6                        from { <blocklist1>, <blocklist2>, <blocklist3> }

# TOR list (disabled). The same `from` vs `to` caveat as above applies.
#block drop   out log quick on $ext_if inet                         from <torlist>
#block drop   out log quick on $ext_if inet6                        from <torlist>
  549.  
#-------------------------------------------------------------------------------
# Filter rules for $int_if inbound (traffic from the LAN entering the firewall)

# Temporarily allow all, do not leave active!
#pass         in  log       on $int_if inet  proto       tcp        from  any            to any
#pass         in  log       on $int_if inet6 proto       tcp        from  any            to any
#pass         in  log       on $int_if inet  proto            udp   from  any            to any
#pass         in  log       on $int_if inet6 proto            udp   from  any            to any

# Temporarily allow all to one computer
# NOTE(review): ACTIVE in this revision. 172.16.12.214 gets unrestricted
# TCP/UDP egress on $int_if (any destination, any port), which bypasses every
# per-service rule below. Remove or comment out once troubleshooting is done;
# the IPv6 counterpart (fc00::1d8e) is disabled.
 pass         in  log       on $int_if inet  proto       tcp        from  172.16.12.214  to any
#pass         in  log       on $int_if inet6 proto       tcp        from  fc00::1d8e     to any
 pass         in  log       on $int_if inet  proto            udp   from  172.16.12.214  to any
#pass         in  log       on $int_if inet6 proto            udp   from  fc00::1d8e     to any
  564.  
# Internal Ports
# Matched on destination port only ($int_ports_tcp / $int_ports_udp are
# defined earlier in the file, not visible here). The destination is `any`,
# i.e. these ports are reachable from the LAN on any network, not just
# locally - confirm that is intended.
 pass         in  log       on $int_if inet  proto       tcp        from  any            to any port $int_ports_tcp
 pass         in  log       on $int_if inet6 proto       tcp        from  any            to any port $int_ports_tcp
 pass         in  log       on $int_if inet  proto            udp   from  any            to any port $int_ports_udp
 pass         in  log       on $int_if inet6 proto            udp   from  any            to any port $int_ports_udp

# Allow in the default destination-port range used by traceroute(8)
# "base+nhops*nqueries-1" (33434+64*3-1) = 33434-33625
 pass         in  log       on $int_if inet  proto            udp   from  any            to any port 33434:33625
 pass         in  log       on $int_if inet6 proto            udp   from  any            to any port 33434:33625
  575.  
# VoIP / messaging applications
# Each application is matched on destination port only, from any LAN host to
# any destination. The $*_tcp / $*_udp port macros are defined earlier in
# the file (not visible here). Applications left commented out are
# intentionally disabled.
#
# Google Hangouts
 pass         in  log       on $int_if inet  proto       tcp        from  any            to any port $hangouts_tcp
 pass         in  log       on $int_if inet6 proto       tcp        from  any            to any port $hangouts_tcp
 pass         in  log       on $int_if inet  proto            udp   from  any            to any port $hangouts_udp
 pass         in  log       on $int_if inet6 proto            udp   from  any            to any port $hangouts_udp
#
# Viber (disabled)
#pass         in  log       on $int_if inet  proto       tcp        from  any            to any port $viber_tcp
#pass         in  log       on $int_if inet6 proto       tcp        from  any            to any port $viber_tcp
#pass         in  log       on $int_if inet  proto            udp   from  any            to any port $viber_udp
#pass         in  log       on $int_if inet6 proto            udp   from  any            to any port $viber_udp
#
# Line (disabled)
#pass         in  log       on $int_if inet  proto       tcp        from  any            to any port $line_tcp
#pass         in  log       on $int_if inet6 proto       tcp        from  any            to any port $line_tcp
#pass         in  log       on $int_if inet  proto            udp   from  any            to any port $line_udp
#pass         in  log       on $int_if inet6 proto            udp   from  any            to any port $line_udp
#
# WhatsApp
 pass         in  log       on $int_if inet  proto       tcp        from  any            to any port $whatsapp_tcp
 pass         in  log       on $int_if inet6 proto       tcp        from  any            to any port $whatsapp_tcp
 pass         in  log       on $int_if inet  proto            udp   from  any            to any port $whatsapp_udp
 pass         in  log       on $int_if inet6 proto            udp   from  any            to any port $whatsapp_udp
#
# Instant Talk Mobile Tornado (disabled)
#pass         in  log       on $int_if inet  proto       tcp        from  any            to any port $instanttalk_tcp
#pass         in  log       on $int_if inet6 proto       tcp        from  any            to any port $instanttalk_tcp
#pass         in  log       on $int_if inet  proto            udp   from  any            to any port $instanttalk_udp
#pass         in  log       on $int_if inet6 proto            udp   from  any            to any port $instanttalk_udp
#
# Vidyo (disabled)
#pass         in  log       on $int_if inet  proto       tcp        from  any            to any port $vidyo_tcp
#pass         in  log       on $int_if inet6 proto       tcp        from  any            to any port $vidyo_tcp
#pass         in  log       on $int_if inet  proto            udp   from  any            to any port $vidyo_udp
#pass         in  log       on $int_if inet6 proto            udp   from  any            to any port $vidyo_udp
#
# FaceTime
 pass         in  log       on $int_if inet  proto       tcp        from  any            to any port $facetime_tcp
 pass         in  log       on $int_if inet6 proto       tcp        from  any            to any port $facetime_tcp
 pass         in  log       on $int_if inet  proto            udp   from  any            to any port $facetime_udp
 pass         in  log       on $int_if inet6 proto            udp   from  any            to any port $facetime_udp
#
# iMessage (TCP only)
 pass         in  log       on $int_if inet  proto       tcp        from  any            to any port $imessage_tcp
 pass         in  log       on $int_if inet6 proto       tcp        from  any            to any port $imessage_tcp
  623.  
# SAMBA from LAN
# NOTE(review): the destination is `any`, so SMB/CIFS from the LAN can also
# leave towards the Internet through this box; nothing later in this $int_if
# inbound section narrows it (an earlier `quick` block could, but none is
# visible here). Restricting `to` the LAN/DMZ networks is the usual practice,
# since SMB to untrusted hosts leaks credentials and is a common worm vector.
 pass         in  log       on $int_if inet  proto       tcp        from  any            to any port $smb_tcp
 pass         in  log       on $int_if inet6 proto       tcp        from  any            to any port $smb_tcp
 pass         in  log       on $int_if inet  proto            udp   from  any            to any port $smb_udp
 pass         in  log       on $int_if inet6 proto            udp   from  any            to any port $smb_udp
  629.  
# HostGator (hosting provider; TCP ports in $hostgator_tcp, defined elsewhere)
 pass         in  log       on $int_if inet  proto       tcp        from  any            to any port $hostgator_tcp
 pass         in  log       on $int_if inet6 proto       tcp        from  any            to any port $hostgator_tcp

# Cisco VPN Client
# Only TCP/UDP ports are passed. If the client negotiates plain ESP
# (IP protocol 50) instead of UDP-encapsulated IPsec, an additional
# `proto esp` rule would be needed - not visible here, confirm with the
# client configuration.
 pass         in  log       on $int_if inet  proto       tcp        from  any            to any port $ciscovpn_tcp
 pass         in  log       on $int_if inet6 proto       tcp        from  any            to any port $ciscovpn_tcp
 pass         in  log       on $int_if inet  proto            udp   from  any            to any port $ciscovpn_udp
 pass         in  log       on $int_if inet6 proto            udp   from  any            to any port $ciscovpn_udp
  639.  
# NFS
# NOTE(review): as with SMB above, the destination is `any`, so NFS traffic
# from the LAN is not confined to local networks. Consider restricting `to`
# the hosts/networks that actually export file systems.
 pass         in  log       on $int_if inet  proto       tcp        from  any            to any port $nfs_tcp
 pass         in  log       on $int_if inet6 proto       tcp        from  any            to any port $nfs_tcp
 pass         in  log       on $int_if inet  proto            udp   from  any            to any port $nfs_udp
 pass         in  log       on $int_if inet6 proto            udp   from  any            to any port $nfs_udp
  645.  
# Broadcast / streaming equipment and miscellaneous business applications.
# Rules with `from $*_host` are limited to a single source device (IPv4
# only); all macros are defined earlier in the file, not visible here.

# Sony Anycast
 pass         in  log       on $int_if inet  proto       tcp        from  any            to any port $sonyanycast_tcp
 pass         in  log       on $int_if inet6 proto       tcp        from  any            to any port $sonyanycast_tcp

# ShoutCast
 pass         in  log       on $int_if inet  proto       tcp        from  any            to any port $shoutcast_tcp
 pass         in  log       on $int_if inet6 proto       tcp        from  any            to any port $shoutcast_tcp

# Wowza (disabled)
#pass         in  log       on $int_if inet  proto       tcp        from  any            to any port $wowza
#pass         in  log       on $int_if inet6 proto       tcp        from  any            to any port $wowza

# Real-Time Messaging Protocol
 pass         in  log       on $int_if inet  proto       tcp        from  any            to any port $rtmp
 pass         in  log       on $int_if inet6 proto       tcp        from  any            to any port $rtmp

# Comrex ACCESS Rack & Portable 2USB
 pass         in  log       on $int_if inet  proto       tcp        from  any            to any port $comrex_tcp
 pass         in  log       on $int_if inet6 proto       tcp        from  any            to any port $comrex_tcp
 pass         in  log       on $int_if inet  proto            udp   from  any            to any port $comrex_udp
 pass         in  log       on $int_if inet6 proto            udp   from  any            to any port $comrex_udp

# Centova Cast - the only rule here that also pins the destination host
 pass         in  log       on $int_if inet  proto       tcp        from  any            to $centovacast_server port $centovacast_tcp

# Application Manager and Avid License Control
 pass         in  log       on $int_if inet  proto       tcp        from  any            to any port $avidapplicationmanager_tcp
 pass         in  log       on $int_if inet6 proto       tcp        from  any            to any port $avidapplicationmanager_tcp

# Aviwest
 pass         in  log       on $int_if inet  proto       tcp        from  any            to any port $aviwest_tcp
 pass         in  log       on $int_if inet6 proto       tcp        from  any            to any port $aviwest_tcp
 pass         in  log       on $int_if inet  proto            udp   from  any            to any port $aviwest_udp
 pass         in  log       on $int_if inet6 proto            udp   from  any            to any port $aviwest_udp

# Teradek Cube 655 (source limited to $teradek_host, IPv4 only)
 pass         in  log       on $int_if inet  proto       tcp        from  $teradek_host  to any port $teradek_tcp
 pass         in  log       on $int_if inet  proto            udp   from  $teradek_host  to any port $teradek_udp

# Datavideo NVS-25 (source limited to $datavideo_host, IPv4 only)
 pass         in  log       on $int_if inet  proto       tcp        from  $datavideo_host  to any port $datavideo_tcp
 pass         in  log       on $int_if inet  proto            udp   from  $datavideo_host  to any port $datavideo_udp

# LiveU2000 (disabled: the rules are not working - cause not recorded;
# presumably the unit needs ports or protocols outside $liveu_tcp/$liveu_udp,
# verify with a packet capture before re-enabling)
#pass         in  log       on $int_if inet  proto       tcp        from  $liveu_host    to any port $liveu_tcp
#pass         in  log       on $int_if inet  proto            udp   from  $liveu_host    to any port $liveu_udp

# OfimaWEB (source limited to $ofimaweb_host, IPv4 only)
 pass         in  log       on $int_if inet  proto       tcp        from  $ofimaweb_host to any port $ofimaweb_tcp

# EMG-12 S/N: M1232 05 Ethernet Modbus Gateway (source limited to $emg12_host)
 pass         in  log       on $int_if inet  proto       tcp        from  $emg12_host    to any port $emg12_tcp

# Datafono (payment card terminal)
 pass         in  log       on $int_if inet  proto       tcp        from  any            to any port $datafono_tcp
 pass         in  log       on $int_if inet6 proto       tcp        from  any            to any port $datafono_tcp

# Turibus
 pass         in  log       on $int_if inet  proto       tcp        from  any            to any port $turibus_tcp
 pass         in  log       on $int_if inet6 proto       tcp        from  any            to any port $turibus_tcp
  706.  
# Allow in ICMP traffic from the LAN (types limited to $icmp_types / $icmp6_types)
# `quick`: evaluation stops here for matching ICMP packets.
 pass         in  log quick on $int_if inet  proto icmp  icmp-type  $icmp_types
 pass         in  log quick on $int_if inet6 proto icmp6 icmp6-type $icmp6_types
  710.  
#-------------------------------------------------------------------------------
# Filter rules for $int_if outbound (traffic from the firewall towards the LAN)

# Server out to all - Download queue set (2)
# Unrestricted pass-out for TCP/UDP on $int_if. The rules that follow are
# identical except for `port` and `queue`, so with pf's last-match-wins
# evaluation their only effect is to place specific services in their own
# queues; they do not restrict anything.
 pass         out log       on $int_if inet  proto       tcp        from  any            to any                                                              queue (bulk2, ack2)
 pass         out log       on $int_if inet6 proto       tcp        from  any            to any                                                              queue (bulk2, ack2)
 pass         out log       on $int_if inet  proto            udp   from  any            to any                                                              queue (bulk2, ack2)
 pass         out log       on $int_if inet6 proto            udp   from  any            to any                                                              queue (bulk2, ack2)

# SSH
 pass         out log       on $int_if inet  proto       tcp        from  any            to any port ssh                                                     queue (ssh2_bulk2, ssh2_login2)
 pass         out log       on $int_if inet6 proto       tcp        from  any            to any port ssh                                                     queue (ssh2_bulk2, ssh2_login2)

# Web
 pass         out log       on $int_if inet  proto       tcp        from  any            to any port { http, https }                                         queue (web2, ack2)
 pass         out log       on $int_if inet6 proto       tcp        from  any            to any port { http, https }                                         queue (web2, ack2)

# Mail (465 duplicates smtps; 587 is the submission port)
 pass         out log       on $int_if inet  proto       tcp        from  any            to any port { smtp, smtps, pop3, pop3s, imap, imaps, 465, 587 }     queue (mail2, ack2)
 pass         out log       on $int_if inet6 proto       tcp        from  any            to any port { smtp, smtps, pop3, pop3s, imap, imaps, 465, 587 }     queue (mail2, ack2)

# DNS - TCP only; UDP/53 has no rule here and stays in bulk2 via the
# catch-all above. Add a `proto udp ... port domain` rule if DNS should be
# queued as dns2 as it is on $ext_if.
 pass         out log       on $int_if inet  proto       tcp        from  any            to any port domain                                                  queue (dns2, ack2)
 pass         out log       on $int_if inet6 proto       tcp        from  any            to any port domain                                                  queue (dns2, ack2)

# Allow out the default destination-port range used by traceroute(8)
# "base+nhops*nqueries-1" (33434+64*3-1) = 33434-33625
 pass         out log       on $int_if inet  proto            udp   from  any            to any port 33434:33625                                             queue (ack2)
 pass         out log       on $int_if inet6 proto            udp   from  any            to any port 33434:33625                                             queue (ack2)

# Allow out ICMP traffic (types limited to $icmp_types / $icmp6_types)
 pass         out log quick on $int_if inet  proto icmp  icmp-type  $icmp_types                                                                              queue (ack2)
 pass         out log quick on $int_if inet6 proto icmp6 icmp6-type $icmp6_types                                                                             queue (ack2)
  744.  
  745. #-------------------------------------------------------------------------------
  746. # Filter rules for $dmz_if inbound
  747.  
  748. # Future rules here
  749.  
  750. #-------------------------------------------------------------------------------
# Filter rules for $dmz_if outbound
  752.  
  753. # Future rules here
  754.  
#-------------------------------------------------------------------------------
# Filter rules for $vpn_if inbound (traffic arriving from OpenVPN peers)

# Allow in all
# NOTE(review): every peer on $vpn_if is fully trusted - no source,
# destination or port restriction - so any client that completes the OpenVPN
# handshake can reach whatever this host forwards to. Narrow `from`/`to`
# (e.g. to the VPN pool and the services VPN users need) once known.
 pass         in  log       on $vpn_if inet  proto       tcp        from any             to any
 pass         in  log       on $vpn_if inet6 proto       tcp        from any             to any
 pass         in  log       on $vpn_if inet  proto            udp   from any             to any
 pass         in  log       on $vpn_if inet6 proto            udp   from any             to any

# Allow in ICMP traffic (types limited to $icmp_types / $icmp6_types)
 pass         in  log quick on $vpn_if inet  proto icmp  icmp-type  $icmp_types
 pass         in  log quick on $vpn_if inet6 proto icmp6 icmp6-type $icmp6_types

#-------------------------------------------------------------------------------
# Filter rules for $vpn_if outbound (traffic sent towards OpenVPN peers)

# Allow out all - unrestricted, mirrors the inbound side.
 pass         out log       on $vpn_if inet  proto       tcp        from any             to any
 pass         out log       on $vpn_if inet6 proto       tcp        from any             to any
 pass         out log       on $vpn_if inet  proto            udp   from any             to any
 pass         out log       on $vpn_if inet6 proto            udp   from any             to any

# Allow out ICMP traffic (types limited to $icmp_types / $icmp6_types)
 pass         out log quick on $vpn_if inet  proto icmp  icmp-type  $icmp_types
 pass         out log quick on $vpn_if inet6 proto icmp6 icmp6-type $icmp6_types
  780.  
  781. #-------------------------------------------------------------------------------