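# $OpenBSD: pf.conf,v 1.37 2008/05/09 06:04:08 reyk Exp $
#
# See pf.conf(5) for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.
#
# Layout: two uplinks ($ext_if and $vpn_if) in front of one LAN ($int_if).
# Two hosts are reachable from outside ($wall on the LAN, $postfix on the
# $vpn_if segment) and one LAN host ($server) has all of its outbound
# traffic forced over $vpn_if. The file uses the pre-OpenBSD 4.7 nat/rdr
# syntax. pf evaluates filter rules last-match-wins unless a rule carries
# "quick", which is what the route-to rules at the end rely on.

#
# Macros: define common values, so they can be referenced and changed easily.
#
ext_if="sk0"   # replace with actual external interface name i.e., dc0
vpn_if="nfe0"  # second uplink; OpenVPN is reached through this one
int_if="em0"   # replace with actual internal interface name i.e., dc1
vpn_gw="192.168.0.1"
ext_gw="192.168.10.1"
# tcp_services and icmp_types are currently only referenced by disabled rules
tcp_services = "{ 22, 113 }"
icmp_types = "echoreq"
# RFC 1918 plus loopback. The earlier value 192.168.1.0/16 had host bits set
# and was not a valid prefix; the RFC 1918 block is 192.168.0.0/16.
# NOTE: both uplink gateways ($ext_gw, $vpn_gw) live inside 192.168.0.0/16,
# so the $priv_nets block rules further down must stay disabled unless the
# gateway networks are excluded first.
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
local_net = "192.168.6.0/24"
# NOTE(review): $postfix is on the $vpn_if segment, not in $local_net;
# the rdr on $vpn_if for port 25 therefore sends traffic back out the same
# segment it arrived on - confirm that is intended.
postfix = "192.168.0.2"
wall = "192.168.6.6"
server = "192.168.6.8"
wall_allowed_ports = "{ 22, 443 }"
postfix_allowed_ports = "{ 25, 10025 }"

#
# options
#
# drop silently instead of answering with RST / ICMP unreachable
set block-policy drop
set loginterface $ext_if
#set state-policy if-bound

#
# scrub: normalise (reassemble fragments, etc.) every inbound packet
#
scrub in all

#
# nat/rdr
#
nat on $ext_if from $local_net to any -> ($ext_if)
nat on $vpn_if from $local_net to any -> ($vpn_if)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
# LAN FTP clients are handed to ftp-proxy(8) listening on 127.0.0.1:8021
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
# moving services to the boxes receiving them
# NOTE: SSH on $wall is exposed to every address on both uplinks. If that is
# not required, narrow "from any" here and in the matching pass rules, or
# add max-src-conn-rate / overload throttling (pf.conf(5)) against brute force.
rdr on $ext_if proto tcp from any to any port 22 -> $wall port 22
rdr on $vpn_if proto tcp from any to any port 22 -> $wall port 22
rdr on $vpn_if proto tcp from any to any port 443 -> $wall port 443
rdr on $vpn_if proto tcp from any to any port 25 -> $postfix port 25
# $server's SMTP to $postfix is rewritten to port 10025 (passed below)
rdr on $int_if proto tcp from $server to $postfix port 25 -> $postfix port 10025

#
# filter rules
#
# Default deny on both uplinks. There is deliberately no "block" for $int_if
# (nor for any tun/tap interface OpenVPN creates), so pf's implicit pass
# applies there; add one if the LAN side should be default-deny too.
block log on $ext_if all
block log on $vpn_if all
anchor "ftp-proxy/*"
pass quick on lo0 all
# Anti-spoofing on the uplinks: nothing arriving on $ext_if or $vpn_if may
# claim a loopback or $local_net source. This is the enforceable subset of the
# disabled $priv_nets rules below, which cannot be enabled as written because
# both uplink gateways are themselves RFC 1918 addresses. Scoped to the two
# uplinks on purpose so a VPN interface carrying LAN addresses is unaffected.
block drop in log quick on { $ext_if, $vpn_if } from { 127.0.0.0/8, $local_net } to any
# block drop in log quick on $ext_if from $priv_nets to any
# block drop out log quick on $ext_if from any to $priv_nets
# pass in inet proto icmp all icmp-type $icmp_types
pass in on $int_if from $int_if:network to any
pass out on $int_if from any to $int_if:network
# send all traffic from the server out vpn_if: these come after the generic
# $int_if pass so last-match-wins selects them; only SYNs create state
pass in log on $int_if route-to ($vpn_if $vpn_gw) proto tcp from $server to !$local_net flags S/SA modulate state
pass in log on $int_if route-to ($vpn_if $vpn_gw) proto { udp, icmp } from $server to !$local_net
# outbound on each uplink: everything not sourced from the *other* uplink's
# address. Traffic that must leave via the other uplink is caught by the
# quick route-to rules at the end of the file.
pass out log on $ext_if proto tcp from !$vpn_if to any modulate state flags S/SA
pass out log on $ext_if proto { udp, icmp } from !$vpn_if to any
pass out log on $vpn_if proto tcp from !$ext_if to any modulate state flags S/SA
pass out log on $vpn_if proto { udp, icmp } from !$ext_if to any

#
# site specific
# here we allow for the services defined above
#
# pf has kept state on pass rules by default since OpenBSD 4.1; "keep state"
# is spelled out on every rule here so they read alike and stay correct on
# older releases.
# NOTE(review): there is no rdr for port 443 on $ext_if, so of
# $wall_allowed_ports only 22 is actually reachable from that side.
pass in log on $ext_if inet proto tcp from any to $wall port $wall_allowed_ports flags S/SA keep state
pass in log on $vpn_if reply-to ($vpn_if $vpn_gw) inet proto tcp from any to $wall port $wall_allowed_ports flags S/SA keep state
pass in log on $vpn_if reply-to ($vpn_if $vpn_gw) inet proto tcp from any to $postfix port $postfix_allowed_ports flags S/SA keep state
pass in log on $int_if inet proto tcp from any to $postfix port $postfix_allowed_ports flags S/SA keep state

#
# OPENVPN
#
# Inbound OpenVPN on the second uplink; reply-to pins the replies to $vpn_gw.
# The outbound side is the quick route-to rule in the last section.
pass in log on $vpn_if reply-to ($vpn_if $vpn_gw) proto { tcp, udp } from any to any port 1194

#
# SSL Web Proxy
#
#pass out quick log on $ext_if route-to ($vpn_if $vpn_gw) inet proto tcp from $wall port 443 to any
#pass out quick log on $ext_if route-to ($vpn_if $vpn_gw) inet proto tcp from $wall port 1194 to any
#smtp rule
#pass out quick log on $ext_if route-to ($vpn_if $vpn_gw) proto tcp from $ext_if to any port 25 flags S/SA keep state

#
# handle both interfaces
#
# Replies for connections that arrived on one uplink must leave through that
# uplink's gateway rather than the default route: packets sourced from
# $vpn_if's address that would leave via $ext_if are pushed to $vpn_gw, and
# vice versa. "quick" makes these win over the generic pass out rules above.
pass out quick log on $ext_if route-to ($vpn_if $vpn_gw) from $vpn_if to any
pass out quick log on $vpn_if route-to ($ext_if $ext_gw) from $ext_if to any
# OpenVPN replies always leave $vpn_if via $vpn_gw
pass out quick log on $vpn_if route-to ($vpn_if $vpn_gw) proto { tcp, udp } from any port 1194 to any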