Untitled

#       $OpenBSD: pf.conf,v 1.37 2008/05/09 06:04:08 reyk Exp $
#
# See pf.conf(5) for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

# Macros: define common values, so they can be referenced and changed easily.
ext_if="sk0"    # replace with actual external interface name i.e., dc0
vpn_if="nfe0"
int_if="em0"    # replace with actual internal interface name i.e., dc1
vpn_gw="192.168.0.1"
ext_gw="192.168.10.1"

tcp_services    = "{ 22, 113 }"
icmp_types      = "echoreq"

priv_nets       = "{ 127.0.0.0/8, 192.168.1.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
local_net       = "192.168.6.0/24"

postfix = "192.168.0.2"
wall = "192.168.6.6"
server = "192.168.6.8"

wall_allowed_ports = "{ 22, 443 }"
postfix_allowed_ports = "{ 25, 10025 }"

#
# options
#
set block-policy drop
set loginterface $ext_if
#set state-policy if-bound

#
# scrub
#
scrub in all

#
# nat/rdr
#
nat on $ext_if from $local_net to any -> ($ext_if)
nat on $vpn_if from $local_net to any -> ($vpn_if)

nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

# moving services to the boxes receiving them
rdr on $ext_if proto tcp from any       to any  port 22         -> $wall        port 22
rdr on $vpn_if proto tcp from any       to any  port 22         -> $wall        port 22
rdr on $vpn_if proto tcp from any       to any  port 443        -> $wall        port 443
rdr on $vpn_if proto tcp from any       to any  port 25         -> $postfix     port 25
rdr on $int_if proto tcp from $server   to $postfix     port 25         -> $postfix     port 10025

#
# filter rules
#
block log on $ext_if all
block log on $vpn_if all

anchor "ftp-proxy/*"

pass quick on lo0 all

#   block drop in log quick on $ext_if from $priv_nets to any
#   block drop out log quick on $ext_if from any to $priv_nets

# pass in inet proto icmp all icmp-type $icmp_types

pass in on $int_if from $int_if:network to any
pass out on $int_if from any to $int_if:network

#send all traffic from the server out vpn_if
pass in log on $int_if route-to ($vpn_if $vpn_gw) proto tcp from $server to !$local_net flags S/SA modulate state
pass in log on $int_if route-to ($vpn_if $vpn_gw) proto { udp, icmp } from $server to !$local_net

pass out log on $ext_if proto tcp from !$vpn_if to any modulate state flags S/SA
pass out log on $ext_if proto { udp, icmp } from !$vpn_if to any

pass out log on $vpn_if proto tcp from !$ext_if to any modulate state flags S/SA
pass out log on $vpn_if proto { udp, icmp } from !$ext_if to any

#
# site specific
# here we allow for the services defined above
#
pass in log on $ext_if inet proto tcp from any to $wall port $wall_allowed_ports flags S/SA
pass in log on $vpn_if reply-to ($vpn_if $vpn_gw) inet proto tcp from any to $wall      port $wall_allowed_ports flags S/SA keep state

pass in log on $vpn_if reply-to ($vpn_if $vpn_gw) inet proto tcp from any to $postfix   port $postfix_allowed_ports flags S/SA keep state
pass in log on $int_if inet proto tcp from any to $postfix      port $postfix_allowed_ports flags S/SA keep state

#
# OPENVPN
#
pass in log on $vpn_if reply-to ($vpn_if $vpn_gw) proto { tcp, udp } from any to any port 1194
pass out log on $vpn_if route-to ($vpn_if $vpn_gw) proto { tcp, udp } from any port 1194 to any

#
# SSL Web Proxy
#
#pass out quick log on $ext_if route-to ($vpn_if $vpn_gw) inet proto tcp from $wall port 443 to any
#pass out quick log on $ext_if route-to ($vpn_if $vpn_gw) inet proto tcp from $wall port 1194 to any

#smtp rule
#pass out quick log on $ext_if route-to ($vpn_if $vpn_gw) proto tcp from $ext_if to any port 25 flags S/SA keep state

#
# handle both interfaces
#
pass out quick log on $ext_if route-to ($vpn_if $vpn_gw) from $vpn_if to any
pass out quick log on $vpn_if route-to ($ext_if $ext_gw) from $ext_if to any
pass out quick log on $vpn_if route-to ($vpn_if $vpn_gw) proto { tcp, udp } from any port 1194 to any