# http://draft.scyphus.co.jp/freebsd/nat.html
#
# FreeBSD pf.conf for a small NAT gateway: re1 faces the Internet and
# re0 faces the 192.168.2.0/24 LAN.  Sections in order: macros, tables,
# scrub (normalization), NAT/redirection, filter rules.
#
# pf evaluation reminders that matter for reading the rules below:
#   - filter rules are evaluated top to bottom and the LAST matching rule
#     wins, unless a rule carries "quick", which stops evaluation at once;
#   - nat/rdr translation is applied BEFORE filtering, so the filter rules
#     see the already-translated addresses and ports;
#   - for nat/rdr the FIRST matching translation rule is the one applied.
##### COMMANDS #####
#
# tcpdump -netttr /var/log/pflog View the logfile
# tcpdump -nettti pflog0 Tail the logfile (realtime)
#
# pfctl -e Enable pf
# pfctl -d Disable pf
#
# pfctl -f /etc/pf.conf Load the pf.conf file
# pfctl -nf /etc/pf.conf Parse the file, but don't load it
# pfctl -F all Flush all rules
# pfctl -Nf /etc/pf.conf Load only the NAT rules from the file
# pfctl -Rf /etc/pf.conf Reload only filter rules from the file
# pfctl -Fa -f /etc/pf.conf Reload everything
#
# pfctl -sn Show current NAT rules
# pfctl -sr Show current filter rules
# pfctl -ss Show current state table
# pfctl -si Show filter stats and counters
# pfctl -sa Show everything
#
# Note: Pipe the Show filter rules command to less -N for line numbers.
# This helps match up entries in the pflog to the actual rule.
## Options ###
### Macros ###
ext_if = "re1" # External network interface for IPv4
ext_if6 = "re1" # External network interface for IPv6 (same physical NIC)
ext_addr = "NN.NN.NN.NN" # External IPv4 address (i.e., global); placeholder, fill in before loading
int_if = "re0" # Internal network interface for IPv4
int_if6 = "re0" # Internal network interface for IPv6 (same physical NIC; not referenced below)
int_addr = "192.168.2.254" # Internal IPv4 address (i.e., gateway for private network)
int_network = "192.168.2.0/24" # Internal IPv4 network
WinSvr2008 = "192.168.2.2" # LAN host that receives the RDP forward below
### Tables ###
# Host local address
# NOTE(review): <local> is defined but not referenced by any rule below.
table <local> const { 127.0.0.1 }
# IPv4 private address ranges (used to exempt LAN-to-LAN traffic from NAT)
table <private> const { 10/8, 172.16/12, 192.168/16 }
# Special-use IPv4 addresses defined in RFC3330
# NOTE(review): <special> is defined but not referenced by any rule below,
# so no bogon/anti-spoof filtering actually happens.  RFC 3330 has since
# been obsoleted and several of the blocks listed here were later allocated
# for ordinary use; verify the list against a current source before wiring
# it into a block rule.
table <special> const { 0/8, 14/8, 24/8, 39/8, 127/8, 128.0/16, 169.254/16, 192.0.0/24, 192.0.2/24, 192.88.99/24, 198.18/15, 240/4 }
# Block P2P
# http://www.benhup.com/?mf=freebsd&sf=freebsd8.2-p9_04_peerblock
# Address list is loaded from the file at rule-load time; "persist" keeps
# the table even if no rule references it.
table <block_p2p> persist file "/etc/pf/block-p2p.pf"
# LIMITS
# Raise pf memory-pool caps.  table-entries presumably has to cover the
# size of the p2p block list loaded above -- confirm against that file.
set limit { frags 30000, states 100000, table-entries 300000 }
### Scrub: Packet normalization ###
# Scrub for all incoming packets
scrub in all
# Randomize the ID field for all outgoing packets
scrub out all random-id
# If you have MTU problem or something like that
#scrub out all random-id max-mss 1400
### NAT ###
#RDP to WinSvr2008
# NOTE(review): "from any" forwards TCP/3389 from every Internet source to
# the Windows host, and nothing in the filter section blocks it (the
# catch-all "pass in all" at the bottom admits it).  If RDP is not meant to
# be publicly reachable, restrict "from" to the management addresses that
# need it, or require the VPN first.
rdr on $ext_if proto tcp from any to any port 3389 -> $WinSvr2008
# Redirect direct/local web traffic to local web server.
# NOTE(review): translating 192.168.2.254:80/443 to the same address and
# port is a no-op; this looks intended to match ahead of the transparent
# proxy rdr below (first matching rdr wins) so the gateway's own web
# traffic is not sent to Squid -- confirm.
rdr on $int_if proto tcp from 192.168.2.254/32 to 192.168.2.254/32 port 80 -> 192.168.2.254 port 80
rdr on $int_if proto tcp from 192.168.2.254/32 to 192.168.2.254/32 port 443 -> 192.168.2.254 port 443
# Squid Transparent Proxy
# refer http://www.benzedrine.cx/tranint_addr.html
# All LAN HTTP is diverted to a proxy listening on the gateway (port 13128
# is presumably Squid's intercept port -- verify against squid.conf).
rdr on $int_if proto tcp from $int_network to any port 80 -> $int_addr port 13128
#rdr on $int_if proto tcp from $int_network to any port 443 -> $int_addr port 13129
# SMTP redirection
# LAN mail submission on 25 is diverted to a local service on 587; POP3
# (110) is diverted to the gateway itself.
rdr on $int_if proto tcp from $int_network to any port 25 -> $int_addr port 587
rdr on $int_if proto tcp from $int_network to any port 110 -> $int_addr port 110
# Let all other stuff go out
# Source-NAT LAN traffic to the external address; destinations inside
# <private> are left untranslated.
nat on $ext_if from $int_network to ! <private> -> $ext_addr
### Filters ###
# P2P Blocking
# Matches packets whose destination is in the table, on any interface, and
# logs them.  Nothing here matches packets that ARRIVE FROM those hosts.
block log quick from any to <block_p2p> label "Attempted p2p-sniffer traffic"
# Permit keep-state packets for UDP and TCP on external interfaces
# TCP rules only create state on an initial SYN (flags S/SA) and modulate
# the ISN; return traffic is admitted by the state entry.
pass out quick on $ext_if proto udp all keep state
pass out quick on $ext_if6 proto udp all keep state
pass out quick on $ext_if proto tcp all modulate state flags S/SA
pass out quick on $ext_if6 proto tcp all modulate state flags S/SA
# Permit any packets from internal network to this host
pass in quick on $int_if inet from $int_network to $int_addr
# Permit established sessions from internal network to any (incl. the Internet)
pass in quick on $int_if inet from $int_network to any keep state
# If you want to limit the number of sessions per NAT, nodes per NAT (simultaneously), and sessions per source IP
# Please refer to <http://www.openbsd.org/faq/pf/filter.html> for greater detailed information
#pass in quick on $int_if inet from $int_network to any keep state (max 30000, source-track rule, max-src-nodes 100, max-src-states 500 )
# Permit and log all packets from clients in private network through NAT
# Catches whatever the two rules above did not (e.g. non-inet traffic on
# the LAN side) and writes each matching packet to pflog.
pass in quick log on $int_if all
# Pass any other packets
# NOTE(review): these two rules have no "quick" and there is no "block"
# rule anywhere above them, so they are the effective catch-all: any packet
# not matched earlier -- including unsolicited inbound traffic on $ext_if --
# is permitted, and the external interface is default-permit.  A
# default-deny posture would put "block in log on $ext_if all" ahead of
# the pass rules and list the inbound services explicitly.
pass in all
pass out all