Here is an excerpt from a pf.conf I have doing exactly what you're asking. Use
this as a base. You will need to add more and adjust some to your setup,
bittorrent_tcp_ports is obviously not defined here. And some of the options
for the rules may not really be needed, but they remained after I set it up
and have not tried to remove them yet. Just remember that for incoming
traffic you do allow on a given interface, you need a "
reply-to ($dsl_X_if $dsl_X_gw) " after the interface name to let the traffic
go back out the way it came and not the boxes default gateway.
scrub in on {$dsl_1_if, $dsl_2_if} all fragment reassemble
scrub out on {$dsl_1_if, $dsl_2_if} all random-id fragment reassemble
block in on $int_if from any to any
block out on $int_if from any to any
block in on $dsl_1_if from any to any
block out on $dsl_1_if from any to any
block in on $dsl_2_if from any to any
block out on $dsl_2_if from any to any
pass in quick on $int_if from $lan_net to $int_if
pass in quick on $int_if from $lan_net to lo0
pass in on $int_if route-to { ($dsl_1_if $dsl_1_gw) } proto tcp from {
$users } to any port $bittorrent_tcp_ports flags S/SA modulate state
pass in on $int_if route-to { ($dsl_2_if $dsl_2_gw) } proto tcp from {
$users } to any flags S/SA modulate state
pass out on $dsl_1_if proto tcp from any to any flags S/SA modulate state
pass out on $dsl_1_if proto { udp, icmp } from any to any keep state
pass out on $dsl_2_if proto tcp from any to any flags S/SA modulate state
pass out on $dsl_2_if proto { udp, icmp } from any to any keep state
-----------
On Thursday 27 March 2008 09:30:31 am Jon wrote:
