2008/7/15 Henning Brauer :
> * Xavier Millihs-Lacroix [2008-07-15 14:15]:
Do you think my pf.conf is correct ?
Xavier.
# macros
ext_if="pppoe0"
int_if="vr1"
tcp_services="{ 22, 113 }"
icmp_types="echoreq"
comp3="192.168.1.2"
# options
set block-policy return
set loginterface $ext_if
set skip on lo
# scrub
scrub in
# nat/rdr
nat on $ext_if from !($ext_if) -> ($ext_if:0)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
rdr on $ext_if proto tcp from any to any port 80 -> $comp3
# filter rules
block in
pass out keep state
anchor "ftp-proxy/*"
antispoof quick for { lo $int_if }
pass in on $ext_if inet proto tcp from any to ($ext_if) \
port $tcp_services flags S/SA keep state
pass in on $ext_if inet proto tcp from any to $comp3 port 80 \
flags S/SA synproxy state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in quick on $int_if
/etc/pf.conf
# macros
ext_if="pppoe0"
int_if="vr1"
tcp_services="{ 22, 113, 443 }"
icmp_types="echoreq"
srvexchange="192.168.1.2"
tcp_srvexchange="{ 25, 110, 1024 }"
srvfiles="192.168.1.10"
tcp_srvfiles="{ 873, 3389 }"
# options
set block-policy return
set loginterface $ext_if
set skip on lo
# scrub
scrub in
# nat/rdr
nat on $ext_if from !($ext_if) -> ($ext_if:0)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
rdr on $ext_if proto tcp from any to any port $tcp_srvfiles -> $srvfiles
rdr on $ext_if proto tcp from any to any port $tcp_srvexchange ->
$srvexchange
# filter rules
block in
pass out keep state
anchor "ftp-proxy/*"
antispoof quick for { lo $int_if }
pass in on $ext_if inet proto tcp from any to ($ext_if) \
port $tcp_services flags S/SA keep state
pass in on $ext_if inet proto tcp from any to $srvfiles port $tcp_srvfiles \
flags S/SA synproxy state
pass in on $ext_if inet proto tcp from any to $srvexchange port
$tcp_srvexchange \
flags S/SA synproxy state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in quick on $int_if
