# $FreeBSD: releng/10.2/share/examples/pf/faq-example1 237681 2012-06-28 03:30:17Z rpaulo $
# $OpenBSD: faq-example1,v 1.5 2006/10/07 04:48:01 mcbride Exp $

#
# Firewall for Home or Small Office
# http://www.openbsd.org/faq/pf/example1.html
#
# Teaching example: a two-interface gateway that NATs a trusted LAN,
# forwards inbound web traffic to one internal host, and proxies LAN
# FTP through ftp-proxy(8). pf evaluates rules top to bottom and the
# LAST matching rule wins unless a rule says "quick", so the order of
# the filter section below is significant.
#


# macros
# Interface names are placeholders from the original example; set them
# to the real external (Internet-facing) and internal (LAN) interfaces.
ext_if="fxp0"
int_if="xl0"

# TCP ports on the firewall itself reachable from the Internet:
# 22 = ssh, 113 = ident. 113 is presumably kept so remote services that
# probe ident get an immediate answer rather than a timeout -- confirm
# it is still needed before exposing it.
tcp_services="{ 22, 113 }"
# Only ICMP echo requests (ping) are admitted; see the icmp rule below.
icmp_types="echoreq"

# Internal host that receives the redirected port-80 traffic.
comp3="192.168.0.3"

# options
# "return" answers blocked TCP with RST and other blocked traffic with an
# ICMP unreachable, which is friendlier to LAN clients but also tells an
# outside scanner that a filter is present. "drop" is the quieter choice
# if that matters more than fast failure for the LAN.
set block-policy return
# Collect per-interface counters (pfctl -s info) for the external side.
set loginterface $ext_if

# Do not filter loopback traffic at all.
set skip on lo

# scrub
# Normalise inbound packets (fragment reassembly, sanity checks) before
# they reach the filter rules.
scrub in

# nat/rdr
# Translate everything leaving $ext_if that is not already sourced from
# the firewall's own address to the first address on $ext_if. The
# parentheses make pf track the address if it changes (e.g. DHCP).
nat on $ext_if inet from !($ext_if) -> ($ext_if:0)
# ftp-proxy(8) installs its per-session nat/rdr rules into these anchors;
# the FTP handling below only works while that daemon is running.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Send LAN FTP control connections to the local ftp-proxy listener.
# "rdr pass" passes the redirected packets without consulting the
# filter rules further down.
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
# Inbound web traffic is redirected to $comp3; unlike the rule above this
# is a plain rdr, so it still needs the matching "pass in" rule below.
rdr on $ext_if proto tcp from any to any port 80 -> $comp3

# filter rules
# Default deny for all inbound traffic on every interface; the pass rules
# that follow punch specific holes.
block in

# All traffic originating from the firewall (and forwarded traffic
# leaving it) is allowed; state is kept by default so replies return.
pass out

# Filter rules inserted by ftp-proxy(8) for active/passive data channels.
anchor "ftp-proxy/*"
# Drop packets arriving on the wrong interface with a source address that
# belongs to lo or the $int_if network. "quick" so nothing later can
# override it.
antispoof quick for { lo $int_if }

# ssh and ident on the firewall itself, open to any source address.
# NOTE(review): ssh is reachable from the whole Internet with no source
# restriction and no connection-rate limit; consider narrowing the source
# or adding pf's stateful tracking options (max-src-conn-rate with an
# overload table) if the box sees brute-force attempts.
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services

# Companion to the port-80 rdr above. "synproxy state" makes pf complete
# the TCP handshake with the client before opening the connection to
# $comp3, so half-open SYN floods never reach the internal web server.
pass in on $ext_if inet proto tcp from any to $comp3 port 80 \
    synproxy state

# No "on" clause: ping is answered on every interface, external included.
pass in inet proto icmp all icmp-type $icmp_types

# The LAN is fully trusted: any traffic on $int_if passes, in both
# directions, without state tracking. "quick" ends evaluation here, and
# this also means LAN hosts are not filtered when talking to the firewall
# itself.
pass quick on $int_if no state
52