# $FreeBSD: head/share/examples/pf/faq-example1 135184 2004-09-14 01:07:19Z mlaier $
# $OpenBSD: faq-example1,v 1.2 2003/08/06 16:04:45 henning Exp $

#
# Firewall for Home or Small Office
# http://www.openbsd.org/faq/pf/example1.html
#
# NAT gateway with two interfaces: $int_if faces the trusted LAN, $ext_if
# faces the Internet.  The default policy is "block all"; everything that is
# permitted is listed explicitly below.  pf evaluates filter rules
# last-match-wins except where a rule says "quick", so rule ORDER matters --
# do not reorder rules without re-checking the resulting policy.
#

# macros
# Interface names are host-specific; adjust to the local hardware.
int_if = "fxp0"
ext_if = "ep0"

# TCP ports the firewall itself accepts FROM THE INTERNET: 22 (ssh) and
# 113 (ident).  Both are reachable from any source address (see the
# "pass in on $ext_if" rule below).  If this box is not meant to be
# administered from arbitrary Internet hosts, restrict the source address
# in that rule and/or harden sshd (key-only auth); 113 can be dropped if
# no service here needs ident lookups to succeed.
tcp_services = "{ 22, 113 }"
# ICMP types accepted inbound: echo request only (the box answers ping).
icmp_types = "echoreq"

# Address ranges that must never appear on the external interface:
# loopback plus the RFC 1918 private blocks.  Used by the anti-spoofing
# rules below.
# NOTE(review): 0.0.0.0/8, 169.254.0.0/16 (link-local), 100.64.0.0/10
# (RFC 6598 shared address space) and multicast are not covered.  Also,
# if the upstream modem/gateway is itself on a private address (e.g.
# 192.168.x.x), the "block drop ... quick" rules below will cut this host
# off from it -- confirm the ISP-side addressing before deploying.
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

# options
# "return" answers blocked packets with a TCP RST or ICMP unreachable
# instead of silently dropping them.  Friendlier to local clients, but it
# reveals the presence (and policy) of the firewall to scanners on the
# Internet side.  The anti-spoof rules below override it with an explicit
# "drop" for that traffic.
set block-policy return
# Interface whose packet/byte counters pf reports (pfctl -s info).
set loginterface $ext_if

# scrub
# Normalize all inbound packets (fragment reassembly etc.) before they
# reach the filter rules, so rules see whole, sanitized packets.
scrub in all

# nat/rdr
# Hide the LAN behind the external interface's address.  The parentheses
# in ($ext_if) make pf look the address up at runtime, so this keeps
# working when the external address is assigned dynamically.
nat on $ext_if from $int_if:network to any -> ($ext_if)
# Redirect outbound FTP control connections from the LAN to a proxy on the
# firewall's loopback, port 8021 -- presumably ftp-proxy(8) as in the
# linked FAQ; it must actually be listening there (e.g. started by inetd)
# or LAN FTP sessions will simply fail.  The proxy's own connections to
# the Internet are then covered by the "pass out on $ext_if" rules below.
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 \
	port 8021

# filter rules
# Default deny: every packet on every interface, in both directions, is
# blocked unless a later rule passes it.
block all

# Loopback traffic is unrestricted (this is also what lets the redirected
# FTP connections above reach 127.0.0.1:8021).
pass quick on lo0 all

# Anti-spoofing: silently drop packets on the external interface that claim
# to come from, or are addressed to, private/loopback space.  "quick" stops
# evaluation here so no later "pass" rule can re-admit them, and "drop"
# overrides "set block-policy return" so spoofers get no reply.
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

# Services the firewall itself offers to the Internet: IPv4 TCP to the
# external address on $tcp_services (22, 113), from any source.  Only a
# clean SYN (flags S/SA) may create state; the rest of the connection is
# then matched by the state table.
pass in on $ext_if inet proto tcp from any to ($ext_if) \
	port $tcp_services flags S/SA keep state

# Answer ICMP echo requests on EVERY interface (no "on" clause), i.e. the
# box is pingable from the Internet.  Add "on $int_if" here to stay quiet
# to external ping sweeps.
pass in inet proto icmp all icmp-type $icmp_types keep state

# LAN side: anything sourced from the LAN network may go anywhere --
# including to the firewall itself, since the destination is "any" --
# and anything may be sent back toward the LAN.  There is no egress
# filtering of LAN hosts in this example.
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

# Internet side: all outbound TCP (new connections only, flags S/SA), UDP
# and ICMP is allowed and tracked; replies come back via the state table,
# so no explicit "pass in" is needed for them.  "modulate state" rewrites
# the initial sequence numbers of outbound TCP connections so LAN hosts
# with predictable ISNs are harder to spoof from outside.
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state