
Last change on this file since 10523 was 10418, checked in by rick, 13 years ago

Some sample firewall configurations.

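# pf.conf sample for the nanobsd image: a NAT/proxy node between a local
# network ($private, attached via $ext_if) and the wireless network
# ($wl_net, attached via $int_if).
#
# NOTE(review): $ext_if, $int_if and $publicnat are referenced below but
# never defined in this file.  pfctl refuses to load the ruleset unless they
# are defined before this point (presumably by the nanobsd build or an
# included file) -- confirm where they come from.

all_node="172.31.255.1/32"
wl_net="172.16.0.0/12"

# Services on the router's own address reachable from the $ext_if side.
# NOTE(review): both are open to *any* source.  SSH is at least
# authenticated; SNMP (161) as v1/v2c is community-string only, so consider
# restricting its source to known management hosts.
allow_ext_tcp="{22}"
allow_ext_udp="{161}"

# Services on the router's own address reachable from $wl_net.
allow_int_tcp="{22,3128}"
allow_int_udp="{53,161,12345}"
# UDP ports reachable on $int_if from any source (DHCP server, 67).  Used by
# the "from any" rule below; DHCP requests come from 0.0.0.0/broadcast and
# would not match the $wl_net -> $int_if rules.
allow_int_udp_any="{67}"

private="{ 10.0.0.0/8 , 192.168.0.0/16 }"

# Nat the internet: only $wl_net traffic to the $publicnat ports is
# translated (no proto given, so the port match applies to tcp and udp).
nat on $ext_if from $wl_net to any port $publicnat -> ($ext_if)

# Nat local wl access
nat on $int_if from $private to $wl_net -> ($int_if)

# Redirection, needs source natting and allow rules
#rdr on $ext_if inet proto tcp from any to $ext_if port 1022 -> 192.168.84.1 port 22

# Localhost is considered safe
pass quick on lo0 all

# lvrouted needs traffic on $int_if that the explicit allow rules below do
# not cover.  pf is last-match-wins, so this broad pass MUST stay *before*
# the block rules on $int_if: as the last rule of the file (where it used to
# be) it re-opened everything those blocks deny -- every port on the router
# from $wl_net, the $publicnat ports on the router, and $wl_net -> $private.
# If lvrouted needs further ports on the router's own address, add them to
# $allow_int_udp instead of moving this rule down again.
pass in on $int_if

# Block traffic to the router's own addresses; the allow rules below re-open
# what is needed.
# NOTE(review): pf's default policy is pass, and these rules only match
# packets addressed *to* the interfaces, not forwarded traffic.  If this box
# must also act as a default-deny router, add "block in all" here -- but
# check the forwarding paths ($private <-> internet via $ext_if etc.) first.
block in on $ext_if from any to $ext_if
block in on $int_if from any to $int_if

# Enable me to access anything
pass out on {$ext_if, $int_if} keep state

# Allow internet access from the network (tcp to the $publicnat ports only,
# matching the nat rule above) ...
pass in on $int_if inet proto tcp from $wl_net to any port $publicnat keep state
# ... but not to those ports on the router itself.
block in on $int_if inet proto tcp from $wl_net to $int_if port $publicnat

# Allow directives
pass in on $ext_if inet proto tcp from any to $ext_if port $allow_ext_tcp keep state
pass in on $ext_if inet proto udp from any to $ext_if port $allow_ext_udp keep state

pass in on $int_if inet proto tcp from $wl_net to $int_if port $allow_int_tcp keep state
pass in on $int_if inet proto udp from $wl_net to $int_if port $allow_int_udp keep state
pass in on $int_if inet proto icmp from $wl_net to $int_if keep state
# DHCP: clients send from 0.0.0.0 to broadcast, renewals unicast to the
# router's address on 67; neither matches the $wl_net rules above, and the
# block rule would otherwise drop the unicast case.
pass in on $int_if inet proto udp from any to any port $allow_int_udp_any keep state

# Allow wl access from local network
pass on $ext_if from $private to $wl_net keep state

# Make sure to block local network access from wl.  Last rule on this path,
# so it wins over the broad "pass in on $int_if" above.
block on $int_if from $wl_net to $private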