# $OpenBSD: faq-example1,v 1.3 2005/07/02 16:16:39 joel Exp $
# $DragonFly: src/share/examples/pf/faq-example1,v 1.1 2005/12/13 01:58:27 corecode Exp $

#
# Firewall for Home or Small Office
# http://www.openbsd.org/faq/pf/example1.html
#
# pf.conf(5) ruleset: an internal LAN on $int_if is NATed out $ext_if,
# inbound web traffic is redirected to one internal host, and FTP is
# handled through a local proxy.  Reading order matters: pf evaluates
# filter rules top to bottom and the LAST matching rule wins, except
# that a rule marked "quick" stops evaluation immediately.
#


# macros
# internal (LAN) and external (Internet-facing) interfaces
int_if = "fxp0"
ext_if = "ep0"

# TCP ports accepted from the Internet on the firewall itself:
# 22 (ssh) and 113 (ident)
tcp_services = "{ 22, 113 }"
# ICMP types accepted inbound (echo request, i.e. ping)
icmp_types = "echoreq"

# loopback plus the RFC 1918 private ranges; these must never appear
# as source or destination on the external interface
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

# internal host that receives redirected inbound web (port 80) traffic
comp3 = "192.168.0.3"

# options
# blocked packets get a TCP RST / ICMP unreachable instead of being
# silently dropped; individual "block drop" rules below override this
set block-policy return
# interface for which pfctl -s info counters are kept
set loginterface $ext_if

# scrub
# normalise all incoming packets (fragment reassembly, etc.) before filtering
scrub in all

# nat/rdr
# masquerade the LAN behind the external address; the parentheses make
# pf re-read the interface address at run time, so a changing (e.g.
# DHCP-assigned) address is tracked without reloading
nat on $ext_if from $int_if:network to any -> ($ext_if)
# LAN clients' FTP control connections are diverted to a local proxy on
# port 8021 (presumably ftp-proxy(8); it must be running for FTP to work)
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 \
   port 8021
# inbound web traffic from the Internet is forwarded to $comp3; this
# exposes that host's port 80 directly to the Internet
rdr on $ext_if proto tcp from any to any port 80 -> $comp3

# filter rules
# default deny, both directions, all interfaces
block all

# loopback traffic is always allowed; "quick" so nothing below can override it
pass quick on lo0 all

# anti-spoofing: private/loopback addresses have no business on the
# external interface in either direction.  "drop" overrides the global
# return policy so these packets are silently discarded.  Note that none
# of the block rules in this file log, so blocked traffic is not visible
# in pflog.
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

# services offered by the firewall itself.  "flags S/SA" means only an
# initial SYN (SYN set, ACK clear) may create state.
pass in on $ext_if inet proto tcp from any to ($ext_if) \
   port $tcp_services flags S/SA keep state

# redirected web traffic to the internal server.  With "synproxy state"
# pf completes the TCP handshake itself and only then opens a connection
# to $comp3, so half-open connections never reach the internal host.
pass in on $ext_if proto tcp from any to $comp3 port 80 \
   flags S/SA synproxy state

# connections from remote port 20 (ftp-data) to the firewall, but only
# to sockets owned by the "proxy" user; this is what lets the FTP proxy
# accept active-mode data connections.  Without the "user proxy"
# qualifier this rule would admit arbitrary traffic sourced from port 20.
pass in on $ext_if inet proto tcp from port 20 to ($ext_if) \
   user proxy flags S/SA keep state

# echo requests are accepted on every interface (no "on" clause), i.e.
# the firewall answers ping from the Internet as well as from the LAN
pass in inet proto icmp all icmp-type $icmp_types keep state

# the LAN may reach anywhere; replies and traffic into the LAN on the
# internal interface are allowed
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

# outbound traffic from the firewall/LAN: TCP with randomised initial
# sequence numbers ("modulate state"), UDP and ICMP stateful
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state