author | Henning Brauer <henning@cvs.openbsd.org> | 2003-08-02 18:25:50 +0000 |
---|---|---|
committer | Henning Brauer <henning@cvs.openbsd.org> | 2003-08-02 18:25:50 +0000 |
commit | c8867648ec49f4558a75ba1eff8fb06bc25634aa (patch) | |
tree | 4e03edbc0af297a6f6b06e7d243f00ff7a17d874 /share/pf/faq-example1 | |
parent | ffc99684c0709952d045000608c9d9b644baba91 (diff) |
example rulesets from the pf FAQ; provided by Joel Knight
Diffstat (limited to 'share/pf/faq-example1')
-rw-r--r-- | share/pf/faq-example1 | 46 |
1 files changed, 46 insertions, 0 deletions
diff --git a/share/pf/faq-example1 b/share/pf/faq-example1
new file mode 100644
index 00000000000..8e50f998278
--- /dev/null
+++ b/share/pf/faq-example1
@@ -0,0 +1,46 @@
+# $OpenBSD: faq-example1,v 1.1 2003/08/02 18:25:49 henning Exp $
+
+#
+# Firewall for Home or Small Office
+#
+
+
+# macros
+int_if = "fxp0"
+ext_if = "ep0"
+
+tcp_services = "{ 22, 113 }"
+icmp_types = "echoreq"
+
+priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
+
+# options
+set block-policy return
+set loginterface $ext_if
+
+# scrub
+scrub in all
+
+# nat/rdr
+nat on $ext_if from $int_if:network to any -> ($ext_if)
+rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 \
+ port 8021
+
+# filter rules
+block all
+
+pass quick on lo0 all
+
+block drop in quick on $ext_if from $priv_nets to any
+block drop out quick on $ext_if from any to $priv_nets
+
+pass in on $ext_if inet proto tcp from any to ($ext_if) \
+ port $tcp_services flags S/SA keep state
+
+pass in inet proto icmp all icmp-type $icmp_types keep state
+
+pass in on $int_if from $int_if:network to any keep state
+pass out on $int_if from any to $int_if:network keep state
+
+pass out on $ext_if proto tcp all modulate state flags S/SA
+pass out on $ext_if proto { udp, icmp } all keep state |
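Review bot: The `rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021` rule under `# nat/rdr` depends on a proxy already listening on 127.0.0.1:8021 (presumably ftp-proxy(8) started from inetd), but the file says nothing about that prerequisite; without the listener every LAN FTP connection is redirected into a closed port and, with `set block-policy return`, answered with a reset. I would add a comment above the rule, `# FTP connections from the LAN are redirected to the ftp-proxy on 127.0.0.1:8021 — the proxy must be enabled (e.g. in inetd.conf) or FTP will fail`. Similarly, `pass in inet proto icmp all icmp-type $icmp_types keep state` is not bound to an interface, so echo requests are accepted from the Internet side as well as the LAN; a one-line comment stating that this is deliberate (the FAQ's "answer pings from anywhere" behaviour) would stop readers from assuming it is an oversight, and anyone wanting a quieter external interface can scope it with `on $int_if`.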