author | Jasper Lievisse Adriaanse <jasper@cvs.openbsd.org> | 2006-06-16 17:27:00 +0000 |
committer | Jasper Lievisse Adriaanse <jasper@cvs.openbsd.org> | 2006-06-16 17:27:00 +0000 |
commit | d0bfa2732d8b7c0f06780686332868dddb40a596 (patch) | |
tree | 0f6d613ea8da633e267dcd15a7b4698e46ca610a /share/pf/faq-example1 | |
parent | 47b0dde92e88bee8d90987960739c6aac57f4fef (diff) |
sync with faq;
yayayaya henning@
Diffstat (limited to 'share/pf/faq-example1')
-rw-r--r-- | share/pf/faq-example1 | 47 |
1 files changed, 21 insertions, 26 deletions
diff --git a/share/pf/faq-example1 b/share/pf/faq-example1
index 25e80a65fa8..a105fdb9623 100644
--- a/share/pf/faq-example1
+++ b/share/pf/faq-example1
@@ -1,4 +1,4 @@
-# $OpenBSD: faq-example1,v 1.3 2005/07/02 16:16:39 joel Exp $
+# $OpenBSD: faq-example1,v 1.4 2006/06/16 17:26:59 jasper Exp $
 #
 # Firewall for Home or Small Office 
@@ -7,50 +7,45 @@
 # macros
-int_if = "fxp0"
-ext_if = "ep0"
+ext_if="fxp0"
+int_if="xl0"
-tcp_services = "{ 22, 113 }"
-icmp_types = "echoreq"
+tcp_services="{ 22, 113 }"
+icmp_types="echoreq"
-priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
-
-comp3 = "192.168.0.3"
+comp3="192.168.0.3"
 # options
 set block-policy return
 set loginterface $ext_if
+set skip on lo
+
 # scrub
-scrub in all
+scrub in
 # nat/rdr
-nat on $ext_if from $int_if:network to any -> ($ext_if)
-rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 \
- port 8021
+nat on $ext_if from !($ext_if) -> ($ext_if:0)
+nat-anchor "ftp-proxy/*"
+rdr-anchor "ftp-proxy/*"
+
+rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
 rdr on $ext_if proto tcp from any to any port 80 -> $comp3
 # filter rules
-block all
+block in
-pass quick on lo0 all
+pass out keep state
-block drop in quick on $ext_if from $priv_nets to any
-block drop out quick on $ext_if from any to $priv_nets
+anchor "ftp-proxy/*"
+antispoof quick for { lo $int_if }
 pass in on $ext_if inet proto tcp from any to ($ext_if) \
 port $tcp_services flags S/SA keep state
-pass in on $ext_if proto tcp from any to $comp3 port 80 \
- flags S/SA synproxy state
-
-pass in on $ext_if inet proto tcp from port 20 to ($ext_if) \
- user proxy flags S/SA keep state
+pass in on $ext_if inet proto tcp from any to $comp3 port 80 \
+ flags S/SA synproxy state
 pass in inet proto icmp all icmp-type $icmp_types keep state
-pass in on $int_if from $int_if:network to any keep state
-pass out on $int_if from any to $int_if:network keep state
-
-pass out on $ext_if proto tcp all modulate state flags S/SA
-pass out on $ext_if proto { udp, icmp } all keep state
+pass quick on $int_if
|
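Review bot: The closing rule `pass quick on $int_if` passes traffic on the internal interface in both directions with no source qualifier and, in a ruleset that still spells out `keep state` on its other pass rules, with no state tracking, whereas the removed `pass in on $int_if from $int_if:network to any keep state` carried both. As far as I recall, the added `antispoof quick for { lo $int_if }` only rejects the interface's own addresses and its network arriving on other interfaces, so a packet arriving on $int_if with an unrelated spoofed source would still be passed by this rule and then NATed out by the new `nat on $ext_if from !($ext_if)` line; if fully trusting the LAN is the intended FAQ simplification, a comment above the rule saying so would help, for example `# internal network is fully trusted; restrict with from $int_if:network and keep state if it is not`. Separately, the `lo` entry in the antispoof list looks redundant after the new `set skip on lo`, since skipped interfaces are not filtered at all.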