src/etc/pf.conf - diff

Return to pf.conf CVS log

Up to [local] / src / etc

Diff for /src/etc/pf.conf between version 1.16 and 1.17

version 1.16, 2003/02/14 00:34:14

version 1.17, 2003/02/28 00:34:13

Line 1

# $OpenBSD$

# See pf.conf(5) and /usr/share/pf for syntax and examples.

# General order: options, scrub rules, translation rules, and filter rules.

# Required order: options, normalization, queueing, translation, filtering.

# Macros and tables may be defined and used anywhere.

# Note that translation rules are first match while filter rules are last match.

# Macros: define common values, so they can be referenced and changed easily.

ext_if="ext0" # replace with actual external interface name i.e., dc0

#ext_if="ext0" # replace with actual external interface name i.e., dc0

internal_net="10.1.1.1/8"

#internal_net="10.1.1.1/8"

external_addr="192.168.1.1"

#external_addr="192.168.1.1"

# Tables: similar to macros, but more flexible for many addresses.

#table <foo> { 10.0.0.0/8, !10.1.0.0/16, 192.168.0.0/24, 192.168.1.18 }

# Options: tune the behavior of pf, default values are given.

#set timeout { interval 30, frag 10 }

#set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }

Line 22

Line 26

#set block-policy drop

#set require-order yes

# Normalize: reassemble fragments and resolve or reduce traffic ambiguities.

# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.

#scrub in all

# Queueing: rule-based bandwidth control.

#altq on $ext_if bandwidth 2Mb cbq queue { dflt, developers, marketing }

#queue dflt bandwidth 5% cbq(default)

#queue developers bandwidth 80%

#queue marketing bandwidth 15%

# Translation: specify how addresses are to be mapped or redirected.

# nat: packets going out through $ext_if with source address $internal_net will

# get translated as coming from the address of $ext_if, a state is created for

# such packets, and incoming packets will be redirected to the internal address.

Line 35

Line 46

# outgoing packets will be translated as coming from the external address.

#rdr on $ext_if proto tcp from any to $external_addr/32 port 1234 -> 10.1.1.1 port 5678

# spamd-setup puts addresses to be redirected into table <spamd>

# spamd-setup puts addresses to be redirected into table <spamd>.

#table <spamd> persist

#no rdr on { lo0, lo1 } from any to any

#rdr inet proto tcp from { <spamd> } to any port smtp -> 127.0.0.1 port 8025

#rdr inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025

# filter rules: the implicit first two rules are

# Filtering: the implicit first two rules are

#pass in all

#pass out all

Line 49

Line 60

#block in log all

#pass in on $ext_if proto tcp from any to $ext_if port 22 keep state

#pass out on $ext_if proto { tcp, udp } all keep state

# pass incoming packets destined to the addresses given in table <foo>.

#pass in on $ext_if proto { tcp, udp } from any to <foo> port 80 keep state

# assign packets to a queue.

#pass out on $ext_if from 192.168.0.0/24 to any keep state queue developers

#pass out on $ext_if from 192.168.1.0/24 to any keep state queue marketing