| version 1.9, 2002/12/13 10:20:25 |
version 1.10, 2002/12/19 00:06:29 |
|
|
| external_addr="192.168.1.1" |
external_addr="192.168.1.1" |
| |
|
| # Normalize: reassemble fragments and resolve or reduce traffic ambiguities |
# Normalize: reassemble fragments and resolve or reduce traffic ambiguities |
| # scrub in all |
#scrub in all |
| |
|
| # nat: packets going out through $ext_if with source address $internal_net will get |
# nat: packets going out through $ext_if with source address $internal_net will get |
| # translated as coming from $external_addr, a state is created for such packets, |
# translated as coming from $external_addr, a state is created for such packets, |
| # and incoming packets will be redirected to the internal address. |
# and incoming packets will be redirected to the internal address. |
| |
#nat on $ext_if from $internal_net to any -> $external_addr |
| |
|
| # nat on $ext_if from $internal_net to any -> $external_addr |
|
| |
|
| # rdr: packets coming in on $ext_if with destination $external_addr:1234 will |
# rdr: packets coming in on $ext_if with destination $external_addr:1234 will |
| # be redirected to 10.1.1.1:5678. A state is created for such packets, and |
# be redirected to 10.1.1.1:5678. A state is created for such packets, and |
| # outgoing packets will be translated as coming from the external address. |
# outgoing packets will be translated as coming from the external address. |
| |
#rdr on $ext_if proto tcp from any to $external_addr/32 port 1234 -> 10.1.1.1 port 5678 |
| |
|
| # rdr on $ext_if proto tcp from any to $external_addr/32 port 1234 -> 10.1.1.1 port 5678 |
|
| |
|
| # filter rules |
# filter rules |
| # the implicit first two rules are |
# the implicit first two rules are |
| # pass in all |
#pass in all |
| # pass out all |
#pass out all |
| |
|
| # block all incoming packets but allow ssh, pass all outgoing tcp and udp |
# block all incoming packets but allow ssh, pass all outgoing tcp and udp |
| # connections and keep state |
# connections and keep state, logging blocked packets |
| # log blocked packets |
#block in log all |
| |
#pass in on $ext_if proto tcp from any to $ext_if port 22 keep state |
| |
#pass out on $ext_if proto { tcp, udp } all keep state |
| |
|
| # block in log all |
# anchor to attach spews rules, which will redirect to spewsd(8) |
| # pass in on $ext_if proto tcp from any to $ext_if port 22 keep state |
#rdr-anchor spews inet proto tcp from any to any port = smtp |
| # pass out on $ext_if proto { tcp, udp } all keep state |
|
![[BACK]](/icons/back.gif){kind=icon}
Return to pf.conf CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / etc