src/share/pf/faq-example1 - diff

Return to faq-example1 CVS log

Up to [local] / src / share / pf

Diff for /src/share/pf/Attic/faq-example1 between version 1.3 and 1.4

version 1.3, 2005/07/02 16:16:39

version 1.4, 2006/06/16 17:26:59

Line 7

# macros

int_if = "fxp0"

ext_if="fxp0"

ext_if = "ep0"

int_if="xl0"

tcp_services = "{ 22, 113 }"

tcp_services="{ 22, 113 }"

icmp_types = "echoreq"

icmp_types="echoreq"

priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

comp3="192.168.0.3"

comp3 = "192.168.0.3"

# options

set block-policy return

set loginterface $ext_if

set skip on lo

# scrub

scrub in all

scrub in

# nat/rdr

nat on $ext_if from $int_if:network to any -> ($ext_if)

nat on $ext_if from !($ext_if) -> ($ext_if:0)

rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 \

nat-anchor "ftp-proxy/*"

port 8021

rdr-anchor "ftp-proxy/*"

rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021

rdr on $ext_if proto tcp from any to any port 80 -> $comp3

# filter rules

block all

block in

pass quick on lo0 all

pass out keep state

block drop in quick on $ext_if from $priv_nets to any

anchor "ftp-proxy/*"

block drop out quick on $ext_if from any to $priv_nets

antispoof quick for { lo $int_if }

pass in on $ext_if inet proto tcp from any to ($ext_if) \

port $tcp_services flags S/SA keep state

pass in on $ext_if proto tcp from any to $comp3 port 80 \

pass in on $ext_if inet proto tcp from any to $comp3 port 80 \

flags S/SA synproxy state

pass in on $ext_if inet proto tcp from port 20 to ($ext_if) \

user proxy flags S/SA keep state

pass in inet proto icmp all icmp-type $icmp_types keep state

pass in on $int_if from $int_if:network to any keep state

pass quick on $int_if

pass out on $int_if from any to $int_if:network keep state

pass out on $ext_if proto tcp all modulate state flags S/SA

pass out on $ext_if proto { udp, icmp } all keep state