PF, The OpenBSD Packet Filter: Building The Network You Need: BSDCan, Ottawa, June 10th 2015 | ||
---|---|---|
Prev | Next |
/etc/pf.conf
ext_if = ep0 int_if = ep1 localnet= "192.0.2.0/24" webserver = "192.0.2.227" webports = "{ http, https }" emailserver = "192.0.2.225" email = "{ smtp, pop3, imap, imap3, imaps, pop3s }" nameservers = "{ 192.0.2.221, 192.0.2.223 }" client_out = "{ ssh, domain, pop3, auth, nntp, http, https, \ cvspserver, 2628, 5999, 8000, 8080 }" udp_services = "{ domain, ntp }" icmp_types = "{ echoreq, unreach }" set skip on $int_if block all pass quick on $ext_if inet proto { tcp, udp } from $localnet to \ any port $udp_services pass log on $ext_if inet proto icmp all icmp-type $icmp_types pass on $ext_if inet proto tcp from $localnet to any port $client_out pass on $ext_if inet proto { tcp, udp } from any to $nameservers \ port domain pass on $ext_if proto tcp from any to $webserver port $webports pass log on $ext_if proto tcp from any to $emailserver port $email pass log on $ext_if proto tcp from $emailserver to port smtp
(knock yourself out)