PF, The OpenBSD Packet Filter: Building The Network You Need: BSDCan, Ottawa, June 10th 2015 | ||
---|---|---|
Prev | Next |
webserver = "192.168.2.7" webports = "{ http, https }" emailserver = "192.168.2.5" email = "{ smtp, pop3, imap, imap3, imaps, pop3s }" pass inet proto icmp icmp-type $icmp_types from $localnet pass inet proto icmp icmp-type $icmp_types to $ext_if pass in on $ext_if inet proto tcp to $ext_if port $webports rdr-to $webserver pass in on $ext_if inet proto tcp to $ext_if port $email rdr-to $mailserver pass on $int_if inet proto tcp to $webserver port $webports pass on $int_if inet proto tcp to $mailserver port $email
Pre-4.7:
webserver = "192.168.2.7" webports = "{ http, https }" emailserver = "192.168.2.5" email = "{ smtp, pop3, imap, imap3, imaps, pop3s }" rdr on $ext_if proto tcp from any to $ext_if port \ $webports -> $webserver rdr on $ext_if proto tcp from any to $ext_if port \ $email -> $emailserver pass in on $ext_if proto tcp from any to $webserver port $webports pass in on $ext_if proto tcp from any to $emailserver port $email pass out on $ext_if proto tcp from $emailserver to any port smtp
Works with or without a separate dmz, but -