# $FreeBSD$
# $OpenBSD: faq-example1,v 1.2 2003/08/06 16:04:45 henning Exp $

#
# Firewall for Home or Small Office
# http://www.openbsd.org/faq/pf/example1.html
#
# Default-deny ruleset for a two-interface gateway: $int_if faces the
# LAN, $ext_if faces the Internet.  pf evaluates rules last-match-wins
# unless a rule is marked "quick", so the order below is significant.
#


# macros
# Interface names are site-specific; adjust to match ifconfig(8) output.
int_if = "fxp0"
ext_if = "ep0"

# TCP ports accepted from the Internet on the external address:
# 22 (ssh) and 113 (ident).  Any other inbound port on $ext_if is blocked.
tcp_services = "{ 22, 113 }"
# Only ICMP echo requests (ping) are accepted inbound.
icmp_types = "echoreq"

# Loopback plus the RFC 1918 private ranges; used to drop spoofed or
# leaked traffic on the external interface in both directions.
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

# options
# Blocked TCP is answered with a RST and blocked UDP with an ICMP
# unreachable, except where a rule says "drop" explicitly (see the
# $priv_nets rules below).  "return" reveals that a filter exists;
# a stricter site may prefer "set block-policy drop".
set block-policy return
# Packet/byte counters (pfctl -s info) are collected for the external interface.
set loginterface $ext_if

# scrub
# Normalize inbound packets and reassemble fragments before filtering.
scrub in all

# nat/rdr
# Masquerade the LAN behind the external address; the parentheses make
# pf re-read the interface address when it changes (e.g. DHCP or PPP).
nat on $ext_if from $int_if:network to any -> ($ext_if)
# Redirect LAN FTP control connections to a local FTP proxy on port
# 8021 (ftp-proxy(8) listens there by default); the proxy must be
# running or FTP from the LAN will fail.
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 \
   port 8021

# filter rules
# Default deny on every interface; the "pass" rules below punch holes.
block all

# Loopback is trusted; "quick" ends evaluation for these packets here.
pass quick on lo0 all

# Anti-spoofing: private/loopback sources must never arrive on, and
# private destinations must never leave via, the external interface.
# "drop" overrides block-policy so nothing is sent back to the sender.
block drop in  quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

# Inbound from the Internet: only the listed TCP services, only to the
# external address itself, and only for the initial SYN (flags S/SA);
# "keep state" lets the rest of the connection through without re-matching.
pass in on $ext_if inet proto tcp from any to ($ext_if) \
   port $tcp_services flags S/SA keep state

# Echo requests are accepted on any interface (no "on" clause) so the
# gateway can be pinged from both sides.
pass in inet proto icmp all icmp-type $icmp_types keep state

# LAN side: only hosts with an address on the internal network may send
# through $int_if, to any destination (including the firewall itself);
# replies return through the state entries.
pass in  on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

# Outbound to the Internet from the firewall and the NATed LAN.
# "modulate state" rewrites TCP initial sequence numbers, which protects
# hosts behind NAT whose own ISN generation may be weak.
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state