# $OpenBSD: faq-example1,v 1.5 2006/10/07 04:48:01 mcbride Exp $

#
# Firewall for Home or Small Office
# http://www.openbsd.org/faq/pf/example1.html
#
# pf.conf ruleset: one external (Internet-facing) interface, one internal
# LAN interface, outbound NAT, an ftp-proxy(8) hookup, and a single
# inbound port forward to a LAN web server.  Rule order matters: for
# non-"quick" rules the LAST matching rule wins, and "quick" rules stop
# evaluation at the first match.
#


# macros
# Interface names are hardware-specific (fxp0/xl0 are example NICs);
# adjust to the deployed system before loading.
ext_if="fxp0"
int_if="xl0"

# TCP ports accepted on the external interface itself (ssh, ident).
tcp_services="{ 22, 113 }"
# Only ICMP echo requests are accepted from the outside.
icmp_types="echoreq"

# LAN host that receives the inbound port-80 redirect below.
comp3="192.168.0.3"

# options
# "return": blocked TCP gets a RST and other blocked traffic an ICMP
# unreachable, instead of being silently dropped.
set block-policy return
# Collect per-interface packet/byte counters for the external interface.
set loginterface $ext_if

# Loopback traffic is not filtered at all.
set skip on lo

# scrub
# Normalise all inbound packets (fragment reassembly etc.) before they
# reach the filter rules.
scrub in

# nat/rdr
# Masquerade IPv4 traffic leaving via $ext_if that was not sourced from
# $ext_if's own address; ($ext_if:0) is the interface's first address,
# resolved dynamically so it tracks DHCP changes.
nat on $ext_if inet from !($ext_if) -> ($ext_if:0)
# Anchors that ftp-proxy(8) populates at run time with per-session rules.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Redirect LAN clients' FTP control connections to the local ftp-proxy
# listener on 8021; "rdr pass" also creates the matching pass rule.
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
# Forward inbound web traffic to $comp3.  This rdr has no "pass", so the
# explicit port-80 pass rule in the filter section below is required.
rdr on $ext_if proto tcp from any to any port 80 -> $comp3

# filter rules
# Default deny for all inbound traffic; later pass rules open holes.
block in

# All outbound traffic is allowed; state is kept, so replies are matched
# by the state table rather than by a separate inbound rule.
pass out

# Filter anchor for the rules ftp-proxy(8) inserts.
anchor "ftp-proxy/*"
# Drop packets whose source claims to be from the loopback or LAN
# networks but that arrive on another interface.  "quick" and placed
# before the later quick pass rule so spoofed packets are rejected first.
antispoof quick for { lo $int_if }

# Accept ssh and ident from any source to the firewall's own external
# address(es).  Note: this exposes port 22 to the whole Internet; narrow
# "from any" to known management sources if that fits the deployment.
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services

# Inbound web traffic to the forwarded LAN host.  "synproxy state" makes
# pf complete the TCP handshake before contacting $comp3, shielding the
# server from SYN floods.
pass in on $ext_if inet proto tcp from any to $comp3 port 80 \
    synproxy state

# Allow only the ICMP types listed in $icmp_types (echo request) inbound.
pass in inet proto icmp all icmp-type $icmp_types

# Trust the LAN completely: pass everything on the internal interface in
# both directions, stateless, and stop evaluating further rules.
pass quick on $int_if no state
