#
# Interface:
#       ep0 - internal to private network
#       ep1 - external to cable modem
#
# Last modified:
#       Nov 9, 2002
#       --hoang
#
# -------------------------------------------------------------------------
# Section: OPTIONS
# Interface: ep1
#
# Collect packet and byte count statistics on external interface. These
# statistics can be viewed using: pfctl -s info
#
set loginterface ep1
#
# Set maximum of 10k keep states and 10k of scrub entries in the memory
# pool. Default is:
#
#       states  unlimited
#       frags   hard limit 5000
#
set limit { states 10000, frags 10000 }
#
# Optimize the engine for a normal network environment ("normal" is the
# pf.conf(5) keyword; "default" is not an accepted value).
#
set optimization normal
# -------------------------------------------------------------------------

# -------------------------------------------------------------------------
# Section: SCRUB
# Interface: all
# Resolve overlapping IP fragments. Fragments are cached and reassembled by
# pf before a packet is received by its destination. This will protect
# machines with less secure stacks behind it from fragmentation attacks.
# -------------------------------------------------------------------------
scrub in all

# -----------------------------------------------------------------------
# Declare interfaces
# -----------------------------------------------------------------------
LoIf="lo0"
IntIf="ep0"
ExtIf="ep1"

# -------------------------------------------------------------------------
# Declare ports
# -------------------------------------------------------------------------
OutTCP="{ 21,22,23,25,43,53,80,110,443,554,871,1214,1863,2401,5050,5999,6667 }"
OutUDP="{ 53,123 }"
InUDP="{ 68 }"
InICMP="{ 3,11 }"
OutTracerouteUDP="{ 33434 >< 33525 }"

# -----------------------------------------------------------------------
# Section: NAT & RDR
# NAT internal IP addresses of range 192.168.1.0/24 to external
# routable IP on external interface
# -----------------------------------------------------------------------
nat on $ExtIf from 192.168.1.0/24 to any -> $ExtIf

# -----------------------------------------------------------------------
# Redirect ftp clients behind NAT on internal interface to ftp-proxy(8)
# daemon
# -----------------------------------------------------------------------
rdr on $IntIf proto tcp from any to any port 21 -> 127.0.0.1 port 8081

# +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
# Section: FILTER
# Interface: all
# Block all incoming and outgoing packets unless they're allowed later.
# +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
block in log all
block out log all

# -----------------------------------------------------------------------
# Interface: $LoIf
# Allow loopback to flow freely.
# -----------------------------------------------------------------------
pass in quick on $LoIf all
pass out quick on $LoIf all
# -----------------------------------------------------------------------

# -----------------------------------------------------------------------
# Interface: $IntIf
# Allow internal traffic to flow freely.
# -----------------------------------------------------------------------
pass in quick on $IntIf all
pass out quick on $IntIf all
# -----------------------------------------------------------------------

# -----------------------------------------------------------------------
# Interface: $ExtIf
# Allow _internal_ and fw initiated connections from hosts behind NAT to outside
# world.
# -----------------------------------------------------------------------
# [permit only certain services to outside world]
pass out quick on $ExtIf inet proto tcp from any to any port $OutTCP flags S/SA modulate state
pass out quick on $ExtIf inet proto udp from any to any port $OutUDP keep state
# [passive ftp to outside world step 2 where the FTP server decides which port
# for ftp data back]
pass out quick on $ExtIf inet proto tcp from any to any port > 1023 flags S/SA modulate state
# [traceroute to outside world 1st stage: probing...man traceroute(8)]
pass out quick on $ExtIf inet proto udp from any to any port $OutTracerouteUDP keep state
# [ping to outside world]
pass out quick on $ExtIf inet proto icmp all icmp-type 8 code 0 keep state
# [others require opening high udp ports]
pass out quick on $ExtIf inet proto udp from any to any keep state

# -----------------------------------------------------------------------
# Allow _external_ initiated connections from outside world to hosts behind
# NAT and fw.
# -----------------------------------------------------------------------
# [bootpc to fw]
pass in quick on $ExtIf inet proto udp from any to any port $InUDP keep state
# [traceroute to internal host 2nd stage: receiving error code of icmp-type 3
# (destination unreachable) and icmp-type 11 (time exceeded)]
pass in quick on $ExtIf inet proto icmp from any to any icmp-type $InICMP keep state
# [active ftp]
pass in quick on $ExtIf inet proto tcp from any to $ExtIf port > 49151 flags S/SA modulate state
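The ruleset above depends on three things holding together: a `block ... all` default deny, every `pass` rule carrying `quick` so the first match wins, and every `pass in` on the external interface being restricted by a port or icmp-type. The following Python script is an added example, not part of the original ruleset or of pf, that parses a pf.conf of this plain one-rule-per-line style, expands the `Name="..."` macros and `{ }` / `><` / `:` / `>` port specifications, and reports on those three properties. The two rulesets it inspects are constructed samples written in the style of the one above (the second has one careless extra rule appended); the script assumes the external interface is the one named in the `nat on` rule.

```python
"""Minimal pf.conf ruleset auditor (added example; not part of the ruleset above).

Expands Name="value" macros and $Name references, expands port lists and
ranges, and checks the default-deny structure the ruleset relies on: 'block
in/out ... all' present, every 'pass' rule 'quick' (first match wins), and no
'pass in' on the external interface that takes 'from any to any' unrestricted.
Assumes one rule per line, no anchors, no multi-line braces (constructed samples).
"""
import re

MACRO_RE = re.compile(r'^([A-Za-z_]\w*)="([^"]*)"$')
PORT_RE = re.compile(r'\bport\s+(\{[^}]*\}|(?:[<>=!]+\s*)?\d+(?:\s*(?:><|:)\s*\d+)?)')
# Comparison operators: port -> inclusive (low, high) range.
CMP = {'>': lambda n, top: (n + 1, top), '>=': lambda n, top: (n, top),
       '<': lambda n, top: (1, n - 1), '<=': lambda n, top: (1, n),
       '=': lambda n, top: (n, n)}

# Constructed sample in the style of the ruleset above.
TIGHT_PF_CONF = """\
IntIf="ep0"
ExtIf="ep1"
OutTCP="{ 22,80,443 }"
OutTracerouteUDP="{ 33434 >< 33525 }"
nat on $ExtIf from 192.168.1.0/24 to any -> $ExtIf
block in log all
block out log all
pass in quick on $IntIf all
pass out quick on $ExtIf inet proto tcp from any to any port $OutTCP flags S/SA modulate state
pass out quick on $ExtIf inet proto tcp from any to any port > 1023 flags S/SA modulate state
pass out quick on $ExtIf inet proto udp from any to any port $OutTracerouteUDP keep state
pass in quick on $ExtIf inet proto tcp from any to $ExtIf port > 49151 flags S/SA modulate state
"""
# Same ruleset plus one careless rule: not 'quick' and unrestricted inbound.
LOOSE_PF_CONF = TIGHT_PF_CONF + "pass in on $ExtIf from any to any keep state\n"


def strip_comments(text):
    """Yield non-blank lines with '#' comments removed."""
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if line:
            yield line


def parse_macros(text):
    """Collect Name="value" definitions."""
    macros = {}
    for line in strip_comments(text):
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
    return macros


def rules(text):
    """Return every non-macro line with $Name references expanded."""
    macros = parse_macros(text)
    sub = lambda m: macros.get(m.group(1), m.group(0))
    return [re.sub(r'\$([A-Za-z_]\w*)', sub, ln)
            for ln in strip_comments(text) if not MACRO_RE.match(ln)]


def expand_ports(spec, top=65535):
    """'{ 22,80 }', '{ 33434 >< 33525 }', '1024:1026', '> 49151' -> set of ports."""
    spec = re.sub(r'(><|>=|<=|[:=<>])', r' \1 ', spec)   # space out operators
    toks = re.sub(r'[{},]', ' ', spec).split()
    ports, i = set(), 0
    while i < len(toks):
        t = toks[i]
        if t in CMP:                                        # e.g. '> 1023'
            lo, hi = CMP[t](int(toks[i + 1]), top)
            ports.update(range(lo, hi + 1)); i += 2
        elif i + 2 < len(toks) and toks[i + 1] in ('><', ':'):
            a, b = int(t), int(toks[i + 2])                 # ':' inclusive, '><' exclusive
            ports.update(range(a, b + 1) if toks[i + 1] == ':' else range(a + 1, b))
            i += 3
        else:
            ports.add(int(t)); i += 1
    return ports


def audit(text):
    """Summarise the filter rules and flag the structural weaknesses described above."""
    rs = rules(text)
    ext = next((r.split()[2] for r in rs if r.startswith('nat on ')), None)
    filt = [r for r in rs if r.split()[0] in ('block', 'pass')]
    default_deny = all(any(r.startswith('block %s ' % d) and r.endswith(' all')
                           for r in filt) for d in ('in', 'out'))
    non_quick = [r for r in filt if r.startswith('pass') and ' quick ' not in r]
    out_tcp = set()
    for r in filt:
        m = PORT_RE.search(r)
        if r.startswith('pass out') and 'proto tcp' in r and m:
            out_tcp |= expand_ports(m.group(1))
    unrestricted = [r for r in filt if ext and r.startswith('pass in')
                    and (' on %s ' % ext) in r and 'from any to any' in r
                    and not PORT_RE.search(r) and 'icmp-type' not in r]
    return {'external_if': ext, 'default_deny': default_deny,
            'non_quick_passes': non_quick, 'unrestricted_inbound': unrestricted,
            'outbound_tcp_ports': out_tcp}


if __name__ == '__main__':
    for name, conf in (('tight', TIGHT_PF_CONF), ('loose', LOOSE_PF_CONF)):
        r = audit(conf)
        print(name, 'default_deny=%s non_quick=%d unrestricted_in=%d out_tcp=%d' % (
            r['default_deny'], len(r['non_quick_passes']),
            len(r['unrestricted_inbound']), len(r['outbound_tcp_ports'])))
```

Running it on the "loose" sample reports one non-quick and one unrestricted inbound rule, which is exactly the kind of rule that would silently override the `block in log all` default because pf's last-match semantics apply once `quick` is missing. The expanded outbound TCP set also makes visible how much the `port > 1023` passive-ftp rule widens the `$OutTCP` allow-list.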