
Metode de filtrare PF

Exemplu de configurare PF

#vi pf.conf

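# WAN interface, 8x.xx.xx.130/32
ext_if="rl0"
#set loginterface $ext_if
# Private (LAN) interface, 10.124.175.26
int_if="fxp0"
# Public interface, 8x.x.x.121/29
pb_if="rl1"
# Local network (subnet) 10.124.175.0/24, derived from the interface address
lcnet= $int_if:network
# Public network (subnet) 8x.x.x.120/29
pbnet=$pb_if:network
# Loopback is never filtered
set skip on lo0
# POP host
rnet="10.124.175.20"
# Vincze's workstation
vnet="10.124.175.45"
# ftp-proxy listens on loopback
proxy="127.0.0.1"
# OpenVPN tunnel interface
vpn="tun0"
vpn_net=$vpn:network
# Packet normalization (reassembly / sanity checks on every inbound packet)
scrub in all
# ICMP types let through by the ICMP rule further down
icmp_types="{echoreq, unreach}"

##############################
# Table test: <autotop> is loaded from /etc/autotop at ruleset load time.
# NOTE(review): "table ... persist file" without a table name is a syntax
# error; the name was evidently swallowed by the blog's HTML rendering
# (angle brackets). It is restored here from the file name — confirm
# against the live pf.conf.
table <autotop> persist file "/etc/autotop"
###############################

# NAT rule (for a dynamic WAN address use ($ext_if) so pf re-reads the address)
nat on $ext_if from $lcnet to any -> $ext_if

# RDP from outside without the VPN - kept as a fallback, disabled
#rdr on $ext_if proto tcp from any to port 3389 -> 10.124.175.20

# FTP: active-mode FTP does not survive NAT, so LAN FTP is redirected to
# ftp-proxy on loopback; the proxy inserts its own rules via the anchors
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
#rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
# Default deny: nothing passes unless a rule below allows it
block all

# Accepted ports
tcp_wan = "{smtp, www, domain, pop3, https, pop3s, 10000, 5000 }"
tcp_services = "{ssh, www, smtp, domain, pop3, auth, https, pop3s, ftp, ftp-data }"
udp_services = "{ domain }"
#tcp_lan = "{ssh, domain, 3128}"

###############################################################################
###############################################################################
# For now only for the public IP
#pass in on $pb_if proto tcp from $pbnet to any port $tcp_wan keep state
# NOTE(review): no direction/interface and "from any" — UDP 53 on the firewall
# itself is reachable from the Internet; if it runs a recursive resolver this
# is an open resolver (amplification risk). Consider "from { $lcnet, $pbnet }".
pass proto udp from any to any port $udp_services keep state
# NOTE(review): "to any" also covers the LAN, so public-subnet hosts may reach
# LAN ssh/www/etc. through the firewall. Restrict the destination if that is
# not intended.
pass inet proto tcp from $pbnet to any port $tcp_services keep state
pass proto tcp from any to 8x.x.x.123 port $tcp_wan keep state
pass proto tcp from any to 8x.x.x.123 port 21 keep state
# Passive FTP data ports. NOTE(review): this opens every TCP port above 32768
# on 8x.x.x.123 to the whole Internet; pin it to the FTP daemon's configured
# passive-port range (and add "in on $pb_if") instead.
pass proto tcp from any to 8x.x.x.123 port > 32768 keep state #FTP

###############################################################################
###############################################################################
# Filter rules inserted by ftp-proxy at runtime
anchor "ftp-proxy/*"
#pass inet proto tcp from { lo0, $lcnet, $ext_if } to any port $tcp_services keep state
#pass inet proto icmp from { lo0, $lcnet, $ext_if, $pbnet } to any
# The firewall itself and Vincze's host may open any outbound TCP; the
# firewall and the POP host may open any UDP
pass quick proto tcp from { $vnet, $ext_if } to any keep state
pass quick proto udp from { $rnet, $ext_if } to any keep state
#########################################
# Table test (table name restored the same way as in the definition above)
pass log inet proto tcp from <autotop> to any port $tcp_services keep state
#pass log inet from <autotop> to any keep state

# Towards the two remote VPN networks (routed over the tunnel)
pass inet from $lcnet to 10.40.0.0/16 keep state
pass inet from $lcnet to 10.112.0.0/16 keep state

#########################################
# Traceroute UDP probe ports (">< " is an exclusive range)
pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state
# FTP: let ftp-proxy reach remote FTP servers
pass out proto tcp from $proxy to any port 21 keep state
# OpenVPN (UDP 1194) from the WAN
pass in on $ext_if proto udp from any to port 1194 keep state
#pass in on $ext_if proto tcp from any to port 3389 keep state
# ICMP: echo requests and unreachables only
pass inet proto icmp from any to any icmp-type $icmp_types keep state
# OpenVPN tunnel - everything is allowed in both directions, unfiltered
pass quick on tun0
# Remote desktop: anything on the LAN interface towards the LAN
pass on $int_if from any to $lcnet keep state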


Stația este un FreeBSD 7 pe care rulez pf + OpenVPN, plus câteva rute statice spre alte două rețele VPN (10.40.0.0/16 și 10.112.0.0/16).
