path: root/config/firewall-test/pf.conf
blob: 87902846fcddf825ac210f921fc9f302f4e41a92 (plain)
# pf(4) ruleset for the firewall-test host.
# Rule order matters: pf applies the *last* matching rule, except for rules
# marked "quick", which end evaluation as soon as they match.

# External interface while running in VirtualBox
ext_if = em0

# External interface on the real machine (swap the two ext_if lines when
# deploying outside VirtualBox)
#ext_if = re0

# Internal host that receives the redirected SMTP connections (rdr-to below)
smtp_srv = 192.168.0.33

# martians (internal RFC 1918 networks) -- used below only as the NAT source
# set.  NOTE(review): nothing in this ruleset *blocks* traffic from these
# networks, so this is a NAT list rather than a bogon/martian filter.
table <intNetworks> const { 192.168.0.0/24, 192.168.10.0/24, \
			192.168.100.0/24 }

# Default deny: anything not explicitly passed below is dropped
block all

# Drop all IPv6 immediately; "quick" means no later pass rule can override it
block quick inet6

# Interface whose packet/byte counters are shown by "pfctl -s info"
set loginterface $ext_if 

# Normalise every inbound packet; no-df clears the don't-fragment bit so
# fragmented traffic can be reassembled
match in all scrub (no-df)

# Drop packets arriving on $ext_if whose source address belongs to one of
# $ext_if's own networks (spoofed); quick so nothing below can pass them
antispoof quick for $ext_if

# Outbound services this host is allowed to reach
out_tcp_services = "{ssh, domain}"
out_udp_services = "{domain, ntp, bootps}"
out_icmp_types = "{echoreq,unreach}"

# Inbound services this host accepts
in_tcp_services = "{ssh}"
# NOTE(review): in_udp_services is defined but never referenced by any rule
# below, so inbound bootpc (DHCP client) traffic currently falls through to
# "block all" -- confirm whether a "pass in" rule for it is missing
in_udp_services = "{bootpc}"
in_icmp_types = "{echoreq,unreach}"

# Outbound UDP to the high port range used by traceroute(8) probes
pass out on $ext_if inet proto udp to port 33433 >< 33626

# Outbound allow-list.  These rules carry no "on" clause, so they apply on
# every interface, not just $ext_if
pass out inet proto tcp to port $out_tcp_services
pass out inet proto udp to port $out_udp_services 
pass out inet proto icmp all icmp-type $out_icmp_types

# Inbound allow-list: ssh and the listed ICMP types.  No "on" clause and no
# "from" restriction, so these are accepted from any source on any interface
pass in inet proto tcp to port $in_tcp_services
pass in inet proto icmp all icmp-type $in_icmp_types

# Outbound NAT: rewrite the source of traffic from the internal networks to
# $ext_if's address (parentheses: re-read the address if it changes, e.g. DHCP)
match out on $ext_if from <intNetworks> nat-to ($ext_if)

# Port-forward inbound SMTP arriving on $ext_if to $smtp_srv port 9999.
# NOTE(review): "match ... rdr-to" only rewrites the destination; the packet
# must still be admitted by a later pass rule that matches the *translated*
# address/port.  No pass rule here admits tcp to $smtp_srv port 9999, so the
# redirected connections appear to hit "block all" -- confirm whether that is
# intended for this test ruleset.
match in on $ext_if proto tcp from any to $ext_if port smtp rdr-to $smtp_srv port 9999

# HTTP from 192.168.0.1 to 192.168.0.252 on $ext_if: only initial SYNs are
# accepted (flags S/SA) and pf completes the three-way handshake itself before
# the server sees the connection (synproxy state); quick so it is final
pass in quick on $ext_if inet proto tcp from 192.168.0.1 to 192.168.0.252 port http flags S/SA synproxy state