# $OpenBSD: faq-example1,v 1.3 2005/07/02 16:16:39 joel Exp $
# $DragonFly: src/share/examples/pf/faq-example1,v 1.1 2005/12/13 01:58:27 corecode Exp $

#
# Firewall for Home or Small Office
# http://www.openbsd.org/faq/pf/example1.html
#
# Two-interface NAT gateway: $int_if faces the LAN, $ext_if faces the
# Internet.  pf evaluates filter rules top to bottom and the LAST matching
# rule wins, except that a rule marked "quick" ends evaluation at once;
# the order of the rules below is therefore significant.

# macros
# Interface names are hardware specific; adjust them to the local NICs.
int_if = "fxp0"
ext_if = "ep0"

# TCP ports the firewall itself accepts from the Internet: 22 (ssh) and
# 113 (ident).  Anything added here becomes reachable from any source
# address through the "pass in ... port $tcp_services" rule below.
tcp_services = "{ 22, 113 }"
# Only ICMP echo requests are let in; all other ICMP falls under "block all".
icmp_types = "echoreq"

# Loopback and RFC 1918 ranges.  These must never appear as a source on
# the external interface nor as a destination leaving it (anti-spoofing).
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

# Internal host whose web server is published via the port-80 rdr below.
comp3 = "192.168.0.3"

# options
# Default for "block" rules that give no explicit policy: answer TCP with
# a RST and other protocols with ICMP unreachable instead of dropping
# silently.  The explicit "block drop" rules below override this.
set block-policy return
# Keep interface statistics (pfctl -s info) for the external interface.
set loginterface $ext_if

# scrub
# Normalise all incoming packets (fragment reassembly, odd flag combos)
# before the filter rules see them.
scrub in all

# nat/rdr
# Translation rules are applied before filtering, so the "pass" rules
# below match the already-translated addresses.
# Masquerade outbound LAN traffic behind the external interface; the
# parentheses make pf follow that address if it changes (e.g. DHCP).
nat on $ext_if from $int_if:network to any -> ($ext_if)
# Divert LAN FTP control connections to a local proxy on port 8021 --
# presumably ftp-proxy(8); it must actually be listening there or FTP
# from the LAN fails.  Confirm against the system's inetd/rc setup.
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 \
    port 8021
# Port-forward external port 80 to $comp3.
rdr on $ext_if proto tcp from any to any port 80 -> $comp3

# filter rules
# Default deny in both directions; every later "pass" is an exception.
block all

# Loopback is always trusted; "quick" stops evaluation here.
pass quick on lo0 all

# Anti-spoofing: private/loopback sources arriving from the Internet, and
# private destinations leaving towards it, are dropped silently ("drop"
# overrides block-policy return so no reply leaks back to the sender).
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

# Inbound services on the firewall itself.  "flags S/SA" matches only the
# initial SYN (SYN set, ACK clear); "keep state" then admits the rest of
# the connection from the state table.  Note this is open to any source.
pass in on $ext_if inet proto tcp from any to ($ext_if) \
    port $tcp_services flags S/SA keep state

# Inbound HTTP to the forwarded web server.  "synproxy state" has pf
# complete the TCP handshake on the server's behalf, so only fully
# established connections ever reach $comp3.
pass in on $ext_if proto tcp from any to $comp3 port 80 \
    flags S/SA synproxy state

# Active-mode FTP data connections arriving from source port 20, but only
# to sockets owned by the local "proxy" user -- presumably the FTP proxy
# behind the rdr above (confirm).  The "user" match is the real control;
# a source port of 20 alone is attacker-chosen and proves nothing.
pass in on $ext_if inet proto tcp from port 20 to ($ext_if) \
    user proxy flags S/SA keep state

# Echo requests are accepted on any interface (no "on" clause).
pass in inet proto icmp all icmp-type $icmp_types keep state

# The LAN side is trusted: anything from the LAN network may go anywhere,
# and traffic back to the LAN network is allowed out on $int_if.
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

# Outbound from the gateway, including NATed LAN traffic.  "modulate
# state" additionally randomises TCP initial sequence numbers on behalf
# of hosts with weak ISN generators.
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state