30.3. PF Revised and updated by John Ferrell.

William Moreno wmoreno3 at hotmail.com
Fri Aug 24 22:24:55 UTC 2018 

https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-pf.html

30.3.3.1. A Simple Gateway with NAT

pass in on xl1 from xl1:network to xl0:network port $ports keep state

pass out on xl0 from xl1:network to xl0:network port $ports keep state

pass from $localnet to any port $ports keep state

Please explain me: How to implement “ xl1:network - xl0:network - $localnet “ ?

I tried different forms but negative, maybe yours commands are deprecated. Am I ready?

The following configuration is ready and test was OK in my FreeBSD 11.2 Server.


root at server:~ # cat /etc/pf.conf

#       $FreeBSD: releng/11.2/share/examples/pf/pf.conf 293862 2016-01-14 01:32:17Z kevlo $

#       $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $

#

# See pf.conf(5) and /usr/share/examples/pf for syntax and examples.

# Remember to set gateway_enable="YES" and/or ipv6_gateway_enable="YES"

# in /etc/rc.conf if packets are to be forwarded between interfaces.



ext_if="igb0"

int_if="igb1"



table <spamd-white> persist



set skip on lo



scrub in



#nat-anchor "ftp-proxy/*"

#rdr-anchor "ftp-proxy/*"

nat on $ext_if inet from !($ext_if) -> ($ext_if:0)

#rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021

no rdr on $ext_if proto tcp from <spamd-white> to any port smtp

#rdr pass on $ext_if proto tcp from any to any port smtp \

#       -> 127.0.0.1 port spamd



#anchor "ftp-proxy/*"

block in

pass out



pass quick on $int_if no state

antispoof quick for { lo $int_if }



#pass in on $ext_if proto tcp to ($ext_if) port ssh

pass in on $ext_if proto tcp to ($ext_if) port 38422

#pass in log on $ext_if proto tcp to ($ext_if) port smtp

#pass out log on $ext_if proto tcp from ($ext_if) to port smtp

pass in on $ext_if inet proto icmp from any to ($ext_if) icmp-type { unreach, redir, timex }

root at server:~ # pfctl -vnf /etc/pf.conf

ext_if = "igb0"

int_if = "igb1"

table <spamd-white> persist

set skip on { lo }

scrub in all fragment reassemble

nat on igb0 inet from ! (igb0) to any -> (igb0:0)

no rdr on igb0 proto tcp from <spamd-white> to any port = smtp

block drop in all

pass out all flags S/SA keep state

pass quick on igb1 all no state

block drop in quick on ! lo inet6 from ::1 to any

block drop in quick on ! lo inet from 127.0.0.0/8 to any

block drop in quick inet from 127.0.0.1 to any

block drop in quick on ! igb1 inet from 192.168.1.0/24 to any

block drop in quick inet from 192.168.1.1 to any

block drop in quick inet6 from ::1 to any

block drop in quick on lo0 inet6 from fe80::1 to any

pass in on igb0 inet proto icmp from any to (igb0) icmp-type unreach keep state

pass in on igb0 inet proto icmp from any to (igb0) icmp-type redir keep state

pass in on igb0 inet proto icmp from any to (igb0) icmp-type timex keep state

pass in on igb0 proto tcp from any to (igb0) port = 38422 flags S/SA keep state

root at server:~ #

Thanks,

William Moreno

Enviado desde Correo<https://go.microsoft.com/fwlink/?LinkId=550986> para Windows 10

More information about the freebsd-questions mailing list