6th February 2010
J65nko
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,128
You can use this as a skeleton
Code:
EXT=re0
INT=bge0

TCPservices = "{ www https ssh }"
UDPservices = "{ domain ntp }"

set skip on lo0

# --- NAT/RDR section
nat on $EXT from ! $EXT to any -> ($EXT)

# --- Default policy
block log all

# -- EXTERNAL interface out
# Only traffic tagged OUT_ok by the internal rules below is allowed to leave on $EXT.
# One rule per protocol: "proto tcp" does not cover UDP, so UDP needs its own rule.
pass out quick on $EXT inet proto tcp tagged OUT_ok
pass out quick on $EXT inet proto udp tagged OUT_ok

# -- INTERNAL interface in
# The UDP services (domain, ntp) must be passed with "proto udp", not "proto tcp".
pass in quick on $INT inet proto tcp from $INT:network to any port $TCPservices tag OUT_ok
pass in quick on $INT inet proto udp from $INT:network to any port $UDPservices tag OUT_ok
A test load
Code:
EXT = "re0"
INT = "bge0"
TCPservices = "{ www https ssh }"
UDPservices = "{ domain ntp }"
set skip on { lo0 }
@0 nat on re0 inet from ! 192.168.222.20 to any -> (re0) round-robin
@0 block drop log all
@1 pass out quick on re0 inet proto tcp all flags S/SA keep state tagged OUT_ok
@2 pass out quick on re0 inet proto udp all keep state tagged OUT_ok
@3 pass in quick on bge0 inet proto tcp from 10.0.0.0/8 to any port = www flags S/SA keep state tag OUT_ok
@4 pass in quick on bge0 inet proto tcp from 10.0.0.0/8 to any port = https flags S/SA keep state tag OUT_ok
@5 pass in quick on bge0 inet proto tcp from 10.0.0.0/8 to any port = ssh flags S/SA keep state tag OUT_ok
@6 pass in quick on bge0 inet proto udp from 10.0.0.0/8 to any port = domain keep state tag OUT_ok
@7 pass in quick on bge0 inet proto udp from 10.0.0.0/8 to any port = ntp keep state tag OUT_ok
Are you using PPPoE?
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
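The skeleton above relies on a tag/tagged pairing: the rules on the internal interface set a tag, and only a matching `pass out ... tagged` rule on the external interface lets that traffic leave. That pairing is easy to get wrong per protocol (a UDP service passed in with no UDP `pass out ... tagged` rule never leaves the box, and only a `tcpdump -n -e -ttt -i pflog0` session shows you why). The following checker is an added example and not part of the post or of pf itself: it expands the macros and `{ }` lists the way pfctl does, counts the resulting filter rules (the same count pfctl prints as `@N` in a test load) and reports every `tag X` whose protocol has no corresponding `pass out ... tagged X` rule. The two rulesets embedded in it are constructed for the example: `SAMPLE_PF_CONF` is the skeleton with the UDP service rule corrected but the UDP `pass out` rule still missing, and `FIXED_PF_CONF` adds that rule.

```python
"""Static tag/tagged consistency check for a pf.conf ruleset (added example)."""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample: the post's skeleton with "proto udp" on the UDP service rule,
# but without a UDP "pass out ... tagged OUT_ok" rule on the external interface.
SAMPLE_PF_CONF = """\
EXT=re0
INT=bge0
TCPservices = "{ www https ssh }"
UDPservices = "{ domain ntp }"
set skip on lo0
nat on $EXT from ! $EXT to any -> ($EXT)
block log all
pass out quick on $EXT inet proto tcp tagged OUT_ok
pass in quick on $INT inet proto tcp from $INT:network to any port $TCPservices tag OUT_ok
pass in quick on $INT inet proto udp from $INT:network to any port $UDPservices tag OUT_ok
"""

# Same ruleset with the missing UDP egress rule added.
FIXED_PF_CONF = SAMPLE_PF_CONF + "pass out quick on $EXT inet proto udp tagged OUT_ok\n"

MACRO_RE = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.+?)$')
MACRO_REF_RE = re.compile(r'\$\{([A-Za-z_]\w*)\}|\$([A-Za-z_]\w*)')
LIST_RE = re.compile(r'\{([^}]*)\}')


def strip_comment(line: str) -> str:
    """Drop a trailing '# ...' comment and surrounding whitespace."""
    return line.split('#', 1)[0].strip()


def parse_macros(conf: str) -> Dict[str, str]:
    """Collect NAME=value macro definitions; pf allows optional quotes around the value."""
    macros: Dict[str, str] = {}
    for raw in conf.splitlines():
        m = MACRO_RE.match(strip_comment(raw))
        if m:
            macros[m.group(1)] = m.group(2).strip().strip('"')
    return macros


def expand_macros(line: str, macros: Dict[str, str]) -> str:
    """Replace $NAME / ${NAME}; a suffix such as ':network' stays attached to the value."""
    def sub(m: re.Match) -> str:
        name = m.group(1) or m.group(2)
        if name not in macros:
            raise KeyError(f"undefined macro ${name}")
        return macros[name]
    return MACRO_REF_RE.sub(sub, line)


def expand_lists(line: str) -> List[str]:
    """Turn one rule with '{ a b }' lists into one rule per list element, as pfctl does."""
    m = LIST_RE.search(line)
    if not m:
        return [line]
    expanded: List[str] = []
    for item in m.group(1).split():
        expanded.extend(expand_lists(line[:m.start()] + item + line[m.end():]))
    return expanded


def parse_rule(line: str) -> Dict[str, Optional[str]]:
    """Extract the fields the check needs from one fully expanded pass/block rule."""
    tokens = line.split()
    rule: Dict[str, Optional[str]] = {'action': tokens[0], 'dir': None, 'on': None,
                                      'proto': None, 'tag': None, 'tagged': None, 'text': line}
    for i, tok in enumerate(tokens):
        if tok in ('in', 'out') and rule['dir'] is None:
            rule['dir'] = tok
        elif tok in ('on', 'proto', 'tag', 'tagged') and i + 1 < len(tokens):
            rule[tok] = tokens[i + 1]
    return rule


def load_rules(conf: str) -> List[Dict[str, Optional[str]]]:
    """Macro- and list-expand the filter rules (pass/block); options and nat are skipped."""
    macros = parse_macros(conf)
    rules = []
    for raw in conf.splitlines():
        line = strip_comment(raw)
        if not line or MACRO_RE.match(line) or line.split()[0] not in ('pass', 'block'):
            continue
        for expanded in expand_lists(expand_macros(line, macros)):
            rules.append(parse_rule(expanded))
    return rules


def check_tags(rules: List[Dict[str, Optional[str]]]) -> List[str]:
    """Report tags set on 'pass in' rules that lack a 'pass out ... tagged' rule for the same proto."""
    setters: Dict[str, set] = defaultdict(set)    # tag -> {(dir, proto)}
    consumers: Dict[str, set] = defaultdict(set)  # tagged -> {(dir, proto)}
    for r in rules:
        if r['action'] != 'pass':
            continue
        if r['tag']:
            setters[r['tag']].add((r['dir'], r['proto']))
        if r['tagged']:
            consumers[r['tagged']].add((r['dir'], r['proto']))
    findings: List[str] = []
    for tag, setter_set in setters.items():
        if tag not in consumers:
            findings.append(f"tag {tag} is set but no rule matches 'tagged {tag}'")
            continue
        in_protos = {p for d, p in setter_set if d == 'in'}
        out_protos = {p for d, p in consumers[tag] if d == 'out'}
        if None in out_protos:  # a 'pass out' without proto covers every protocol
            continue
        for proto in sorted(in_protos - out_protos, key=str):
            findings.append(f"tag {tag}: 'pass in ... proto {proto} tag {tag}' has no "
                            f"'pass out ... proto {proto} tagged {tag}' rule")
    for tag in consumers:
        if tag not in setters:
            findings.append(f"'tagged {tag}' is matched but no rule sets tag {tag}")
    return findings


if __name__ == '__main__':
    for name, conf in (('sample', SAMPLE_PF_CONF), ('fixed', FIXED_PF_CONF)):
        rules = load_rules(conf)
        print(f"{name}: {len(rules)} filter rules after expansion")
        for f in check_tags(rules) or ['no tag/tagged mismatches']:
            print('  ', f)
```

Run it on a real pf.conf by reading the file into `load_rules`; the rule count it prints should match the highest `@N` of a `pfctl -vnf /etc/pf.conf` test load plus one, which is a quick sanity check that the macro and list expansion agrees with pfctl before trusting the tag report.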