Thread: Help me setup my new router
View Single Post
  #3   (View Single Post)  
Old 14th July 2013
Sonya's Avatar
Sonya Sonya is offline
Real Name: Sonya Fox
New User
  
Join Date: Jan 2009
Posts: 8
Default
I used the pf.conf from the article (it wouldn't let me link to that before for some reason); here it is with my modifications.
Code:
### macros
# internal and external interfaces (run 'ifconfig' to find interfaces)
int_if = "re1"
ext_if = "re0"

# Allow Telnet, web, etc...
tcp_services = "{ 22, 23, 25, 80 }"

# ping requests
icmp_types = "echoreq"

# Private networks, we are going to block incoming traffic from them
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

### options
set block-policy return
set loginterface $ext_if
set skip on lo0

### Scrub
# From the PF user's guide (http://www.openbsd.org/faq/pf/index.html):
# "Scrubbing" is the normalization of packets so there are no ambiguities in
# interpretation by the ultimate destination of the packet. The scrub directive
# also reassembles fragmented packets, protecting some operating systems from
# some forms of attack, and # drops TCP packets that have invalid flag
# combinations.
scrub in all

### nat/rdr
# NAT traffic from internal network to external network through external
# interface
nat on $ext_if from $int_if:network to any -> ($ext_if)

### filter rules
block all

# block incoming traffic from private networks on external interface
block drop in quick on $ext_if from $priv_nets to any

# block outgoing traffic to private networks on external interface
block drop out quick on $ext_if from any to $priv_nets

# allow access to tcp_services on external interface
pass in on $ext_if inet proto tcp from any to ($ext_if) port
$tcp_services flags S/SA keep state

# allow in FTP control port
pass in on $ext_if inet proto tcp from port 20 to ($ext_if) user proxy
flags S/SA keep state

# allow in ping replies
pass in inet proto icmp all icmp-type $icmp_types keep state

# allow all traffic from internal network to internal interface
pass in  on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

# allow all traffic out via external interface
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
Side note, that's not my real IP address - I just made one up off the top of my head. re0 and re1 are the network interfaces.
Reply With Quote