Hi there, I've been running my 4.6 firewall since release. I'm now going to do a fresh install.
I need a little bit of help replacing rdr with match rules etc.
Below is my edited 4.6 pf.conf for 4.9:
Code:
intIF = "rl0"
extIF = "vr0"
##### States Queues #####
synState="flags S/SA synproxy state"
tcpState="flags S/SA modulate state"
udpState="keep state"
##### Ports #####
# P2 #
p2ports = "{ 80, 20, 21, 49163:49173, 58939 }"
# ICMP #
icmpTypes = "echoreq unreach"
# PC #
pcports = "{ 58938 }"
##### LAN Info #####
# Local #
myNet = "192.168.1.0/24"
# P2 #
p2 = "192.168.1.3"
# PC #
pc = "192.168.1.2"
##### Banned #####
#fIP = "{}"
##### Block Timeout #####
#set ruleset-optimization none
set debug urgent
set block-policy return
set optimization normal
set fingerprints "/etc/pf.os"
set timeout { frag 10, tcp.established 3600 }
set timeout { tcp.first 30, tcp.closing 10, tcp.closed 10, tcp.finwait 10 }
set timeout { udp.first 30, udp.single 30, udp.multiple 30 }
set timeout { other.first 30, other.single 30, other.multiple 30 }
set timeout { adaptive.start 5000, adaptive.end 10000 }
set limit { states 100000, frags 100000, src-nodes 50000 }
set skip on lo0
##### Scrub #####
#scrub log on $extIF all random-id min-ttl 128 max-mss 1460 set-tos \
#    throughput reassemble tcp fragment reassemble
##### NAT #####
#match out on $extIF inet from $xbox360 to any -> $extIF static-port
match out on $extIF from $myNet nat-to ($extIF)
##### Block #####
block log all
antispoof log quick for { $extIF, $intIF }
##### Ban's #####
#block in quick on $intIF from $fIP to any
##### PASS #####
# ICMP #
pass log inet proto icmp all icmp-type echoreq $udpState
pass log inet proto icmp all icmp-type unreach $udpState
# Allow P2 #
pass in log on $extIF inet proto tcp from any to any port $p2ports $synState
pass out log on $extIF inet proto tcp from any to any port $p2ports $synState
# Allow pc #
pass in log quick on $extIF inet proto tcp from any to $pc port $pcports
pass out log quick on $extIF inet proto tcp from $pc to port $pcports
# Allow outgoing #
pass out log on $extIF inet proto tcp all $tcpState
pass out log on $extIF inet proto { udp, icmp } all $udpState
# Allow LAN #
pass in log on $intIF from $intIF:network to any keep state
pass out log on $intIF from any to $intIF:network keep state
I'm pretty sure I'm missing some bits now, as I've removed the old rdr rules etc.
Just need some advice on what rules I need to add to my pf.conf.
Regards
Scott
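Added example, not part of Scott's post: the OpenBSD 4.9 forms of the translation rules the draft above dropped. The macros ($extIF, $intIF, $myNet, $p2, $pc, $p2ports, $pcports, $synState) are taken from the posted pf.conf; the commented "4.6:" lines are what the old-style nat/rdr/scrub directives for those hosts would have looked like, and are an assumption rather than Scott's original rules. Since OpenBSD 4.7, nat, rdr and binat are no longer separate directives evaluated before the filter; they are options (nat-to, rdr-to, binat-to) on match or pass rules and are evaluated in ordinary top-to-bottom rule order.

```pf
##### NAT #####
# 4.6:  nat on $extIF from $myNet to any -> ($extIF)
# 4.9:  nat-to on a match rule; the pass out rules on $extIF still decide what leaves.
match out on $extIF inet from $myNet nat-to ($extIF)

##### Port forwards (replace the removed rdr rules) #####
# 4.6:  rdr pass on $extIF inet proto tcp from any to ($extIF) port $p2ports -> $p2
# 4.9:  the pass rule itself carries the redirect. The destination is the
#       firewall's own external address, not the LAN host, because translation
#       has not happened yet when the rule is matched. Binding it to ($extIF)
#       rather than "any" keeps the rule from redirecting transit traffic.
pass in log on $extIF inet proto tcp from any to ($extIF) port $p2ports rdr-to $p2 $synState

# 4.6:  rdr pass on $extIF inet proto tcp from any to ($extIF) port $pcports -> $pc
pass in log quick on $extIF inet proto tcp from any to ($extIF) port $pcports rdr-to $pc

# After rdr-to the packet is forwarded out on $intIF toward the LAN host, so the
# existing "pass out log on $intIF from any to $intIF:network keep state" rule
# in the draft is still required for the forwarded connection to complete.

##### Scrub #####
# 4.6 and earlier:  scrub in on $extIF all random-id min-ttl 128 max-mss 1460 ...
# 4.9:  scrub is an option in parentheses on a match rule; "fragment reassemble"
#       is now the default and "set-tos" moved to the separate "set tos" option.
match in on $extIF all scrub (random-id min-ttl 128 max-mss 1460 reassemble tcp)
```

Check the result with `pfctl -nf /etc/pf.conf` before loading it; `pfctl -sr` then shows the match and pass rules in evaluation order, and `pfctl -ss` shows the translated states (the rdr-to states list the external address and the LAN host side by side) once a connection has come in. Note that only the inbound pass rules on $extIF carry rdr-to; the draft's "pass in ... to $pc" rules on $extIF never match without it, because nothing arriving from the outside is addressed to 192.168.1.2.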