after long time I find new job , and they want me I make NAT server for internet sharing . so I want use FreeBSD with PF,
they want me only make NAT and do not block ports , they want all ports must be open , and they want only NAT , and do not want block by PF , can I use these rules for make NAT only or no
please help me to improve this rule
Code:
ns# cat /usr/local/pf/pf.conf
# $FreeBSD: src/share/examples/pf/faq-example1,v 1.1 2004/09/14 01:07:18 mlaier Exp $
# $OpenBSD: faq-example1,v 1.2 2003/08/06 16:04:45 henning Exp $
# Edited by: mfaridi
################################ MACROS ############################################################
ext_if = "sk0"
int_if = "re0"
External_net = "10.10.10.192/27"
Local_net = "192.168.0.0/24"
Local_Web = "192.168.0.10"
Local_Srv = "192.168.0.1"
Prtcol = "{ tcp, udp }"
Admin_IP = "{ 10.10.10.192/27, 11.11.11.0/21, 12.12.12.0/18 }"
ICMP_Types = "{ echorep, unreach, squench, echoreq, timex }"
#Define ports for common internet services
#TCP_SRV = "{ 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 8443 }"
#UDP_SRV = "{ 53 }"
TCP_SRV = "{ 80, 443 }"
UDP_SRV = "{ }"
Samba_TCP = "{ 139, 445 }"
Samba_UDP = "{ 137, 138 }"
SERVER = "10.10.10.200"
NAT1 = "10.10.10.194"
NAT2 = "10.10.10.195"
NAT3 = "10.10.10.196"
NAT4 = "10.10.10.197"
NAT5 = "10.10.10.198"
NAT6 = "10.10.10.199"
NAT7 = "10.10.10.201"
NAT8 = "10.10.10.202"
NAT9 = "10.10.10.203"
NAT10 = "10.10.10.204"
NAT11 = "10.10.10.205"
NAT12 = "10.10.10.206"
NAT13 = "10.10.10.207"
NAT14 = "10.10.10.208"
NAT15 = "10.10.10.209"
NAT16 = "10.10.10.210"
NAT17 = "10.10.10.211"
NAT18 = "10.10.10.212"
NAT19 = "10.10.10.213"
NAT20 = "10.10.10.214"
NAT21 = "10.10.10.215"
NAT22 = "10.10.10.216"
NAT23 = "10.10.10.217"
NAT24 = "10.10.10.218"
NAT25 = "10.10.10.219"
#### All IP of Groups which can be connect to Internet
paltalk1 = "{ 192.168.0.20, 192.168.0.21, 192.168.0.22 }"
paltalk2 = "{ 192.168.0.23, 192.168.0.24, 192.168.0.25 }"
paltalk3 = "{ 192.168.0.26, 192.168.0.27, 192.168.0.28, 192.168.0.29 }"
webdsgn1 = "{ 192.168.0.30, 192.168.0.31, 192.168.0.32 }"
webdsgn2 = "{ 192.168.0.33, 192.168.0.34, 192.168.0.35 }"
webdsgn3 = "{ 192.168.0.36, 192.168.0.37, 192.168.0.38 }"
webdsgn4 = "{ 192.168.0.39, 192.168.0.40, 192.168.0.41 }"
webdsgn5 = "{ 192.168.0.42, 192.168.0.43, 192.168.0.44 }"
webdsgn6 = "{ 192.168.0.45, 192.168.0.46, 192.168.0.47 }"
webdsgn7 = "{ 192.168.0.48, 192.168.0.49, 192.168.0.50 }"
webdsgn8 = "{ 192.168.0.51, 192.168.0.52, 192.168.0.53, 192.168.0.54 }"
rased1 = "{ 192.168.0.60, 192.168.0.61, 192.168.0.62 }"
rased2 = "{ 192.168.0.63, 192.168.0.64, 192.168.0.65 }"
rased3 = "{ 192.168.0.66, 192.168.0.67, 192.168.0.68 }"
rased4 = "{ 192.168.0.69, 192.168.0.70 }"
rased5 = "{ 192.168.0.200, 192.168.0.201, 192.168.0.202, 192.168.0.203, 192.168.0.204, 192.168.0.205 }"
rased6 = "{ 192.168.0.206, 192.168.0.207, 192.168.0.208, 192.168.0.209, 192.168.0.210, 192.168.0.211 }"
rased7 = "{ 192.168.0.212, 192.168.0.213, 192.168.0.214, 192.168.0.215, 192.168.0.216, 192.168.0.217 }"
rased8 = "{ 192.168.0.218, 192.168.0.219, 192.168.0.220, 192.168.0.221, 192.168.0.222, 192.168.0.223, 192.168.0.224, 192.168.0.225 }"
admin1 = "{ 192.168.0.55, 192.168.0.56, 192.168.0.57 }"
admin2 = "{ 192.168.0.58, 192.168.0.59 }"
############################### TABLES ############################################################
#Define privileged network address sets
table <priv_nets> const { 127.0.0.0/8, 192.168.0.0/16, 13.13.0.0/12, 10.0.0.0/8, 0.0.0.0/8, \
14.14.0.0/16, 192.0.2.0/24, 15.15.15.0/23, 224.0.0.0/3 }
table <badguys> persist file "/usr/local/pf/Network/blocklist.lst"
table <hackers> persist file "/usr/local/pf/Network/hackers.lst"
#Define Favoured client hosts
table <Admin> persist file "/usr/local/pf/Network/Admin.lst"
table <Paltalk> persist file "/usr/local/pf/Network/Paltalk.lst"
table <WebDsgn> persist file "/usr/local/pf/Network/WebDsgn.lst"
table <Rased> persist file "/usr/local/pf/Network/Rased.lst"
table <LocalHost> const { self }
############################### OPTIONS ############################################################
#Default behaviour
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 10000, frags 5000 }
set loginterface $ext_if
set optimization normal
set block-policy drop
set require-order yes
set fingerprints "/etc/pf.os"
set skip on lo0
#set state-policy if-bound
############################### TRAFFIC NORMALIZATION ##############################################
#Filter traffic for unusual packets
scrub in all
############################### TRANSLATION ######################################################
#NAT for the external traffic
#Mask internal ip addresses with actual external ip address
#nat pass on $ext_if from $Local_net to any -> $SERVER
nat pass on $ext_if from $paltalk1 to any -> $NAT1
nat pass on $ext_if from $paltalk2 to any -> $NAT2
nat pass on $ext_if from $paltalk3 to any -> $NAT3
nat pass on $ext_if from $webdsgn1 to any -> $NAT4
nat pass on $ext_if from $webdsgn2 to any -> $NAT5
nat pass on $ext_if from $webdsgn3 to any -> $NAT6
nat pass on $ext_if from $webdsgn4 to any -> $NAT7
nat pass on $ext_if from $webdsgn5 to any -> $NAT8
nat pass on $ext_if from $webdsgn6 to any -> $NAT9
nat pass on $ext_if from $webdsgn7 to any -> $NAT10
nat pass on $ext_if from $webdsgn8 to any -> $NAT11
nat pass on $ext_if from $rased1 to any -> $NAT12
nat pass on $ext_if from $rased2 to any -> $NAT13
nat pass on $ext_if from $rased3 to any -> $NAT14
nat pass on $ext_if from $rased4 to any -> $NAT15
nat pass on $ext_if from $rased5 to any -> $NAT16
nat pass on $ext_if from $rased6 to any -> $NAT17
nat pass on $ext_if from $rased7 to any -> $NAT18
nat pass on $ext_if from $rased8 to any -> $NAT19
nat pass on $ext_if from $admin1 to any -> $NAT20
nat pass on $ext_if from $admin2 to any -> $NAT21
#rdr on $ext_if proto tcp from $Admin_IP to $SERVER port 5900 -> 192.168.0.100 port 5900
#rdr on $ext_if proto tcp from $Admin_IP to $SERVER port 2222 -> 192.168.0.50 port 22
############################### PACKET FILTERING #################################################
# Default Rule
pass quick on { $ext_if, $int_if } all keep state
# End of File: pf.conf
can I use this rule for NAT ?
I want only NAT and I do not want another thing like block torrent ports or something else
I would be grateful if you can help my to modify this rule , I think this rule has a lot of problems
do you think I need add some rules to this rules or no ?
for has better NAT with high performance , what I must do ?