PF Help 4.6 to 4.7
Hi there, I've been running my 4.6 firewall since release. I'm now going to do a fresh install.
I need a little bit of help replacing rdr with match rules etc. Below is my edited 4.6 pf.conf for 4.9: Code:
intIF = "rl0"
extIF = "vr0"

##### States Queues #####
synState="flags S/SA synproxy state"
tcpState="flags S/SA modulate state"
udpState="keep state"

##### Ports #####
# P2 #
p2ports = "{ 80, 20, 21, 49163:49173, 58939 }"
# ICMP #
icmpTypes = "echoreq unreach"
# PC #
pcports = "{ 58938 }"

##### LAN Info #####
# Local #
myNet = "192.168.1.0/24"
# P2 #
p2 = "192.168.1.3"
# PC #
pc = "192.168.1.2"

##### Banned #####
#fIP = "{}"

##### Block Timeout #####
#set ruleset-optimization none
set debug urgent
set block-policy return
set optimization normal
set fingerprints "/etc/pf.os"
set timeout { frag 10, tcp.established 3600 }
set timeout { tcp.first 30, tcp.closing 10, tcp.closed 10, tcp.finwait 10 }
set timeout { udp.first 30, udp.single 30, udp.multiple 30 }
set timeout { other.first 30, other.single 30, other.multiple 30 }
set timeout { adaptive.start 5000, adaptive.end 10000 }
set limit { states 100000, frags 100000, src-nodes 50000 }
set skip on lo0

##### Scrub #####
#scrub log on $extIF all random-id min-ttl 128 max-mss 1460 set-tos throughput reassemble tcp fragment reassemble

##### NAT #####
#match out on $extIF inet from $xbox360 to any -> $extIF static-port
match out on $extIF from $myNet nat-to ($extIF)

##### Block #####
block log all
antispoof log quick for { $extIF, $intIF }

##### Ban's #####
#block in quick on $intIF from $fIP to any

##### PASS #####
# ICMP #
pass log inet proto icmp all icmp-type echoreq $udpState
pass log inet proto icmp all icmp-type unreach $udpState

# Allow P2 #
pass in log on $extIF inet proto tcp from any to any port $p2ports $synState
pass out log on $extIF inet proto tcp from any to any port $p2ports $synState

# Allow pc #
pass in log quick on $extIF inet proto tcp from any to $pc port $pcports
pass out log quick on $extIF inet proto tcp from $pc to port $pcports

# Allow outgoing #
pass out log on $extIF inet proto tcp all $tcpState
pass out log on $extIF inet proto { udp, icmp } all $udpState

# Allow LAN #
pass in log on $intIF from $intIF:network to any keep state
pass out log on $intIF from any to $intIF:network keep state

Just need some advice on what rules I need to add to my pf.conf. Regards Scott
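As an added example (not part of Scott's post and not taken from the OpenBSD documentation), here is how the inbound redirects that a 4.6 "rdr" rule used to provide are written in 4.7-style pf syntax, using only the macros already defined in the pf.conf above. The 4.6 rdr lines themselves are not in the post, so the commented "old form" lines are an assumption about what they looked like; the $p2 and $pc redirects are the only rules that the posted 4.7 config appears to be missing.

```pf
# Added example, not from the original post. Macros ($extIF, $p2, $pc,
# $p2ports, $pcports, $synState) come from the posted pf.conf.

# Assumed 4.6 form of the redirects (translation was a separate rule type):
#   rdr on $extIF inet proto tcp from any to ($extIF) port $p2ports -> $p2
#   rdr on $extIF inet proto tcp from any to ($extIF) port $pcports -> $pc

# 4.7 form, option 1: translation as an option on the pass rule itself.
# This replaces the posted "pass in ... from any to any port $p2ports" and
# "pass in ... to $pc port $pcports" rules, which would otherwise let the
# traffic through without ever redirecting it to the internal host.
pass in log on $extIF inet proto tcp to ($extIF) port $p2ports rdr-to $p2 $synState
pass in log quick on $extIF inet proto tcp to ($extIF) port $pcports rdr-to $pc $synState

# 4.7 form, option 2: a "match" rule does the translation and later pass
# rules filter on the already-translated (internal) destination address.
# match in on $extIF inet proto tcp to ($extIF) port $p2ports rdr-to $p2
# match in on $extIF inet proto tcp to ($extIF) port $pcports rdr-to $pc
# pass in log on $extIF inet proto tcp to $p2 port $p2ports $synState
# pass in log quick on $extIF inet proto tcp to $pc port $pcports $synState
```

Either form can be checked before loading with `pfctl -nf /etc/pf.conf`, and the resulting rules inspected with `pfctl -sr` once loaded; keeping the redirects restricted to `($extIF)` rather than `any` avoids accidentally translating traffic arriving on the LAN side.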
I can't help you but I remembered ttp://serverfault.com/questions/175405/help-me-upgrade-my-pf-conf-for-openbsd-4-7 this thread and decided you'd be a valid recipient for it. Good luck.
However, I'm not allowed to post URLs so I've broken it. Please just copy and paste it.