Attention: this file uses pf syntax that is now deprecated (separate nat/rdr rules, explicit keep state). Check it against the pf.conf(5) of the release you load it on; background: http://marc.info/?l=openbsd-misc&m=125181847818600
# pf-pppoe.conf - pf firewall, NAT and ALTQ rules for a LAN (rl0) behind a PPPoE uplink (tun0)
# thanks to google, sh0 and s. m.
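# Interface macros. rl0 is the LAN side, tun0 the PPPoE uplink; $unsecure
# groups both so anti-spoofing and the default deny apply to each of them.
internal = "rl0"
outworld = "tun0"
unsecure = "{ tun0, rl0 }"
# LAN hosts that get a download queue of their own (see the cbq section),
# and the LAN prefix used for NAT and for the LAN-source check.
t4c = "10.13.37.2"
mosez = "10.13.37.4"
duke = "10.13.37.7"
local_net = "10.13.37.0/24"
# TCP ports redirected to ftp-proxy, and the ports whose traffic is put into
# the interactive ssh queues (26823 is presumably a second sshd port).
ftp_ports = "{ 21 666 }"
ssh_ports = "{ 22 26823 }"
# Bogon / non-routable prefixes that must never arrive from, or be sent to,
# the uplink: RFC 1918, loopback, "this" network, link-local, the three
# RFC 5737 documentation nets (192.0.2/24 was here before; 198.51.100/24 and
# 203.0.113/24 were missing), multicast plus class E, and limited broadcast.
# 204.152.64.0/23 is carried over from the original list.
# 100.64.0.0/10 (RFC 6598 carrier-grade NAT) is deliberately NOT listed: a
# PPPoE uplink behind CGN may see legitimate traffic from it -- TODO confirm
# with the ISP before adding it.
nonroutable = "{ 192.168.0.0/16, 127.0.0.0/8, 172.16.0.0/12, 10.0.0.0/8,
0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24,
204.152.64.0/23, 224.0.0.0/3, 255.255.255.255/32 }"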
# Normalise every inbound packet (fragment reassembly by default) before the
# filter rules see it. "from any to any" is pf's long spelling of "all".
scrub in from any to any
# Upload shaping on the PPPoE uplink: a priority queue (priq) sized to the
# 640 Kbit/s upstream. The highest-priority non-empty queue is always
# served first; there is no per-queue bandwidth with priq.
altq on $outworld priq bandwidth 640Kb queue { tcp_ack_out, dns_out, ssh_out, std_out }
# tcp_ack_out - TCP ACKs without payload (the second queue named in the
#               queue(a, b) assignments of the uplink pass rules)
# dns_out     - DNS (port domain) queries
# ssh_out     - interactive ssh to $ssh_ports, with random early detection
# std_out     - everything else; the default queue at the default priority 1
queue tcp_ack_out priority 6
queue dns_out priority 5
queue ssh_out priority 4 priq(red)
queue std_out priq(default)
# Download shaping on the LAN side: class based queueing (cbq) capped at
# 7 Mbit/s (presumably the downstream rate of the PPPoE line). The child
# bandwidths add up to exactly 7Mb; queues marked borrow may take bandwidth
# the other children leave unused.
altq on $internal cbq bandwidth 7Mb queue { dns_in, ssh_in, t4c_in, mo_in, duke_in, std_in }
# dns_in  - DNS replies               (200Kb, priority 5)
# ssh_in  - interactive ssh           (300Kb, priority 4)
# t4c_in  - always-on host $t4c       (2Mb, may borrow)
# mo_in   - always-on host $mosez     (2Mb, may borrow)
# duke_in - always-on host $duke      (1Mb, may borrow)
# std_in  - everything else           (1.5Mb, default queue, may borrow)
queue dns_in bandwidth 200Kb priority 5
queue ssh_in bandwidth 300Kb priority 4
queue t4c_in bandwidth 2Mb cbq(borrow)
queue mo_in bandwidth 2Mb cbq(borrow)
queue duke_in bandwidth 1Mb cbq(borrow)
queue std_in bandwidth 1.5Mb cbq(borrow default)
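# NAT: masquerade the LAN behind the uplink address. The interface name is
# given in parentheses so pf re-reads the address whenever the PPPoE session
# renegotiates; a bare $outworld is resolved once, when the ruleset is
# loaded, and keeps translating to the stale address after a reconnect.
# (The active-ftp pass rule already uses the ($outworld) form.)
nat on $outworld from $local_net to any -> ($outworld)
# Transparent FTP: control connections from LAN hosts to the FTP ports are
# handed to ftp-proxy listening on 127.0.0.1:8021; only LAN sources are
# redirected, anything else arriving on rl0 is spoofed anyway.
rdr on $internal proto tcp from $local_net to any port $ftp_ports -> 127.0.0.1 port 8021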
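# ---- Filter rules --------------------------------------------------------
# pf evaluates the whole ruleset and the LAST matching rule wins, unless a
# matching rule says "quick", which ends evaluation on the spot. The default
# deny therefore comes FIRST and WITHOUT quick, so the pass rules further
# down can override it. (Previously these blocks sat at the very end with
# quick, which shadowed every earlier non-quick "pass in" on $unsecure --
# the active-ftp rule below never matched -- and "pass ... quick on
# $internal from any to any" shadowed all of the LAN queue assignments.)
# Order matters within the three: the tcp/udp variants come after the
# catch-all so that they, not the silent drop, are the last match.
block in on $unsecure all
block return-rst in log on $unsecure inet proto tcp from any to any
block return-icmp in log on $unsecure inet proto udp from any to any
# Loopback is never filtered.
pass out quick on lo0 from any to any
pass in quick on lo0 from any to any
# Anti-spoofing: ICMP redirects are never accepted, bogon sources never come
# in from the uplink and bogon destinations never go out over it.
block in log quick on $unsecure inet proto icmp from any to any icmp-type redir
block in quick on $outworld from $nonroutable to any
block out quick on $outworld from any to $nonroutable
# ICMP: only ping, traceroute and their error messages are let in; every
# other type is dropped and logged.
pass in quick on $unsecure inet proto icmp from any to any icmp-type { echorep, echoreq, timex, unreach }
block in log quick on $unsecure inet proto icmp from any to any
# Active FTP: the data connection comes back from the server's port 20 to
# the listening socket that ftp-proxy (running as user "proxy") opened on
# the uplink address.
pass in on $outworld inet proto tcp from port 20 to ($outworld) user proxy flags S/SA keep state
# Outbound on the uplink, with upload queue assignment. Later rules win, so
# DNS and ssh get their dedicated queues and everything else lands in
# std_out; the second queue in queue(a, b) carries the payload-less ACKs.
pass out on $outworld inet proto tcp from any to any flags S/SA keep state queue(std_out, tcp_ack_out)
pass out on $outworld inet proto { udp icmp } from any to any keep state
pass out on $outworld inet proto { tcp udp } from any to any port domain keep state queue dns_out
pass out on $outworld inet proto tcp from any to any port $ssh_ports flags S/SA keep state queue(std_out, ssh_out)
# LAN side. Only packets with a LAN source are accepted on rl0 (anything
# else is spoofed and falls into the default deny). Traffic towards the LAN
# is sorted into the download queues; the per-host queues are listed last
# so they win for those hosts. These rules are deliberately stateless.
# NOTE(review): if this box serves DHCP to the LAN, DISCOVERs arrive with
# source 0.0.0.0 and are not covered by the LAN-source rule -- confirm.
# NOTE(review): on a pf release where keep state is implied for every pass
# rule, the floating state created on rl0 would be matched again on tun0 and
# the queue rules skipped -- verify against the running release.
pass in on $internal from $local_net
pass out on $internal from any to $local_net
pass out on $internal proto { tcp udp } from any port domain to $local_net queue dns_in
pass out on $internal proto tcp from any port $ssh_ports to $local_net queue(std_in, ssh_in)
pass out on $internal from any to $t4c queue t4c_in
pass out on $internal from any to $mosez queue mo_in
pass out on $internal from any to $duke queue duke_in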