/etc/pf.conf

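#
# Firewall for Home or Small Office
# http://www.openbsd.org/faq/pf/example1.html
#

# macros
int_if = "vr0"
ext_if = "vr1"

# Ports accepted on the firewall itself from any source on $ext_if.
# NOTE(review): echo (tcp/7) and auth (tcp/113) are reachable from any
# source here; confirm both are actually needed before keeping them.
ports_fw = "{ ssh,echo,auth,11750 }"
# Ports passed through to web_server. Only www has a matching rdr below.
ports_web = "{ www,https }"
icmp_types = "{ echoreq, unreach }"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
web_server = "{ 192.168.0.2 }"
black_list = "{ 86.68.57.234 }"

# options
set block-policy return
# loginterface only gathers packet/byte counters; a blocked packet is
# written to pflog only if the blocking rule itself carries "log".
set loginterface $ext_if
set require-order yes
set optimization normal

# scrub
scrub in all fragment reassemble random-id
scrub out on $ext_if max-mss 1440

# NAT
nat on $ext_if from !($ext_if) -> ($ext_if)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Redirect. ftp-proxy and web_server
rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
# Only www is redirected. https is listed in $ports_web but has no rdr
# here, so the https half of the web_server pass rule below is not
# reachable through NAT.
rdr on $ext_if proto tcp from any to any port www -> $web_server

# Default policy. Block (and log) all incoming traffic unless a later
# rule passes it; allow all outgoing traffic and the replies it creates.
# pass quick all                # Allow all traffic (only for testing!)
block in log
pass out keep state

# Anchor
anchor "ftp-proxy/*"

# Loopback. Passed before antispoof: pf.conf(5) warns that the rules
# antispoof generates interfere with packets sent over the loopback
# interface to local addresses, so lo0 is passed explicitly first.
pass quick on lo0 all

# Antispoof
antispoof quick for { lo $int_if }

# RFC 1918. Logged so spoofed or leaked private-range traffic is visible
# in pflog.
block drop in  log quick on $ext_if from $priv_nets to any
block drop out log quick on $ext_if from any to $priv_nets

# Blacklist. "drop" (same as the RFC 1918 rules) so block-policy return
# does not send a RST/unreachable back to a listed host.
block drop in log quick on $ext_if from $black_list to any

#
# Allow
# * ports_fw connections to firewall
# * ports_web to web server
# * ICMP
# Pass rules are applied to incoming traffic on ext_if.
# All traffic through int_if is passed.
#
# NOTE(review): ssh is open from any source with no connection-rate
# limit; consider max-src-conn-rate with an overload table if brute
# force attempts become a problem.
pass in on $ext_if inet proto tcp from any to ($ext_if) port $ports_fw \
    flags S/SA keep state
pass in on $ext_if inet proto tcp from any to $web_server port $ports_web \
    flags S/SA synproxy state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass quick on $int_if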