Original s OBSD 4.0
# cat /etc/pf.conf# $RuOBSD: pf.conf,v 1.10 2006/04/22 16:38:09 form Exp $
# izmeneno i adaptirovano dla gards.lv
# A. Vinogradov aka slepnoga 4.01.2007
# gentoo@tau.lv
# Primer nastrojki PF dlya marshrutizatora s translyaciej adresov
# zavoracivaem ves www na squid+sarg po prosbe rukovodstava
# firmi dla otceta po sotrudnikam :)
# advanser uzeram zarezem www mimo proxy
# snaruzi dostupno tolko smtp i ssh
# politika icmp zavisit ot nastroenija :)
# WAN LAN
# | +------------+
# | | |
# +-rl0----fxp0+ +----------------+
# | | | 10.10.10.0\24 |
# +------------+ +----------------+
# Vneshnij i vnutrennij interfejsy.
#
ext_if = "rl0"
int_if = "fxp0"
lo = "lo0"
squid = "3128"
# TCP/UDP servisy, obsluzhivaemye marshrutizatorom.
#
tcp_svc = " ssh smtp www pop3 "
udp_svc = "domain"
# TCP servisy, obsluzhivaemye vnutrennim serverom.
#
#tcp_rdr = "3389"
#host_rdr = "10.10.10.2"
# Tablicy chernogo i belogo spiskov dlya spamd.
#
#table <spamd> persist
#table <spamd-white> persist
#3333333333333333333333333333333333333333333
set fingerprints "/etc/pf.os"
set loginterface $ext_if
set debug urgent
set block-policy drop
set skip on lo0
# Vypolnit' normalizaciyu vseh paketov.
scrub in on ! $lo all fragment reassemble
# Translirovat' vnutrennie adresa v (osnovnoj) adres vneshnego interfejsa.
#
#nat on $int_if inet proto tcp to port www -> $int_if
nat on $ext_if from !($ext_if) -> ($ext_if:0)
# Podklyuchit' nat/rdr pravila, sozdavaemye ftp-proxy (dlya OpenBSD 3.9 i novee).
#
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
# rdr pass
# Propustit' FTP cherez transparent proxy.
#
rdr on $int_if proto tcp to !(self) port ftp -> 127.0.0.1 port 8021
# Perenapravit' adresa iz chernogo spiska v spamd.
#
#rdr pass on $ext_if proto tcp from <spamd> to port smtp \
# -> 127.0.0.1 port spamd
# Perenapravit' adresa, ne vhodyashchie v belyj spisok v spamd (ispol'zuetsya
# v rezhime greylist.
#
#rdr pass on $ext_if proto tcp from !<spamd-white> to port smtp \
# -> 127.0.0.1 port spamd
# Pereadresovat' TCP servisy, obsluzhivaemye vnutrennim serverom.
#
#rdr pass on $ext_if proto tcp to port { $tcp_rdr } -> $host_rdr
#pereadresacija na proxy-server squid iz vn. setii
rdr on $int_if inet proto tcp to port www -> 127.0.0.1 port $squid
# Zashchita ot IP spoofing.
#
pass quick on { lo $int_if }
antispoof log quick for $ext_if
# Podklyuchit' pravila, sozdavaemye ftp-proxy (dlya OpenBSD 3.9 i novee).
#
anchor "ftp-proxy/*"
# Po umolchaniyu blokirovat' vse na vneshnem interfejse. Dlya TCP soedinenij
# vozvrashchat "molca glushim"
#
block on $ext_if
# blkiruem skan NMAPom :)
block in quick from any os NMAP
# Razreshit' ishodyashchie ICMP ping pakety, lyuboj UDP trafik i TCP soedineniya.
#
pass out on $ext_if inet proto icmp icmp-type echoreq code 0 keep state
pass out on $ext_if proto udp keep state
pass out on $ext_if proto tcp flags S/SA keep state
# Razreshit' vhodyashchie ICMP ping pakety, obsluzhivaemye UDP i TCP servisy.
#
pass in on $ext_if inet proto icmp icmp-type echoreq code 0 keep state
#pass in on $ext_if proto udp to port { $udp_svc } keep state
pass in on $ext_if proto tcp to port { $tcp_svc } flags S/SA synproxy state
anchor "ftp-proxy/*"
# Razreshit' vhodyashchie TCP soedineniya dlya FTP proxy.
pass in on $ext_if proto tcp to port > 49151 flags S/SA user proxy keep state
# nano /etc/pf.conf
# cat /etc/pf.conf
# $RuOBSD: pf.conf,v 1.10 2006/04/22 16:38:09 form Exp $
# izmeneno i adaptirovano dla gards
# A.Vinogradov aka slepnoga 01.2007
#
# Primer nastrojki PF dlya marshrutizatora s translyaciej adresov
# zavoracivaem ves www na squid+sarg po prosbe rukovodstava
# firmi dla otceta po sotrudnikam :)
# advanser uzeram zarezem www mimo proxy
# snaruzi dostupno tolko smtp i ssh
# politika icmp zavisit ot nastroenija :)
# WAN LAN
# | +------------+
# | | |
# +-rl0----fxp0+ +----------------+
# | | | 10.10.10.0\24 |
# +------------+ +----------------+
# Vneshnij i vnutrennij interfejsy.
#
ext_if = "rl0"
int_if = "fxp0"
lo = "lo0"
squid = "3128"
# TCP/UDP servisy, obsluzhivaemye marshrutizatorom.
#
tcp_svc = " ssh smtp www pop3 "
udp_svc = "domain"
# TCP servisy, obsluzhivaemye vnutrennim serverom.
#
#tcp_rdr = "3389"
#host_rdr = "10.10.10.2"
# Tablicy chernogo i belogo spiskov dlya spamd.
#
#table <spamd> persist
#table <spamd-white> persist
#3333333333333333333333333333333333333333333
set fingerprints "/etc/pf.os"
set loginterface $ext_if
set debug urgent
set block-policy drop
set skip on lo0
# Vypolnit' normalizaciyu vseh paketov.
scrub in on ! $lo all fragment reassemble
# Translirovat' vnutrennie adresa v (osnovnoj) adres vneshnego interfejsa.
#
#nat on $int_if inet proto tcp to port www -> $int_if
nat on $ext_if from !($ext_if) -> ($ext_if:0)
# Podklyuchit' nat/rdr pravila, sozdavaemye ftp-proxy (dlya OpenBSD 3.9 i novee).
#
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
# rdr pass
# Propustit' FTP cherez transparent proxy.
#
rdr on $int_if proto tcp to !(self) port ftp -> 127.0.0.1 port 8021
# Perenapravit' adresa iz chernogo spiska v spamd.
#
#rdr pass on $ext_if proto tcp from <spamd> to port smtp \
# -> 127.0.0.1 port spamd
# Perenapravit' adresa, ne vhodyashchie v belyj spisok v spamd (ispol'zuetsya
# v rezhime greylist.
#
#rdr pass on $ext_if proto tcp from !<spamd-white> to port smtp \
# -> 127.0.0.1 port spamd
# Pereadresovat' TCP servisy, obsluzhivaemye vnutrennim serverom.
#
#rdr pass on $ext_if proto tcp to port { $tcp_rdr } -> $host_rdr
#pereadresacija na proxy-server squid iz vn. setii
rdr on $int_if inet proto tcp to port www -> 127.0.0.1 port $squid
# Zashchita ot IP spoofing.
#
pass quick on { lo $int_if }
antispoof log quick for $ext_if
# Podklyuchit' pravila, sozdavaemye ftp-proxy (dlya OpenBSD 3.9 i novee).
#
anchor "ftp-proxy/*"
# Po umolchaniyu blokirovat' vse na vneshnem interfejse. Dlya TCP soedinenij
# vozvrashchat "molca glushim"
#
block on $ext_if
# blkiruem skan NMAPom :)
block in quick from any os NMAP
# Razreshit' ishodyashchie ICMP ping pakety, lyuboj UDP trafik i TCP soedineniya.
#
pass out on $ext_if inet proto icmp icmp-type echoreq code 0 keep state
pass out on $ext_if proto udp keep state
pass out on $ext_if proto tcp flags S/SA keep state
# Razreshit' vhodyashchie ICMP ping pakety, obsluzhivaemye UDP i TCP servisy.
#
pass in on $ext_if inet proto icmp icmp-type echoreq code 0 keep state
#pass in on $ext_if proto udp to port { $udp_svc } keep state
pass in on $ext_if proto tcp to port { $tcp_svc } flags S/SA synproxy state
anchor "ftp-proxy/*"
# Razreshit' vhodyashchie TCP soedineniya dlya FTP proxy.
pass in on $ext_if proto tcp to port > 49151 flags S/SA user proxy keep state
#
Версия для распечатки
NAT с помощью pf FreeBSD 6.1, 
mansell66, 17-Янв-07, 15:14 [смотреть все]
