mirror of
https://github.com/fwbuilder/fwbuilder
synced 2025-10-16 15:38:43 +02:00
6a9fdbf3af
should use "(interface)" syntax to the right of "->" in NAT rules. This now works for all interfaces, including those that have ip addresses in fwbuilder configuration, when interface object appears in "Translated Source" in a nat rule. When firewall object appears in "Translated Source", it gets replaced with a set of its interfaces which also get translated into "-> (interface)".
76 lines
3.0 KiB
Plaintext
76 lines
3.0 KiB
Plaintext
|
|
|
|
|
|
|
|
# Tables: (4)
|
|
table <block these> persist file "block-hosts.tbl"
|
|
table <spammers> persist
|
|
table <tbl.r0.d> { 192.168.1.1 , 192.168.1.2 , 192.168.1.3/30 , 192.168.1.200 , 192.168.1.201 , 192.168.2.128/25 }
|
|
table <tbl.r1> { 7.7.7.7 , 61.150.47.112 , 192.168.1.1 , 192.168.1.2 , 192.168.1.3/30 , 192.168.1.200 , 192.168.1.201 , 192.168.2.128/25 }
|
|
|
|
#
|
|
# Rule 0 (NAT)
|
|
rdr on eth0.100 proto tcp from ! <block these> to (eth0.100) port 25 -> 192.168.1.10 port 25
|
|
#
|
|
# Rule 1 (NAT)
|
|
rdr on eth0.100 proto tcp from <block these> to (eth0.100) port 25 -> 192.168.1.10 port 25
|
|
rdr on eth0.100 proto tcp from <tbl.r1> to (eth0.100) port 25 -> 192.168.1.10 port 25
|
|
#
|
|
# Rule 2 (NAT)
|
|
nat on eth0.100 proto {tcp udp icmp} from 192.168.1.0/24 to ! <block these> -> (eth0.100)
|
|
#
|
|
# Rule 3 (NAT)
|
|
rdr proto tcp from any to (eth0.100) port 25 -> { 192.168.1.1 , 192.168.1.2 , 192.168.1.200 , 192.168.1.201 , 192.168.1.3/30 , 192.168.2.128/25 } port 25
|
|
#
|
|
# Rule 4 (NAT)
|
|
rdr proto {tcp udp icmp} from any to (eth0.100) -> { 192.168.1.1 , 192.168.1.2 , 192.168.1.200 , 192.168.1.201 , 192.168.1.3/30 , 192.168.2.128/25 }
|
|
#
|
|
# Rule 5 (NAT)
|
|
no nat proto {tcp udp icmp} from 192.168.1.0/24 to <block these>
|
|
no rdr proto {tcp udp icmp} from 192.168.1.0/24 to <block these>
|
|
#
|
|
# Rule 6 (NAT)
|
|
rdr proto {tcp udp icmp} from 192.168.1.0/24 to <block these> -> (lo)
|
|
|
|
#
|
|
# Rule 0 (global)
|
|
pass quick inet from any to <tbl.r0.d> keep state label "RULE 0 -- ACCEPT on global "
|
|
#
|
|
# Rule 1 (global)
|
|
block log quick inet from any to <block these> label "RULE 1 -- DROP on global "
|
|
#
|
|
# Rule 2 (global)
|
|
block log quick inet from any to <block these> label "RULE 2 -- DROP on global "
|
|
block log quick inet from any to <tbl.r1> label "RULE 2 -- DROP on global "
|
|
#
|
|
# Rule 3 (global)
|
|
block log quick inet from any to <tbl.r0.d> label "RULE 3 -- DROP on global "
|
|
#
|
|
# Rule 4 (global)
|
|
block log quick inet from <spammers> to any label "RULE 4 -- DROP on global "
|
|
#
|
|
# Rule 5 (global)
|
|
block quick inet proto tcp from any to <block these> port 25 label "RULE 5 -- DROP on global "
|
|
block quick inet proto tcp from any to 61.150.47.112 port 25 label "RULE 5 -- DROP on global "
|
|
#
|
|
# Rule 6 (global)
|
|
block log quick inet from <block these> to any label "RULE 6 -- DROP on global "
|
|
#
|
|
# Rule 7 (global)
|
|
block log quick inet from <block these> to any label "RULE 7 -- DROP on global "
|
|
block log quick inet from 61.150.47.112 to any label "RULE 7 -- DROP on global "
|
|
#
|
|
# Rule 9 (global)
|
|
pass quick inet proto tcp from any to 192.168.1.10 port 25 keep state ( max-src-conn 5, overload <spammers> flush global ) label "RULE 9 -- ACCEPT on global "
|
|
#
|
|
# Rule 10 (global)
|
|
pass quick inet from 192.168.1.0/24 to any keep state label "RULE 10 -- ACCEPT on global "
|
|
#
|
|
# Rule 11 (global)
|
|
block log quick inet from any to any label "RULE 11 -- DROP on global "
|
|
#
|
|
# Rule fallback rule
|
|
# fallback rule
|
|
block quick inet from any to any label "RULE 10000 -- DROP on global "
|
|
|