fwbuilder/test/pf/firewall1.conf.orig

#
# Prolog script
#
# prolog:
# some pf command at the very top of the .conf file goes here



#
# End of prolog script
#


#
# Scrub rules
#
scrub in all fragment reassemble


# Tables: (6)
table <tbl.r0.s> { 22.22.22.22 , 192.168.1.1 } 
table <tbl.r11> { 192.168.1.10 , 192.168.1.20 } 
table <tbl.r11.s> { 22.22.22.22 , 22.22.23.23 , 192.168.1.1 , 192.168.2.0/24 , 192.168.2.1 } 
table <tbl.r16> { 33.33.33.0/24 , 33.33.44.0/24 } 
table <tbl.r7> { 192.168.1.0/24 , 192.168.2.0/24 } 
table <tbl.r9> { 22.22.22.22 , 22.22.23.23 , 192.168.1.1 , 192.168.2.1 } 

# 
# Rule  0 (NAT)
no nat proto {tcp udp icmp} from 192.168.1.0/24 to 192.168.2.0/24 
no rdr proto {tcp udp icmp} from 192.168.1.0/24 to 192.168.2.0/24 
# 
# Rule  1 (NAT)
nat proto {tcp udp icmp} from 192.168.1.10 to any -> 22.22.22.23 
# 
# Rule  2 (NAT)
nat proto {tcp udp icmp} from ! 192.168.1.0/24 to 200.200.200.200 -> 22.22.22.23 
# 
# Rule  3 (NAT)
nat on eth0 proto {tcp udp icmp} from 192.168.1.0/24 to any -> 192.168.1.1 
nat on eth1 proto {tcp udp icmp} from 192.168.1.0/24 to any -> 22.22.22.22 
nat on eth2 proto {tcp udp icmp} from 192.168.1.0/24 to any -> 192.168.2.1 
nat on eth3 proto {tcp udp icmp} from 192.168.1.0/24 to any -> 22.22.23.23 
# 
# Rule  4 (NAT)
nat on eth1 proto {tcp udp icmp} from 192.168.1.0/24 to any -> 22.22.22.22 
nat on eth3 proto {tcp udp icmp} from 192.168.1.0/24 to any -> 22.22.23.23 
# 
# Rule  5 (NAT)
# more examples
# of NAT rules with
# multiple objects in TSrc
# in firewall3
nat proto {tcp udp icmp} from 192.168.1.0/24 to any -> { 22.22.22.50 , 22.22.22.51 } 
# 
# Rule  6 (NAT)
nat on eth0 proto {tcp udp icmp} from 192.168.1.0/24 to ! 192.168.2.0/24 -> 192.168.1.1 
nat on eth1 proto {tcp udp icmp} from 192.168.1.0/24 to ! 192.168.2.0/24 -> 22.22.22.22 
nat on eth2 proto {tcp udp icmp} from 192.168.1.0/24 to ! 192.168.2.0/24 -> 192.168.2.1 
nat on eth3 proto {tcp udp icmp} from 192.168.1.0/24 to ! 192.168.2.0/24 -> 22.22.23.23 
# 
# Rule  7 (NAT)
nat on eth0 proto {tcp udp icmp} from 192.168.1.0/24 to ! <tbl.r7> -> 192.168.1.1 
nat on eth1 proto {tcp udp icmp} from 192.168.1.0/24 to ! <tbl.r7> -> 22.22.22.22 
nat on eth2 proto {tcp udp icmp} from 192.168.1.0/24 to ! <tbl.r7> -> 192.168.2.1 
nat on eth3 proto {tcp udp icmp} from 192.168.1.0/24 to ! <tbl.r7> -> 22.22.23.23 
# 
# Rule  8 (NAT)
nat on eth0 proto {tcp udp icmp} from ! 192.168.2.0/24 to any -> 192.168.1.1 
nat on eth1 proto {tcp udp icmp} from ! 192.168.2.0/24 to any -> 22.22.22.22 
nat on eth2 proto {tcp udp icmp} from ! 192.168.2.0/24 to any -> 192.168.2.1 
nat on eth3 proto {tcp udp icmp} from ! 192.168.2.0/24 to any -> 22.22.23.23 
# 
# Rule  9 (NAT)
rdr proto tcp from 192.168.1.0/24 to ! <tbl.r9> port 80 -> 127.0.0.1 port 3128 
# 
# Rule  10 (NAT)
rdr proto tcp from 192.168.1.0/24 to ! 192.168.1.1 port 80 -> 127.0.0.1 port 3128 
# 
# Rule  11 (NAT)
rdr proto tcp from <tbl.r11> to ! <tbl.r7> port 80 -> 127.0.0.1 port 3128 
# 
# Rule  12 (NAT)
rdr proto tcp from 192.168.1.0/24 to ! <tbl.r7> port 80 -> 127.0.0.1 port 3128 
rdr proto tcp from 192.168.1.0/24 to ! <tbl.r7> port 81 -> 127.0.0.1 port 3128 
# 
# Rule  13 (NAT)
rdr proto tcp from 192.168.1.0/24 to ! <tbl.r7> port 80 -> 192.168.2.200 port 3128 
rdr proto tcp from 192.168.1.0/24 to ! <tbl.r7> port 81 -> 192.168.2.200 port 3128 
# 
# Rule  14 (NAT)
rdr proto tcp from ! <tbl.r11> to <tbl.r7> port 80 -> 127.0.0.1 port 3128 
# 
# Rule  15 (NAT)
rdr proto tcp from ! 192.168.1.10 to any port 80 -> 127.0.0.1 port 3128 
# 
# Rule  16 (NAT)
rdr on eth1 proto tcp from <tbl.r16> to 22.22.22.22 port 80 -> 192.168.1.10 port 80 

# Policy compiler errors and warnings:
# firewall1:Policy:10: warning: Changing rule direction due to self reference
# firewall1:Policy:18: warning: Changing rule direction due to self reference
# 
# Rule  0 (eth0)
block  log  quick on eth0 inet proto icmp  from <tbl.r0.s>  to ! <tbl.r0.s> 
block  log  quick on eth0 inet proto 50  from <tbl.r0.s>  to ! <tbl.r0.s> 
# 
# Rule  1 (eth0)
block  quick on eth0 inet proto icmp  from <tbl.r11>  to ! <tbl.r11> 
block  quick on eth0 inet proto 50  from <tbl.r11>  to ! <tbl.r11> 
# 
# Rule  2 (eth1)
# Anti-spoofing rule
block in   log  quick on eth1 inet  from <tbl.r9>  to any 
block in   log  quick on eth1 inet  from 192.168.1.0/24  to any 
# 
# Rule  3 (eth1)
# Anti-spoofing rule
block out  log  quick on eth1 inet  from ! 192.168.1.0/24  to any 
# 
# Rule  4 (eth1)
# testing rule shading: this rule is not
# shaded by rule #1
pass in   quick on eth1 inet proto icmp  from any  to any icmp-type 8 code 0  keep state 
# 
# Rule  5 (global)
block  log  quick inet proto tcp  from any  to any flags S/UAPRSF 
# 
# Rule  7 (global)
# hostF has the same IP address as firewal.
pass  log  quick inet proto icmp  from any  to 192.168.1.1 icmp-type 8 code 0  keep state 
# 
# Rule  8 (global)
# testing negation in the policy rule
block  log  quick inet proto icmp  from ! 192.168.1.10  to any icmp-type 3  
# 
# Rule  9 (global)
# testing negation in the policy rule
block  log  quick inet proto icmp  from ! <tbl.r11>  to any icmp-type 3  
# 
# Rule  10 (global)
# this rule is shaded by rule above.
# firewall1:Policy:10: warning: Changing rule direction due to self reference
block in   log  quick inet proto icmp  from ! <tbl.r11>  to <tbl.r9> icmp-type 3  
# 
# Rule  11 (global)
# this rule shades rule below
block  log  quick inet  from ! <tbl.r11.s>  to 192.168.1.0/24 
# 
# Rule  12 (global)
block  log  quick inet  from <tbl.r7>  to ! <tbl.r11> 
# 
# Rule  13 (global)
# testing negation in the policy rule
block return-icmp    log  quick inet  from 192.168.1.10  to any 
# 
# Rule  16 (global)
block  log  quick inet proto icmp  from <tbl.r0.s>  to ! <tbl.r0.s> 
block  log  quick inet proto 50  from <tbl.r0.s>  to ! <tbl.r0.s> 
# 
# Rule  17 (global)
# 'masquerading' rule
pass  quick inet  from 192.168.1.0/24  to any keep state 
# 
# Rule  18 (global)
# firewall1:Policy:18: warning: Changing rule direction due to self reference
pass in   quick inet proto tcp  from any  to <tbl.r9> port 3128 keep state 
# 
# Rule  19 (eth0)
# rule from http://www.benzedrine.cx/transquid.html
# Used to permit connections to transparent 
# squid proxy. Should be "in $int_if" but destination 
# is loopback interface
pass in   quick on eth0 inet proto tcp  from any  to 127.0.0.1 port 3128 keep state 
# 
# Rule  20 (global)
# 'catch all' rule
block  log  quick inet  from any  to any 
# 
# Rule  fallback rule
#    fallback rule 
block  quick inet  from any  to any