onkelbeh/fwbuilder
1
0
Fork 0
mirror of https://github.com/fwbuilder/fwbuilder synced 2026-03-20 18:27:16 +01:00
Code Issues Releases Wiki Activity
fwbuilder/test/pf/firewall34.conf.orig
Vadim Kurland 344a22feed see #2524 'avoid " {tcp udp icmp} " in place of protocol'. NAT 
compiler for PF does not need to generate protocol match "proto {tcp
udp icmp}" when service object used in the NAT rule is "any". The
reason this was done this way is lost in the mist of time; it's been
like this since very early versions of fwbuilder.
2011-06-22 11:03:07 -07:00

76 lines
2.9 KiB
Plaintext
Raw Blame History

# Tables: (4)
table <block these> persist file "block-hosts.tbl"
table <spammers> persist
table <tbl.r0.d> { 192.168.1.1 , 192.168.1.2 , 192.168.1.3/30 , 192.168.1.200 , 192.168.1.201 , 192.168.2.128/25 }
table <tbl.r1> { 7.7.7.7 , 61.150.47.112 , 192.168.1.1 , 192.168.1.2 , 192.168.1.3/30 , 192.168.1.200 , 192.168.1.201 , 192.168.2.128/25 }
#
# Rule 0 (NAT)
rdr on eth0.100 proto tcp from ! <block these> to (eth0.100) port 25 -> 192.168.1.10 port 25
#
# Rule 1 (NAT)
rdr on eth0.100 proto tcp from <block these> to (eth0.100) port 25 -> 192.168.1.10 port 25
rdr on eth0.100 proto tcp from <tbl.r1> to (eth0.100) port 25 -> 192.168.1.10 port 25
#
# Rule 2 (NAT)
nat on eth0.100 from 192.168.1.0/24 to ! <block these> -> (eth0.100)
#
# Rule 3 (NAT)
rdr proto tcp from any to (eth0.100) port 25 -> { 192.168.1.1 , 192.168.1.2 , 192.168.1.200 , 192.168.1.201 , 192.168.1.3/30 , 192.168.2.128/25 } port 25
#
# Rule 4 (NAT)
rdr from any to (eth0.100) -> { 192.168.1.1 , 192.168.1.2 , 192.168.1.200 , 192.168.1.201 , 192.168.1.3/30 , 192.168.2.128/25 }
#
# Rule 5 (NAT)
no nat from 192.168.1.0/24 to <block these>
no rdr from 192.168.1.0/24 to <block these>
#
# Rule 6 (NAT)
rdr from 192.168.1.0/24 to <block these> -> (lo)
#
# Rule 0 (global)
pass quick inet from any to <tbl.r0.d> keep state label "RULE 0 -- ACCEPT on global "
#
# Rule 1 (global)
block log quick inet from any to <block these> label "RULE 1 -- DROP on global "
#
# Rule 2 (global)
block log quick inet from any to <block these> label "RULE 2 -- DROP on global "
block log quick inet from any to <tbl.r1> label "RULE 2 -- DROP on global "
#
# Rule 3 (global)
block log quick inet from any to <tbl.r0.d> label "RULE 3 -- DROP on global "
#
# Rule 4 (global)
block log quick inet from <spammers> to any label "RULE 4 -- DROP on global "
#
# Rule 5 (global)
block quick inet proto tcp from any to <block these> port 25 label "RULE 5 -- DROP on global "
block quick inet proto tcp from any to 61.150.47.112 port 25 label "RULE 5 -- DROP on global "
#
# Rule 6 (global)
block log quick inet from <block these> to any label "RULE 6 -- DROP on global "
#
# Rule 7 (global)
block log quick inet from <block these> to any label "RULE 7 -- DROP on global "
block log quick inet from 61.150.47.112 to any label "RULE 7 -- DROP on global "
#
# Rule 9 (global)
pass quick inet proto tcp from any to 192.168.1.10 port 25 keep state ( max-src-conn 5, overload <spammers> flush global ) label "RULE 9 -- ACCEPT on global "
#
# Rule 10 (global)
pass quick inet from 192.168.1.0/24 to any keep state label "RULE 10 -- ACCEPT on global "
#
# Rule 11 (global)
block log quick inet from any to any label "RULE 11 -- DROP on global "
#
# Rule fallback rule
# fallback rule
block quick inet from any to any label "RULE 10000 -- DROP on global "
Reference in New Issue View Git Blame Copy Permalink