onkelbeh/fwbuilder
1
0
Fork 0
mirror of https://github.com/fwbuilder/fwbuilder synced 2026-03-19 17:57:22 +01:00
Code Issues Releases Wiki Activity
fwbuilder/test/pf/firewall2.conf.orig
Vadim Kurland db9584cab5 fixes #2214
2011-03-11 10:40:40 -08:00

219 lines
7.7 KiB
Plaintext
Raw Blame History

set limit { frags 5000, states 10000 }
set optimization aggressive
set timeout tcp.first 5
set timeout tcp.opening 5
set timeout tcp.established 10
#
# Prolog script
#
# prolog
# prolog commands go after set commands
#
# End of prolog script
#
#
# Scrub rules
#
scrub in all fragment reassemble no-df
scrub out all random-id min-ttl 32 max-mss 1460
# Tables: (5)
table <tbl.r1> { 192.168.1.10 , 192.168.1.20 }
table <tbl.r12.d> { 22.22.22.22 , 22.22.23.23 , 127.0.0.1 , 192.168.1.1 , 192.168.2.1 }
table <tbl.r16> { 22.22.22.22 , 22.22.23.23 , 192.168.1.1 , 192.168.2.1 }
table <tbl.r29> { 192.168.1.0/24 , 192.168.2.0/24 }
table <tbl.r5.s> { 22.22.22.22 , 22.22.23.23 , 192.168.1.0/24 , 192.168.1.1 , 192.168.2.1 }
#
# Rule 0 (NAT)
nat on eth0 proto {tcp udp icmp} from 192.168.1.0/24 to any -> 192.168.1.1
nat on eth1 proto {tcp udp icmp} from 192.168.1.0/24 to any -> 22.22.22.22
nat on eth3 proto {tcp udp icmp} from 192.168.1.0/24 to any -> 22.22.23.23
nat on eth2 proto {tcp udp icmp} from 192.168.1.0/24 to any -> 192.168.2.1
#
# Rule 1 (NAT)
nat proto {tcp udp icmp} from <tbl.r1> to any -> 22.22.22.23
#
# Rule 2 (NAT)
nat proto {tcp udp icmp} from 192.168.1.0/24 to <tbl.r1> -> 192.168.1.1
#
# Rule 3 (NAT)
nat on eth0 proto tcp from 192.168.1.0/24 to any port 80 -> 192.168.1.1
nat on eth1 proto tcp from 192.168.1.0/24 to any port 80 -> 22.22.22.22
nat on eth3 proto tcp from 192.168.1.0/24 to any port 80 -> 22.22.23.23
nat on eth2 proto tcp from 192.168.1.0/24 to any port 80 -> 192.168.2.1
#
# Rule 4 (NAT)
nat proto tcp from <tbl.r1> to any port 80 -> 22.22.22.23
#
# Rule 5 (NAT)
nat proto tcp from 192.168.1.0/24 to <tbl.r1> port 80 -> 192.168.1.1
#
# Rule 6 (NAT)
nat on eth0 proto 47 from 192.168.1.0/24 to any -> 192.168.1.1
nat on eth1 proto 47 from 192.168.1.0/24 to any -> 22.22.22.22
nat on eth3 proto 47 from 192.168.1.0/24 to any -> 22.22.23.23
nat on eth2 proto 47 from 192.168.1.0/24 to any -> 192.168.2.1
#
# Rule 7 (NAT)
nat proto icmp from <tbl.r1> to any -> 22.22.22.23
#
# Rule 8 (NAT)
nat proto udp from 192.168.1.0/24 to <tbl.r1> port 53 -> 192.168.1.1
#
# Rule 9 (NAT)
rdr proto {tcp udp icmp} from any to 22.22.22.23 -> 192.168.1.10
#
# Rule 10 (NAT)
rdr proto tcp from any to 22.22.22.23 port 80 -> 192.168.1.10 port 80
rdr proto tcp from any to 22.22.22.23 port 119 -> 192.168.1.10 port 119
#
# Rule 11 (NAT)
rdr proto tcp from any to 22.22.22.22 port 119 -> 192.168.1.10 port 119
#
# Rule 12 (NAT)
nat proto {tcp udp icmp} from 192.168.1.20 to any -> 22.22.23.24
#
# Rule 16 (NAT)
rdr proto {tcp udp icmp} from any to <tbl.r16> -> 192.168.1.10
#
# Rule 17 (NAT)
rdr on eth1 proto {tcp udp icmp} from any to 22.22.22.22 -> 192.168.1.10
#
# Rule 18 (NAT)
rdr on eth1 proto {tcp udp icmp} from any to 22.22.22.22 -> 192.168.1.10
#
# Rule 19 (NAT)
rdr proto 47 from any to <tbl.r16> -> 192.168.1.10
#
# Rule 20 (NAT)
rdr proto tcp from any to <tbl.r16> port 10000:11000 -> 192.168.1.10 port 10000:*
#
# Rule 21 (NAT)
rdr on eth1 proto tcp from any to 22.22.22.22 port 10000:11000 -> 192.168.1.10 port 10000:*
#
# Rule 22 (NAT)
rdr on eth1 proto tcp from any to 22.22.22.22 port 10000:11000 -> 192.168.1.10 port 10000:*
#
# Rule 23 (NAT)
rdr on eth1 proto tcp from any to 22.22.22.22 port 10000:11000 -> 192.168.1.10 port 10000:*
nat on eth0 proto tcp from any to 192.168.1.10 port 10000:11000 -> 192.168.1.1
#
# Rule 24 (NAT)
rdr proto tcp from any to 22.22.22.23 port 80 -> 192.168.1.10 port 25
#
# Rule 25 (NAT)
rdr proto tcp from 192.168.1.0/24 to any port 80 -> 127.0.0.1 port 80
#
# Rule 26 (NAT)
rdr proto tcp from 192.168.1.0/24 to any port 80 -> 192.168.1.1 port 80
#
# Rule 27 (NAT)
rdr proto tcp from any to <tbl.r16> port 1080 -> 127.0.0.1 port 80
#
# Rule 28 (NAT)
# SF bug 3162862
rdr proto tcp from 192.168.1.0/24 to ! 192.168.1.0/24 port 80 -> 192.168.1.10 port 10000:*
#
# Rule 29 (NAT)
# SF bug 3162862
rdr proto tcp from 192.168.1.0/24 to ! <tbl.r29> port 80 -> 192.168.1.10 port 10000:*
#
# Rule 30 (NAT)
# SF bug 3162862
rdr proto tcp from 192.168.1.0/24 to ! <tbl.r29> port 80 -> 127.0.0.1 port 10000:*
#
# Rule 31 (NAT)
# for bug 1111267: this custom service object has
# "proto ..." in the protocol string, compiler can put
# it in generated nat command in the right place.
nat on eth1 proto {tcp udp icmp gre} from 192.168.1.0/24 to any -> 22.22.22.22
#
# Rule 32 (NAT)
# for bug 1111267: this custom service object
# has "proto .." in the code string but we can't insert
# it in the generated nat command b/c it would appear
# in the wrong place, after "from".
nat on eth1 from 192.168.1.0/24 to any -> 22.22.22.22
#
# Rule 33 (NAT)
nat on eth1 proto 47 from 192.168.1.0/24 to any -> 22.22.22.22
nat on eth1 proto icmp from 192.168.1.0/24 to any -> 22.22.22.22
nat on eth1 proto tcp from 192.168.1.0/24 to any -> 22.22.22.22
nat on eth1 proto udp from 192.168.1.0/24 to any -> 22.22.22.22
# Policy compiler errors and warnings:
# firewall2:Policy:12: warning: Changing rule direction due to self reference
#
# Rule backup ssh access rule
# backup ssh access rule
pass in quick inet proto tcp from 192.168.1.100 to <tbl.r16> port 22 keep state label "RULE -1 - ACCEPT **"
#
# Rule 0 (eth0)
block in log quick on eth0 inet from ! 192.168.1.0/24 to any label "RULE 0 - DROP **"
#
# Rule 1 (eth1)
# Anti-spoofing rule
block in log quick on eth1 inet from <tbl.r16> to any label "Iface: eth1 RULE 1 -- DROP **"
block in log quick on eth1 inet from 192.168.1.0/24 to any label "Iface: eth1 RULE 1 -- DROP **"
#
# Rule 2 (f2i1,3)
# rules 2,3,4 test group
# usage in interface
# all three rules should yield
# the same config
block in log quick on { eth1 eth3 } inet from <tbl.r16> to any label "Iface: eth1 eth3 RULE 2 -- DROP **"
block in log quick on { eth1 eth3 } inet from 192.168.1.0/24 to any label "Iface: eth1 eth3 RULE 2 -- DROP **"
#
# Rule 3 (f2i1,eth3)
# Anti-spoofing rule
block in log quick on { eth1 eth3 } inet from <tbl.r16> to any label "Iface: eth1 eth3 RULE 3 -- DROP **"
block in log quick on { eth1 eth3 } inet from 192.168.1.0/24 to any label "Iface: eth1 eth3 RULE 3 -- DROP **"
#
# Rule 4 (eth1,eth3)
# Anti-spoofing rule
block in log quick on { eth1 eth3 } inet from <tbl.r16> to any label "Iface: eth1 eth3 RULE 4 -- DROP **"
block in log quick on { eth1 eth3 } inet from 192.168.1.0/24 to any label "Iface: eth1 eth3 RULE 4 -- DROP **"
#
# Rule 5 (eth1)
# Anti-spoofing rule
block out log quick on eth1 inet from ! <tbl.r5.s> to any label "Iface: eth1 RULE 5 -- DROP **"
#
# Rule 6 (global)
# block fragments
block log quick inet from any to any fragment label "RULE 6 - DROP **"
#
# Rule 7 (global)
# sends TCP RST and makes custom record in the log
block return-rst log quick inet proto tcp from any to any port 113 label "IDENT"
#
# Rule 8 (global)
pass quick inet from <tbl.r1> to 200.200.200.200 keep state label "RULE 8 - ACCEPT **"
#
# Rule 9 (global)
pass quick inet from 200.200.200.200 to <tbl.r1> keep state label "RULE 9 - ACCEPT **"
#
# Rule 10 (global)
# 'masquerading' rule
pass quick inet from 192.168.1.0/24 to any keep state label "RULE 10 - ACCEPT **"
#
# Rule 12 (global)
# firewall2:Policy:12: warning: Changing rule direction due to self reference
pass in quick inet proto tcp from any to <tbl.r12.d> port { 21, 80, 25 } keep state label "RULE 12 - ACCEPT **"
pass quick inet proto tcp from any to 192.168.1.10 port { 21, 80, 25 } keep state label "RULE 12 - ACCEPT **"
#
# Rule 13 (global)
# 'catch all' rule
block log quick inet from any to any label "RULE 13 - DROP **"
#
# Rule fallback rule
# fallback rule
block quick inet from any to any label "RULE 10000 - DROP **"
Reference in New Issue View Git Blame Copy Permalink