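### screenednet.pf.conf -- firewall script for a firewall/NAT box protecting a local net that doesn't offer
### any services to the outside world (a typical private LAN at home)
### template by sp1r1t
###
### Check the syntax before loading: `pfctl -nf screenednet.pf.conf`, then
### load with `pfctl -f screenednet.pf.conf`. Remember that pf evaluates
### filter rules last-match-wins unless a rule carries `quick`.

#################################################
# macro definitions - adapt these to your needs #
#################################################
### interface on this box that has a public IP and connects to the internet
ext_if = "rl0"
### the interface that connects the box with the LAN and has a private IP
int_if = "rl1"
### IP addresses of hosts on our LAN. The table name did not survive the
### extraction of this file; <lan> is used consistently below. Rename it if
### you like, but keep the same name in every rule that references it.
table <lan> persist { 192.168.0.0/24 }

###########
# options #
###########
# rules in this file should be in standard pf order
set require-order yes
### silently drop packets we don't want, don't even
### tell the sender they were blocked
set block-policy drop
### let pf(4) optimize the rules for speed
set optimization normal
### we don't want a log-only interface
set loginterface none

##################################
# packet normalisation via scrub #
##################################
### we want packets to be clean: reassemble fragments and normalise
### ambiguous header fields before any rule or state lookup sees them
scrub in all
### this is also true for outgoing ones
scrub out all

#####################################
# network address translation (NAT) #
#####################################
### remove comments before the following rules to allow inbound ssh connections
### to your network and redirect them to the correct IP and port of the ssh server.
### The rdr rule alone is NOT enough: `block in log all` below still drops the
### redirected packets, so the matching `pass in` rule at the end of the filter
### section must be uncommented as well. Also consider narrowing `from any`
### to the networks you actually administer from.
# ssh_ip = "192.168.0.22"
# ssh_port = "22"
#
# rdr on $ext_if inet proto tcp from any to $ext_if port 22 -> $ssh_ip port $ssh_port

### do NAT on the external interface. Only TCP and UDP are translated, so
### ICMP originating on the LAN (ping, traceroute) leaves with a private
### source address and is dropped upstream; remove `proto {tcp, udp}` if
### LAN hosts should be able to ping out.
nat on $ext_if inet proto {tcp, udp} from <lan> to any -> ($ext_if)

##########################
# packet filtering rules #
##########################
### we do not like spoofed packets. antispoof expands to `block in` rules, so
### it has to run before -- and be `quick`, like -- the `pass in quick` rule
### for the LAN below; otherwise a packet arriving on $int_if that claims the
### firewall's own address is passed before antispoof ever sees it.
### The interface addresses are expanded when the ruleset is loaded; if
### $ext_if gets its address via DHCP/PPP, reload the ruleset after a change
### (older pf releases do not track this on their own).
antispoof log quick for $ext_if
antispoof log quick for $int_if

### block all inbound connections and log them (default deny for packets
### entering the box on any interface; outbound traffic is not filtered here)
block in log all

### allow outbound connections from the firewall itself. Filter rules on
### $ext_if see the packet after NAT, so both the firewall's own traffic and
### the translated LAN traffic carry $ext_if's address, never $int_if's.
### `flags S/SA keep state` creates state only on the initial SYN for TCP.
### (The template also had a second `pass out ... synproxy state` rule using
### an undefined `$my_if` macro, which pfctl refuses to load; synproxy exists
### to shield a *passive* endpoint such as a server and adds nothing to the
### firewall's own outgoing connections, so it was dropped.)
pass out on $ext_if inet from ($ext_if) to any flags S/SA keep state

### allow outbound connection from the LAN hosts
pass in quick on $int_if from <lan> to any flags S/SA keep state

### uncomment together with the ssh rdr rule above. rdr rewrites the
### destination before filtering, so the pass rule matches the internal
### address. `synproxy state` makes pf complete the TCP handshake itself
### before anything reaches the ssh server, which shields it from SYN floods.
# pass in on $ext_if inet proto tcp from any to $ssh_ip port $ssh_port flags S/SA synproxy state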