Date: Fri, 24 Aug 2018 22:24:52 +0000
From: William Moreno <wmoreno3@hotmail.com>
To: "freebsd-questions@FreeBSD.org" <freebsd-questions@FreeBSD.org>
Subject: 30.3. PF Revised and updated by John Ferrell.
Message-ID: <DM5PR19MB005703A39FED7B2A3EF8FB489F360@DM5PR19MB0057.namprd19.prod.outlook.com>
https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-pf.html

30.3.3.1. A Simple Gateway with NAT

pass in on xl1 from xl1:network to xl0:network port $ports keep state
pass out on xl0 from xl1:network to xl0:network port $ports keep state
pass from $localnet to any port $ports keep state

Please explain to me: how do I implement "xl1:network - xl0:network - $localnet"?

I tried different forms but with negative results; maybe your commands are deprecated. Am I ready?

The following configuration is ready and the test was OK on my FreeBSD 11.2 server.

root@server:~ # cat /etc/pf.conf
# $FreeBSD: releng/11.2/share/examples/pf/pf.conf 293862 2016-01-14 01:32:17Z kevlo $
# $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $
#
# See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
# Remember to set gateway_enable="YES" and/or ipv6_gateway_enable="YES"
# in /etc/rc.conf if packets are to be forwarded between interfaces.

ext_if="igb0"
int_if="igb1"

table <spamd-white> persist

set skip on lo

scrub in

#nat-anchor "ftp-proxy/*"
#rdr-anchor "ftp-proxy/*"
nat on $ext_if inet from !($ext_if) -> ($ext_if:0)
#rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
no rdr on $ext_if proto tcp from <spamd-white> to any port smtp
#rdr pass on $ext_if proto tcp from any to any port smtp \
#	-> 127.0.0.1 port spamd

#anchor "ftp-proxy/*"
block in
pass out

pass quick on $int_if no state
antispoof quick for { lo $int_if }

#pass in on $ext_if proto tcp to ($ext_if) port ssh
pass in on $ext_if proto tcp to ($ext_if) port 38422
#pass in log on $ext_if proto tcp to ($ext_if) port smtp
#pass out log on $ext_if proto tcp from ($ext_if) to port smtp
pass in on $ext_if inet proto icmp from any to ($ext_if) icmp-type { unreach, redir, timex }

root@server:~ # pfctl -vnf /etc/pf.conf
ext_if = "igb0"
int_if = "igb1"
table <spamd-white> persist
set skip on { lo }
scrub in all fragment reassemble
nat on igb0 inet from ! (igb0) to any -> (igb0:0)
no rdr on igb0 proto tcp from <spamd-white> to any port = smtp
block drop in all
pass out all flags S/SA keep state
pass quick on igb1 all no state
block drop in quick on ! lo inet6 from ::1 to any
block drop in quick on ! lo inet from 127.0.0.0/8 to any
block drop in quick inet from 127.0.0.1 to any
block drop in quick on ! igb1 inet from 192.168.1.0/24 to any
block drop in quick inet from 192.168.1.1 to any
block drop in quick inet6 from ::1 to any
block drop in quick on lo0 inet6 from fe80::1 to any
pass in on igb0 inet proto icmp from any to (igb0) icmp-type unreach keep state
pass in on igb0 inet proto icmp from any to (igb0) icmp-type redir keep state
pass in on igb0 inet proto icmp from any to (igb0) icmp-type timex keep state
pass in on igb0 proto tcp from any to (igb0) port = 38422 flags S/SA keep state
root@server:~ #

Thanks,
William Moreno

Sent from Mail<https://go.microsoft.com/fwlink/?LinkId=550986> for Windows 10
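As an added example (not part of William's post, the Handbook, or the FreeBSD pf.conf sample), here is the Handbook's gateway ruleset written against the igb0/igb1 interface names used above; the service lists and the use of port 38422 for administration are assumptions.

```pf
# Added example: Handbook-style "simple gateway with NAT" on igb0/igb1.
# Interface names and the service lists below are assumptions.
ext_if = "igb0"
int_if = "igb1"

# Services hosts on the LAN may reach through the gateway.
tcp_services = "{ ssh, domain, www, https }"
udp_services = "{ domain, ntp }"

# $int_if:network is expanded by pfctl when the ruleset is loaded into the
# subnet configured on igb1 (192.168.1.0/24 in the post above), so no LAN
# address is hard-coded. ($ext_if) in parentheses is re-evaluated on every
# match, which is what you want when the external address comes from DHCP.
localnet = $int_if:network

set skip on lo
scrub in all

# Hide LAN sources behind the first address on the external interface.
nat on $ext_if inet from $localnet to any -> ($ext_if:0)

# Default deny inbound; drop packets claiming LAN or loopback sources on
# any other interface.
block in all
antispoof quick for { lo $int_if }

# LAN to anywhere, for the listed services only; replies return via state.
pass in on $int_if inet proto tcp from $localnet to any port $tcp_services keep state
pass in on $int_if inet proto udp from $localnet to any port $udp_services keep state
pass out on $ext_if inet keep state

# Administrative SSH on the non-default port from the post, plus the ICMP
# types needed for PMTU discovery and error reporting.
pass in on $ext_if inet proto tcp to ($ext_if) port 38422 keep state
pass in on $ext_if inet proto icmp from any to ($ext_if) icmp-type { unreach, redir, timex }
```

Check it the same way as in the post, with pfctl -vnf /etc/pf.conf: the -v output prints each rule after expansion, so you can see the actual subnet that $int_if:network resolved to before loading it.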