## TRAFFIC NORMALIZATION
scrub in all

# For NFS
scrub in on $int_if all no-df
scrub out on $int_if all no-df


## QUEUEING: rule-based bandwidth control.

altq on $ext_if priq bandwidth 32Kb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 1 priq(default)


## TRANSLATION RULES (NAT)
nat on $ext_if from $int_net to any -> ($ext_if)

# Redirect rules
# ftp-proxy
rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021

# forward www to erwin
rdr on $ext_if proto { tcp, udp } to $ext_if port www -> 192.168.100.10 port www

# p2p rules - need to check
rdr on $ext_if proto { tcp, udp } to port 1205 -> 192.168.100.10 port 1205
rdr on $ext_if proto { tcp, udp } to port 1424 -> 192.168.100.10 port 1424
rdr on $ext_if proto tcp to port 4662 -> 192.168.100.99 port 4662
rdr on $ext_if proto udp to port 4672 -> 192.168.100.99 port 4672
rdr on $ext_if proto tcp to port 4711 -> 192.168.100.99 port 4711

## FILTER RULES
# pf is a LAST MATCH WINS filter

# Block everything (inbound AND outbound on ALL interfaces)
# by default (catch-all)
block all

# Allow the local interface to talk unrestricted
pass quick on lo0 all

# Disallow RFC1918 addresses on the external interface
block drop in quick on $ext_if from $PrivNets to any

# Block Netbios.
block in log quick on { $int_if, $ext_if } proto { tcp, udp } from any to any port $NetBios

# Allow tcp, udp, and icmp out on the external interface.
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

# Allow ping from inside the firewall to the internet (and replies)
pass out inet proto icmp all icmp-type echoreq keep state

# Allow return packets from connections we initiate
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

# Allow ssh to firewall
pass in log quick on $ext_if proto tcp from any to $ext_if port ssh

# Allow ntp
#pass in quick on $ext_if proto { tcp, udp } from any to $ext_if port ntp keep state

# Allow www
pass in on $ext_if proto tcp from any to $int_net port www keep state

# Allow eMule
pass in on $ext_if proto tcp from any to $int_net port 4662 modulate state
pass in on $ext_if proto udp from any to $int_net port 4672 keep state

# Allow kazaa
pass in on $ext_if proto { tcp, udp } from any to $int_net port 1205 keep state

# Allow Direct Connect
pass in on $ext_if proto { tcp, udp } from any to $int_net port 1424 keep state

# RealAudio
pass out on $ext_if inet proto tcp from any to any port $RealAudio flags S/SA modulate state

# Use the queues defined earlier
pass out on $ext_if proto { tcp , udp } from $ext_if to any flags S/SA keep state queue (q_def, q_pri)
pass in on $ext_if proto { tcp , udp } from any to $ext_if flags S/SA keep state queue (q_def, q_pri)
[/code:1:868dd1c955]

Can anyone tell me why I can't ssh into this box? As far as I can see, I have explicitly allowed ssh from the internet to the box.

cheers,
bsdjunkie
February 16th, 2004, 12:52
# Allow ssh to firewall
pass in log quick on $ext_if proto tcp from any to $ext_if port ssh


Try

pass in log quick on $ext_if proto tcp from any to ($ext_if) port 22 flags S/SAFR keep state

Loop
February 17th, 2004, 06:23
Try

pass in log quick on $ext_if proto tcp from any to ($ext_if) port 22 flags S/SAFR keep state

Nope, that didn't fly; for some reason pf threw this error:
<loop@doorbitch:/home/loop>$ sudo pfctl -f /etc/pf.conf
/etc/pf.conf:89: dynamic addresses require address family (inet/inet6)
/etc/pf.conf:89: skipping rule due to errors
/etc/pf.conf:89: rule expands to no valid combination
pfctl: Syntax error in config file: pf rules not loaded

What it did like was:
pass in log quick on $ext_if inet proto tcp from any to ($ext_if) port ssh flags S/SAFR keep state

I would have thought that the address family was optional, not mandatory. From the manpage of pf.conf:
<af> This rule applies only to packets of this address family. Supported values are inet and inet6.

Oh well, I'll see tomorrow if it works - don't have a jump point that I can access from to try it with at the moment.

bsdjunkie
February 17th, 2004, 10:07
That's strange, that's the exact rule I have in my pf.conf and it works fine...

Loop
February 17th, 2004, 19:42
Yeah, it worked once for me, and hasn't since ...

Loop
February 18th, 2004, 06:44
Well, it's working now, so thanks for that bsdjunkie!
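The two pitfalls this thread turned on, as a small checker added here (not code from the thread or from the pf project): a stateless "pass in" rule only admits the inbound packet, so the SYN/ACK that sshd sends back is judged by the out rules, and the only tcp out rule on $ext_if above requires flags S/SA, which a SYN/ACK cannot satisfy, so it falls through to "block all"; and a dynamic interface address written as ($ext_if) is rejected by pfctl unless the rule names inet or inet6. The sample rules below are constructed from the thread, and the function and regex names are this example's own.

```python
import re

# Constructed sample modelled on the rules posted in the thread, not the full pf.conf.
SAMPLE_PF_CONF = """\
block all
pass out on $ext_if proto tcp all modulate state flags S/SA
# Allow ssh to firewall
pass in log quick on $ext_if proto tcp from any to $ext_if port ssh
pass in log quick on $ext_if proto tcp from any to ($ext_if) port 22 flags S/SAFR keep state
pass in log quick on $ext_if inet proto tcp from any to ($ext_if) port ssh flags S/SAFR keep state
"""

STATE_RE = re.compile(r"\b(keep|modulate|synproxy) state\b")
# ($ext_if) or (fxp0): a dynamic interface address; lookbehind skips priq(default).
DYNAMIC_RE = re.compile(r"(?<!\w)\(\s*\$?\w+\s*\)")
AF_RE = re.compile(r"\binet6?\b")


def lint_pf(conf):
    """Return (line_number, message) pairs for rules that hit either pitfall."""
    findings = []
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        words = line.split()
        if words[:2] == ["pass", "in"] and not STATE_RE.search(line):
            findings.append((lineno, "stateless 'pass in': the reply packets are judged "
                                     "by the out rules and the catch-all block, not by this rule"))
        if DYNAMIC_RE.search(line) and not AF_RE.search(line):
            findings.append((lineno, "dynamic address without inet/inet6: pfctl refuses "
                                     "to load this rule"))
    return findings


if __name__ == "__main__":
    for lineno, message in lint_pf(SAMPLE_PF_CONF):
        print(f"line {lineno}: {message}")
```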