On Fri, 20 Nov 2015 16:18:10 +0100 Kristof Provost <k...@freebsd.org> wrote:
> Can you post your pf rules too?

Sure, pf.conf attached.

-- Dan
# macros
int_if="re1"
ext_if="re0"
vpn_if="tap0"
ext_addr="82.x.y.50"
int_net="192.168.2.0/24"
vpn_net="{ 192.168.1.0/24, 192.168.4.0/24, 192.168.123.0/24 }"
priv_net="{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.1, 224.0.0.2, 224.0.0.4, 224.0.0.5, 224.0.0.6, 224.0.0.9, 224.0.0.13, 224.0.0.15 }"
webmail="192.168.2.5"
mailserver="192.168.2.15"
dnsserver="{ 192.168.2.0/28, 192.168.1.0/28 }"
switchboard="192.168.2.16"
camera="192.168.2.221"

# options
set skip on { lo0, $vpn_if }

# normalization
scrub in on $ext_if all fragment reassemble
scrub out on $ext_if random-id

# traffic control
altq on $ext_if bandwidth 8Mb cbq queue { ssh, vpn, mail, web, default }
queue vpn bandwidth 2Mb priority 5 cbq(borrow)
queue ssh bandwidth 1Mb priority 4 cbq(borrow)
queue web bandwidth 1Mb priority 3 cbq(borrow)
queue mail bandwidth 1Mb priority 2 cbq(borrow)
queue default bandwidth 2Mb priority 1 cbq(default, borrow)

# nat
# note: do not change source port for this specific sip communication
nat on $ext_if proto udp from $switchboard to 188.x.y.0/24 -> $ext_addr static-port
nat on $ext_if from $int_net to any -> $ext_addr
# inbound port forwards; each one needs a matching "pass in" rule below
rdr on $ext_if proto tcp from any to $ext_addr port { 25, 465, 587, 995 } -> $mailserver
rdr on $ext_if proto tcp from any to $ext_addr port { 443, 777, 5145 } -> $webmail
rdr on $ext_if proto tcp from any to $ext_addr port { 554, 6036 } -> $camera
rdr on $ext_if proto tcp from any to $ext_addr port 6543 -> $switchboard
rdr on $ext_if proto tcp from any to $ext_addr port 6992 -> $switchboard
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp from $int_net to any port 21 -> 127.0.0.1 port 8021

# firewall
block in log all

# inbound on the LAN side
pass in quick on $int_if inet proto carp
pass in quick on $int_if inet proto tcp from any to $mailserver port { 25, 465, 587, 10024 } keep state
block in log quick on $int_if inet proto tcp from any to any port { 25, 465, 587 }
pass in quick on $int_if inet proto { tcp, udp } from any to $dnsserver port 53 keep state
pass in quick on $int_if inet proto { tcp, udp } from $dnsserver to any port 53 keep state
block in log quick on $int_if inet proto { tcp, udp } from any to any port 53
pass in quick on $int_if inet from $int_net to any keep state
pass in quick on $int_if inet from $vpn_net to $int_net keep state
pass in quick on $int_if proto gre from $int_net to 82.x.y.22 keep state

# inbound on the external side
block in log quick on $ext_if from $priv_net to any
pass in quick on $ext_if inet proto icmp from any to $ext_addr
pass in quick on $ext_if inet proto udp from 82.x.y.62 to $ext_addr port 1194 keep state queue vpn
pass in quick on $ext_if inet proto tcp from any to $ext_addr port 22 keep state queue ssh
pass in quick on $ext_if inet proto tcp from any to $mailserver port { 25, 465, 587, 995 } keep state (source-track rule, max-src-conn 50) queue mail
pass in quick on $ext_if inet proto tcp from any to $webmail port { 443, 777, 5145 } keep state (source-track rule, max-src-conn 50) queue web
pass in quick on $ext_if inet proto tcp from any to $camera port { 554, 6036 } keep state
pass in quick on $ext_if inet proto tcp from any to $switchboard port { 6543, 6992 } keep state

# outbound
block out log all
block out log quick on $ext_if from any to $priv_net
block out log quick on $ext_if inet proto { tcp, udp } from any to any port 137:139
anchor "ftp-proxy/*"
pass out quick on $ext_if inet proto tcp from $mailserver to any keep state queue mail
pass out quick on $ext_if inet proto udp from $ext_addr to 82.x.y.62 port 1194 keep state queue vpn
pass out quick on { $ext_if, $int_if } inet from any to any keep state
_______________________________________________ freebsd-net@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
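One check worth running over a ruleset like Dan's: in pf, `rdr` only rewrites the destination address, so every forwarded port still has to be admitted by a `pass in` rule on the external interface that names the internal host (the `block in log all` default drops anything else). The script below is an added example, not code from this thread or from FreeBSD; it expands pf.conf macros and reports every `rdr` port for which no `pass in` rule on the same interface would admit the translated packet. The embedded pf.conf is constructed for the demo (addresses and names are modelled on the ruleset above, but the camera forward for port 6036 is deliberately left without a pass rule so the gap is visible); `rdr pass` lines, which pass their own traffic, and anchors are skipped.

```python
"""Cross-check pf rdr forwards against the pass rules that must admit them.

Added example, not pf's own tooling. Assumes the plain "rdr on IF proto P
from X to Y port PORTS -> HOST" and "pass in [quick] on IF [inet] [proto P]
from X to Y [port PORTS]" syntax used in the ruleset above.
"""
import ipaddress
import re

# Constructed sample, modelled on the ruleset above; port 6036 of the
# camera is forwarded but never passed.
SAMPLE_PF_CONF = """\
int_if="re1"
ext_if="re0"
ext_addr="82.0.0.50"
int_net="192.168.2.0/24"
webmail="192.168.2.5"
mailserver="192.168.2.15"
camera="192.168.2.221"
rdr on $ext_if proto tcp from any to $ext_addr port { 25, 465, 587, 995 } -> $mailserver
rdr on $ext_if proto tcp from any to $ext_addr port { 443, 777, 5145 } -> $webmail
rdr on $ext_if proto tcp from any to $ext_addr port { 554, 6036 } -> $camera
rdr pass on $int_if proto tcp from $int_net to any port 21 -> 127.0.0.1 port 8021
block in log all
pass in quick on $ext_if inet proto tcp from any to $mailserver port { 25, 465, 587, 995 } keep state queue mail
pass in quick on $ext_if inet proto tcp from any to $webmail port { 443, 777, 5145 } keep state
pass in quick on $ext_if inet proto tcp from any to $camera port 554 keep state
"""

MACRO_RE = re.compile(r'^(\w+)\s*=\s*"([^"]*)"\s*$', re.M)
SET_OR_WORD = r"(\{[^}]*\}|\S+)"
RDR_RE = re.compile(
    r"^rdr\s+on\s+(\S+)\s+proto\s+(\w+)\s+from\s+(?:\{[^}]*\}|\S+)"
    r"\s+to\s+(?:\{[^}]*\}|\S+)\s+port\s+" + SET_OR_WORD + r"\s+->\s+(\S+)", re.M)
PASS_IN_RE = re.compile(
    r"^pass\s+in(?:\s+quick)?\s+on\s+(\S+)(?:\s+inet6?)?"
    r"(?:\s+proto\s+" + SET_OR_WORD + r")?\s+from\s+(?:\{[^}]*\}|\S+)"
    r"\s+to\s+" + SET_OR_WORD + r"(?:\s+port\s+" + SET_OR_WORD + r")?", re.M)


def expand_macros(conf):
    """Strip macro definitions and substitute $name everywhere (nested too)."""
    macros = dict(MACRO_RE.findall(conf))
    body = MACRO_RE.sub("", conf)
    ref = re.compile(r"\$(\w+)")
    for _ in range(10):
        new = ref.sub(lambda m: macros.get(m.group(1), m.group(0)), body)
        if new == body:
            break
        body = new
    return body


def parse_set(spec):
    """'{ a, b }' -> ['a', 'b']; 'a' -> ['a']; None -> [] meaning 'unrestricted'."""
    if spec is None:
        return []
    return [x.strip() for x in spec.strip("{} ").split(",") if x.strip()]


def port_range(item):
    """'22' -> (22, 22); '137:139' -> (137, 139); service names -> None."""
    lo, _, hi = item.partition(":")
    if not lo.isdigit() or (hi and not hi.isdigit()):
        return None
    return int(lo), int(hi or lo)


def port_matches(port, port_set):
    return not port_set or any(
        r and r[0] <= port <= r[1] for r in map(port_range, port_set))


def host_matches(target, dst_set):
    if not dst_set or "any" in dst_set:
        return True
    for item in dst_set:
        if item == target:
            return True
        if "/" in item:  # CIDR containment, e.g. "to $int_net"
            try:
                if ipaddress.ip_address(target) in ipaddress.ip_network(item, strict=False):
                    return True
            except ValueError:
                continue
    return False


def unprotected_forwards(conf):
    """Return (iface, proto, port, target) for every rdr port no pass-in rule admits."""
    body = expand_macros(conf)
    passes = [(m.group(1), parse_set(m.group(2)), parse_set(m.group(3)), parse_set(m.group(4)))
              for m in PASS_IN_RE.finditer(body)]
    gaps = []
    for m in RDR_RE.finditer(body):
        iface, proto, target = m.group(1), m.group(2), m.group(4)
        for item in parse_set(m.group(3)):
            lo, hi = port_range(item) or (None, None)
            for port in ([] if lo is None else range(lo, hi + 1)):
                admitted = any(p_if == iface and (not p_proto or proto in p_proto)
                               and host_matches(target, p_dst) and port_matches(port, p_port)
                               for p_if, p_proto, p_dst, p_port in passes)
                if not admitted:
                    gaps.append((iface, proto, port, target))
    return gaps


if __name__ == "__main__":
    for iface, proto, port, target in unprotected_forwards(SAMPLE_PF_CONF):
        print(f"rdr on {iface} {proto}/{port} -> {target}: no pass in rule admits it")
```

Run it against a real pf.conf by reading the file into `unprotected_forwards`; on the sample it reports only the constructed 6036/tcp gap, and on Dan's ruleset every forward does have a matching pass rule. It does not model rule ordering, `quick`, or `block` rules that sit before a pass, so treat a clean result as necessary rather than sufficient.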