OpenBSD 端口重定向中pf.conf setting

jeason2008

Ext = "ne3" # Ó&Í&½&ÏàÁ&&ÄÉè±&Ã&
Int = "rl0" # Ó&¾ÖÓòÍ&ÏàÁ&&ÄÉè±&Ã&
IntNet = "192.168.0.0/24" # ¾ÖÓòÍ&&ÄÍ&&Î
RouterIP = "192.168.0.1" # ·ÓÉÆ÷&ÄIP&ØÖ·
Loop = "lo0" # Loopback ±¾&Ø&·&ØÉè±&Ã&
ftp_server = "192.168.0.8"
www_server = "192.168.0.8"

# ²&±&·ÓÉ&Ä&ØÖ·
NoRoute = "{ 127.0.0.1/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 255.255.255.255/32 }"

# ½&±&&ò&&&Ä&Ë&Ú
LocalServicesTCP = "{ ssh, auth }"
OtherServicesTCP = "{ ftp, www, 700 }"


### Ñ&Ï& ###

# DSLÁ&½Ó&Äͳ¼ÆÊ&¾Ý&¨pfctl -s info&&
set loginterface $Ext

# &ìËÙ&Ï&&·Ç&&&&×&Ì&&ÄÁ&½Ó - ¼&ÉÙÄÚ&&Ï&&Ä
set optimization aggressive

# IPËéÆ&ÖØ×é
scrub in on $Ext all fragment reassemble


### NAT &Í×&·& ###

# ¼¤&&NAT
nat on $Ext from $IntNet to any ->; $Ext

# ¼¤&& FTP - ×&·&&½ÎÒÃÇ&Ä ftp-proxy &úÀíÉÏ
#:rdr on $Int proto tcp from !$RouterIP to !$IntNet port 21 ->; 127.0.0.1 port 8081

rdr on $Ext proto tcp from !$IntNet to $Ext port ftp ->; $ftp_server port 21
#rdr on $Ext proto tcp from any to any port 49152:65535 ->; $ftp_server port 49152:65535
rdr on $Ext proto tcp from !$IntNet to $Ext port www ->; $www_server port 80
rdr on $Ext proto tcp from !$IntNet to $Ext port 700 ->; 192.168.0.3 port 700
rdr on $Ext proto udp from !$IntNet to $Ext port 700 ->; 192.168.0.3 port 700### ¹&Â˹&Ôò ###

# Ö&ÊÇÓÃÀ&&÷ÊÔÓÃ....
#pass in quick all # ²&ÊÔÒ&ÏÂÔÊÐíËùÓн&È&&Ä°ü
#pass out quick all # &Í·&³&&Ä°ü

# ÏÈÊÇ×Ü&ÄÔ&Ôò&&&²×&ËùÓн&³&&ÄÊ&¾Ý°ü
block out on $Ext all
block in on $Ext all

# ÎÒÃÇÄ&Ô&Ò&Éù²&&Ô×°Á&×÷ÑÆ&&&&&&
block return-rst out log on $Ext proto tcp all
block return-rst in log on $Ext proto tcp all
block return-icmp out log on $Ext proto udp all
block return-icmp in log on $Ext proto udp all

# ²&ÐèÒ& IPv6.0
block in quick inet6 all
block out quick inet6 all

# ±¾&Ø&·&ØÔÊÐíͨ¹&
pass in quick on $Loop all
pass out quick on $Loop all

# &&nmap&ÈɨÃèÆ÷À&&&ÄÑ&È
block in log quick on $Ext inet proto tcp from any to any flags FUP/FUP
block in log quick on $Ext inet proto tcp from any to any flags SF/SFRA
block in log quick on $Ext inet proto tcp from any to any flags /SFRA

# &ÔÍ&½&&&·Å&Ä&Ë&Ú
#pass in quick on $Ext inet proto tcp from any to $ftp_server port 21 flags S/SAFR keep state
#pass in quick on $Ext inet proto tcp from any to $ftp_server port >; 49151 flags S/SAFR keep state

#pass in quick on $Int inet proto tcp from any to $ftp_server port 21 flags S/SAFR keep state
#pass in quick on $Int inet proto tcp from any to $ftp_server port >; 49151 flags S/SAFR keep state

pass in quick on $Ext inet proto tcp from !$IntNet to $Ext port $LocalServicesTCP flags S/SAFR keep state
pass in quick on $Ext inet proto tcp from !$IntNet to $IntNet port $OtherServicesTCP flags S/SAFR keep state

# ·ÀÖ¹IPÆÛÆ&
block in log quick on $Ext inet from $NoRoute to any
block in log quick on $Ext inet from any to $NoRoute

# ÔÊÐí FTP Ö÷&&Ä&ʽ
#pass in quick on $Ext inet proto tcp from any to any port >; 49151 user proxy flags S/SAFR keep state

# ÔÊÐí±&ping&¨½&Ö¹Æ&Ê&Ò²Ã&&à&óÒ&Ò&&&
pass in quick on $Ext inet proto icmp all icmp-type 8 code 0 keep state

# &ÔÍ&½&&&·Å&Ä&Ë&Ú
#pass in quick on $Ext inet proto tcp from any to any port $InServicesTCP flags S/SAFR keep state

# ÔÊÐíͨ¹&ÓÉÄÚÏòÍ&&Ä°ü
pass out quick on $Ext all keep state