Date: Fri, 24 Aug 2018 22:24:52 +0000
From: William Moreno <wmoreno3@hotmail.com>
To: "freebsd-questions@FreeBSD.org" <freebsd-questions@FreeBSD.org>
Subject: 30.3. PF Revised and updated by John Ferrell.
Message-ID: <DM5PR19MB005703A39FED7B2A3EF8FB489F360@DM5PR19MB0057.namprd19.prod.outlook.com>
https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-pf.html

30.3.3.1. A Simple Gateway with NAT

pass in on xl1 from xl1:network to xl0:network port $ports keep state
pass out on xl0 from xl1:network to xl0:network port $ports keep state
pass from $localnet to any port $ports keep state

Please explain to me: how do I implement "xl1:network - xl0:network - $localnet"? I tried different forms, but with negative results; maybe your commands are deprecated. Am I ready?

The following configuration is ready and the test was OK on my FreeBSD 11.2 server.

root@server:~ # cat /etc/pf.conf
# $FreeBSD: releng/11.2/share/examples/pf/pf.conf 293862 2016-01-14 01:32:17Z kevlo $
# $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $
#
# See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
# Remember to set gateway_enable="YES" and/or ipv6_gateway_enable="YES"
# in /etc/rc.conf if packets are to be forwarded between interfaces.

ext_if="igb0"
int_if="igb1"

table <spamd-white> persist

set skip on lo

scrub in

#nat-anchor "ftp-proxy/*"
#rdr-anchor "ftp-proxy/*"
nat on $ext_if inet from !($ext_if) -> ($ext_if:0)
#rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
no rdr on $ext_if proto tcp from <spamd-white> to any port smtp
#rdr pass on $ext_if proto tcp from any to any port smtp \
#	-> 127.0.0.1 port spamd

#anchor "ftp-proxy/*"
block in
pass out

pass quick on $int_if no state
antispoof quick for { lo $int_if }

#pass in on $ext_if proto tcp to ($ext_if) port ssh
pass in on $ext_if proto tcp to ($ext_if) port 38422

#pass in log on $ext_if proto tcp to ($ext_if) port smtp
#pass out log on $ext_if proto tcp from ($ext_if) to port smtp

pass in on $ext_if inet proto icmp from any to ($ext_if) icmp-type { unreach, redir, timex }

root@server:~ # pfctl -vnf /etc/pf.conf
ext_if = "igb0"
int_if = "igb1"
table <spamd-white> persist
set skip on { lo }
scrub in all fragment reassemble
nat on igb0 inet from ! (igb0) to any -> (igb0:0)
no rdr on igb0 proto tcp from <spamd-white> to any port = smtp
block drop in all
pass out all flags S/SA keep state
pass quick on igb1 all no state
block drop in quick on ! lo inet6 from ::1 to any
block drop in quick on ! lo inet from 127.0.0.0/8 to any
block drop in quick inet from 127.0.0.1 to any
block drop in quick on ! igb1 inet from 192.168.1.0/24 to any
block drop in quick inet from 192.168.1.1 to any
block drop in quick inet6 from ::1 to any
block drop in quick on lo0 inet6 from fe80::1 to any
pass in on igb0 inet proto icmp from any to (igb0) icmp-type unreach keep state
pass in on igb0 inet proto icmp from any to (igb0) icmp-type redir keep state
pass in on igb0 inet proto icmp from any to (igb0) icmp-type timex keep state
pass in on igb0 proto tcp from any to (igb0) port = 38422 flags S/SA keep state
root@server:~ #

Thanks,
William Moreno

Sent from Mail<https://go.microsoft.com/fwlink/?LinkId=550986> for Windows 10
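Added example (editor's illustration, not the poster's ruleset and not text from the handbook): the quoted xl0/xl1 rules rewritten with the interface names from the post. It assumes $localnet is defined as $int_if:network, which uses the pf.conf(5) ":network" interface modifier so the macro expands at load time to the subnet configured on igb1 instead of a hard-coded 192.168.1.0/24; the tcp_services list is an assumed placeholder.

```pf
# Added example, not the poster's /etc/pf.conf.
ext_if = "igb0"
int_if = "igb1"
# ":network" expands to the subnet attached to igb1 when the rules load,
# so this tracks the interface's address instead of a literal prefix.
localnet = $int_if:network
# Assumed placeholder list of services the LAN may reach; adjust as needed.
tcp_services = "{ ssh, domain, www, https }"

set skip on lo
scrub in

# Translate everything leaving igb0 that originated on the internal subnet.
# ($ext_if) is re-evaluated if the external address changes.
nat on $ext_if inet from $localnet to any -> ($ext_if)

# Default deny inbound; drop spoofed sources on lo and the internal side.
block in
antispoof quick for { lo $int_if }

# Equivalent of the handbook's "pass in on xl1 from xl1:network ..." and
# "pass out on xl0 from xl1:network ..." with macros instead of bare
# interface names; "keep state" admits the return traffic.
pass in on $int_if inet proto tcp from $localnet to any port $tcp_services keep state
pass out on $ext_if inet proto tcp from $localnet to any port $tcp_services keep state

# Traffic the gateway itself originates.
pass out on $ext_if from ($ext_if) keep state
```

Run pfctl -nf on the file first to parse it without loading; pfctl -vnf prints the expanded rules, where igb1:network appears as the actual subnet, just as the antispoof lines in the output above expanded to 192.168.1.0/24.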
