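# See pf.conf(5) and /usr/share/pf for syntax and examples.
# pf.conf configuration for mysite.dk
# $Id$
#
# Layout:
#
#   ext_if1 -------+                +------- int_if1
#   80.80.80.80    |   +--------+   |        192.168.1.1
#                  +---|Router /|---+
#                  +---|Firewall|---+
#                  |   +--------+   |
#   ext_if2 -------+                +------- int_if2
#   90.90.90.90                              192.168.2.1
#
# ext_if1: SITE1's external interface
# ext_if2: SITE2's external interface
# int_if1: SITE1's internal interface
# int_if2: SITE2's internal interface
#
# Traffic from SITE1's subnet must be NAT'ed through its own ADSL connection.
# Traffic from SITE2's subnet must be NAT'ed through its own ADSL connection.
# Communication must be available between SITE1 and SITE2 subnets.
#
# Reading notes (pf semantics this ruleset relies on):
#   - Rules are evaluated top to bottom and the LAST matching rule wins,
#     unless a matching rule carries "quick", which ends evaluation there.
#   - "($ext_if1)" in parentheses means "whatever address is currently on
#     that interface", so a changing ADSL address needs no ruleset reload.
#   - "fxp2:network" expands to the network configured on fxp2.

# Macro definitions
#
# Addresses and subnets:

# ext_if1 -- SITE1's external interface and gateway
ext_if1 = "fxp0"
ext_gw1 = "80.80.80.1"

# ext_if2 -- SITE2's external interface and gateway
ext_if2 = "fxp1"
ext_gw2 = "90.90.90.1"

# int_if1 -- SITE1's internal interface
int_if1 = "fxp2"

# int_if2 -- SITE2's internal interface
int_if2 = "fxp3"

# SITE1's subnet
subnet1 = "fxp2:network"

# SITE2's subnet
subnet2 = "fxp3:network"

# Private networks (RFC 1918) plus loopback: never legitimate on the uplinks
privnets = "{127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8}"

# Protocols/services:
nat_proto = "{tcp, udp, icmp}"
# NOTE: public_services is defined but not referenced by any rule in this file.
public_services = "{ssh, http, dns}"

# Options
set limit frags 30000
set limit states 10000
# NOTE: pf collects loginterface statistics for a single interface; with
# both lines present only the last one ($ext_if2) is in effect.
set loginterface $ext_if1
set loginterface $ext_if2

# Table definitions
# The table names did not survive extraction of this file (pf writes them
# as <name>, which the rendering stripped). A bare "table persist" does
# not parse, and no rule below references a table, so the definitions are
# kept commented out until the real names are restored.
# table <TABLE_NAME_1> persist
# table <TABLE_NAME_2> persist

# Scrub rules -- reassemble/normalize everything coming in, randomize the
# IP id field on everything going out
scrub in all
scrub out all random-id

# NAT rules
# Inter-site traffic between the two subnets is never translated...
no nat on {$int_if1, $int_if2} inet proto $nat_proto from $subnet1 to $subnet2
no nat on {$int_if1, $int_if2} inet proto $nat_proto from $subnet2 to $subnet1
# ...everything else from a subnet is translated to its own uplink's
# address. The tag is what the route-to rules in the filter section key
# on, so each subnet's traffic leaves through its own ADSL line.
nat on $ext_if1 inet proto $nat_proto from $subnet1 to any tag SUB1 -> ($ext_if1)
nat on $ext_if2 inet proto $nat_proto from $subnet2 to any tag SUB2 -> ($ext_if2)

# Filtering rules
#
# Start by blocking everything!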
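block log all

# Allow all on loopback interface. This must stay ahead of antispoof:
# the block rules antispoof generates would otherwise also catch locally
# delivered packets on lo0.
pass quick on lo0 all

# No, you cannot spoof one of the firewalls interface addresses!
# Moved up and made "quick": originally this came after the "pass in
# quick on $int_if*" rules below, and since a quick pass ends evaluation,
# the antispoof blocks were never reached for packets on the internal
# interfaces. Placed here and quick, a spoofed source is dropped before
# any pass rule can see it.
antispoof log quick for {$ext_if1, $ext_if2, $int_if1, $int_if2}

# And no, we don't route RFC1918 addresses either!
# Also moved ahead of the per-interface pass rules so the firewall's own
# outbound traffic on the uplinks is covered, not only the NAT'ed subnets.
# If a modem on a private address has to be reached through an uplink,
# add a specific "pass quick" for it above these lines.
block drop in log quick on $ext_if1 from $privnets to any
block drop in log quick on $ext_if2 from $privnets to any
block out log quick on $ext_if1 from any to $privnets
block out log quick on $ext_if2 from any to $privnets

# One DSL connection per subnet: traffic tagged by the NAT rules is forced
# out through the matching uplink and its gateway.
pass out on $ext_if1 route-to ($ext_if1 $ext_gw1) tagged SUB1 keep state
pass out on $ext_if2 route-to ($ext_if2 $ext_gw2) tagged SUB2 keep state

# Allow all connections originating from the firewall
pass out quick on $ext_if1 from ($ext_if1) to any flags S/SA modulate state
pass out quick on $ext_if2 from ($ext_if2) to any flags S/SA modulate state

# Allow connections from the private LAN
# NOTE: "flags S/SA" is only meaningful for TCP, and these rules do not say
# "proto tcp". How pf treats non-TCP packets against such a rule depends
# on the pf version (some skip the flag test and let the rule match UDP
# and ICMP as well). If TCP-only is the intent -- the separate UDP rules
# below suggest it is -- add "proto tcp" to make that explicit.
pass in quick on $int_if1 from $subnet1 to any flags S/SA keep state label "intranet1 inbound"
pass in quick on $int_if2 from $subnet2 to any flags S/SA keep state label "intranet2 inbound"
pass out quick on $int_if1 from {$subnet1, $subnet2} to $subnet1 flags S/SA keep state label "intranet1 outbound"
pass out quick on $int_if2 from {$subnet1, $subnet2} to $subnet2 flags S/SA keep state label "intranet2 outbound"
pass in quick on $int_if1 proto udp from $subnet1 to any keep state label "intranet1 udp inbound"
pass in quick on $int_if2 proto udp from $subnet2 to any keep state label "intranet2 udp inbound"
pass out quick on $int_if1 proto udp from {$subnet1, $subnet2} to $subnet1 keep state label "intranet1 udp outbound"
pass out quick on $int_if2 proto udp from {$subnet1, $subnet2} to $subnet2 keep state label "intranet2 udp outbound"

# Block inbound connections to port 113 (auth/ident) and return ICMP
# destination unreachable, so remote mail servers probing ident fail
# immediately instead of waiting for a timeout.
block return-icmp in log quick on $ext_if1 proto tcp from any to ($ext_if1) port auth
block return-icmp in log quick on $ext_if2 proto tcp from any to ($ext_if2) port auth

# Allow inbound connections to port 25 (smtp)
# SMTP is TCP only, so the original "proto {tcp, udp}" also opened UDP/25
# for nothing. "keep state" was missing as well: on pf versions that do
# not keep state by default the SYN/ACK reply had no outbound rule to
# match (the firewall's own outbound rule above only passes SYN-only
# packets) and fell through to "block log all".
pass in quick on $ext_if1 inet proto tcp from any to ($ext_if1) port smtp flags S/SA keep state
pass in quick on $ext_if2 inet proto tcp from any to ($ext_if2) port smtp flags S/SA keep state

# Allow outbound external connections with SSH
# NOTE: the stateful "pass out quick ... from ($ext_if*)" rules above
# already cover every connection the firewall itself opens, so these two
# stateless rules add nothing and can be retired. SSH is TCP only; the
# "udp" here is unnecessary.
pass out on $ext_if1 inet proto {tcp, udp} from ($ext_if1) to any port 22
pass out on $ext_if2 inet proto {tcp, udp} from ($ext_if2) to any port 22

# Allow inbound external connections with SSH
# This exposes the firewall's SSH service to every address on the
# Internet. Limiting the source (for example to a table of admin networks)
# and requiring key-based authentication in sshd are the usual mitigations.
pass in on $ext_if1 inet proto tcp from any port > 1023 to ($ext_if1) port 22 modulate state
pass in on $ext_if2 inet proto tcp from any port > 1023 to ($ext_if2) port 22 modulate state

# Allow outbound internal connections with SSH
# NOTE: these describe the reply direction of the stateful "pass in" rules
# just below; pf already passes those replies through the state entry, so
# these stateless rules are redundant and can be retired.
pass out on $int_if1 inet proto {tcp, udp} from ($int_if1) port 22 to any port > 1023
pass out on $int_if2 inet proto {tcp, udp} from ($int_if2) port 22 to any port > 1023

# Allow inbound internal connections with SSH
pass in on $int_if1 inet proto tcp from any port > 1023 to ($int_if1) port 22 modulate state
pass in on $int_if2 inet proto tcp from any port > 1023 to ($int_if2) port 22 modulate state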