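# pf.conf -- dual-ADSL router/firewall for two LAN sites
# (OpenBSD pf, pre-4.7 "nat on"/"rdr" syntax as in the original draft)
#
# Layout:
#
# ext_if1 -------+            +------- int_if1
# 80.80.80.80    | +--------+ |  192.168.1.1
#                +-|Router /|-+
#                +-|Firewall|-+
#                | +--------+ |
# ext_if2 -------+            +------- int_if2
# 90.90.90.90                    192.168.2.1
#
# Requirements:
#  - Traffic from SITE1's subnet must be NAT'ed through its own ADSL connection.
#  - Traffic from SITE2's subnet must be NAT'ed through its own ADSL connection.
#  - Communication must be available between the SITE1 and SITE2 subnets.
#
# CAPITALISED headings are the main sections; lower-case lines are notes
# under the headings.  This is, in broad strokes, how I would do it.
#
# Changes from the draft (reviewer):
#  - Table names (<...>) were lost when the draft was pasted and have been
#    reconstructed; <blocklist2>/<blocklist3> are placeholders to rename.
#  - "set optimization aggresive" was a typo that pfctl rejects.
#  - Only one "set loginterface" is honoured; the second one silently won.
#  - The "tagged" route-to rules could never match (nothing applied a tag),
#    and no rule let SITE1 <-> SITE2 or LAN -> Internet traffic through at all.
#    Routing per site is now done with route-to on the internal interfaces
#    (the pf FAQ "Multiple ISPs" pattern).
#  - "antispoof ... for $if_all" referenced an undefined macro ($all_if exists).
#  - A trailing bare "block return" overrode the logged drop default policy.
#  - The inbound SMTP rule was stateless (and tcp+udp), so replies were dropped.

# MACROS
site_1  = "192.168.1.0/24"
site_2  = "192.168.2.0/24"
int_if1 = "fxp2"
int_if2 = "fxp3"
ext_if1 = "fxp0"
ext_if2 = "fxp1"
ext_gw1 = "80.80.80.1"
ext_gw2 = "90.90.90.1"
all_if  = "{ fxp0, fxp1, fxp2, fxp3 }"

# TABLES
# (the <fuckoff> addresses are scanners and the like that I pick out of
#  /var/log/authlog and add regularly; reload the file with
#  "pfctl -t fuckoff -T replace -f /etc/fuckoff")
# Private and loopback space that must never arrive on a WAN link.  Note that
# 192.168/16 also covers both LAN subnets, which is intended for the external
# interfaces.
table <rfc1918>    const { 10/8, 172.16/12, 192.168/16, 127/8 }
table <fuckoff>    persist file "/etc/fuckoff"
# Placeholder lists from the draft -- give each its own real file before use.
table <blocklist2> persist file "/path_to_file"
table <blocklist3> persist file "/path_to_file"

# OPTIONS
# pf keeps statistics for a single loginterface only; counters for the other
# link are still available with "pfctl -vvs Interfaces".
set loginterface $ext_if1
set limit { states 10000, frags 30000 }
# "aggressive" shortens the state timeouts and is known to break some FTP
# sessions through ftp-proxy, so stay on "normal".
set optimization normal
set block-policy drop
# if-bound: a state only matches on the interface it was created on, so every
# interface a forwarded packet crosses needs its own stateful rule below.
set state-policy if-bound
set fingerprints "/etc/pf.os"
set debug urgent

# TRAFFIC NORMALIZATION
scrub in all
scrub out all

# TRANSLATION
# (remember sysctl net.inet.ip.forwarding=1, and uncomment the ftp-proxy line
#  -- line #9 -- in /etc/inetd.conf; the inetd.conf line only applies on OpenBSD)
nat on $ext_if1 from $site_1 to any -> ($ext_if1)
nat on $ext_if2 from $site_2 to any -> ($ext_if2)
# Outbound FTP from each LAN is handed to the local ftp-proxy on 127.0.0.1:8021.
# Limited to each site's own subnet so nothing else reaches the proxy.
# NOTE(review): active-mode FTP through the inetd ftp-proxy also needs the
# data-channel rule from the pf FAQ ("pass in on $ext_if inet proto tcp from
# port 20 to ($ext_if) user proxy flags S/SA keep state") on each external
# interface -- add it once the proxy's mode is confirmed.  Connections the
# proxy opens itself follow the kernel default route, not the per-site link.
rdr pass on $int_if1 proto tcp from $site_1 to any port ftp -> 127.0.0.1 port 8021
rdr pass on $int_if2 proto tcp from $site_2 to any port ftp -> 127.0.0.1 port 8021

# PACKET FILTERING
# Default deny in both directions, logged.  (Last matching rule wins, so the
# draft's trailing "block return" had turned the whole default into "return"
# and dropped the logging on the inbound block.)
block in  log all
block out log all

# Loopback is trusted.
pass quick on lo0 all

# Anti-spoofing on every real interface, then drop private/blocklisted sources
# arriving on the WAN links before anything else is evaluated.
antispoof log quick for $all_if
block in log quick on { $ext_if1, $ext_if2 } from <rfc1918>    to any
block in log quick on { $ext_if1, $ext_if2 } from <fuckoff>    to any
block in log quick on { $ext_if1, $ext_if2 } from <blocklist2> to any
block in log quick on { $ext_if1, $ext_if2 } from <blocklist3> to any

# LAN -> firewall itself, and SITE1 <-> SITE2.  These are "quick" so they are
# decided before the route-to rules below, which would otherwise push
# firewall-bound and site-to-site packets out onto the ADSL links.
# NOTE(review): as in the draft, every protocol from each LAN to the firewall
# is allowed; narrow this to the services the box actually offers when known.
pass in quick on $int_if1 from $site_1 to $int_if1 keep state
pass in quick on $int_if2 from $site_2 to $int_if2 keep state
pass in quick on $int_if1 from $site_1 to $site_2  keep state
pass in quick on $int_if2 from $site_2 to $site_1  keep state
pass out on $int_if1 from any to $site_1 keep state
pass out on $int_if2 from any to $site_2 keep state

# LAN -> Internet: each site is forced out through its own ADSL link regardless
# of the kernel default route; the nat rules above then rewrite the source
# address to that link.
pass in on $int_if1 route-to ($ext_if1 $ext_gw1) from $site_1 to any keep state
pass in on $int_if2 route-to ($ext_if2 $ext_gw2) from $site_2 to any keep state

# Outbound on the WAN links (NAT'ed LAN traffic and the firewall's own).
pass out on $ext_if1 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if1 proto { udp, icmp } from any to any keep state
pass out on $ext_if2 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if2 proto { udp, icmp } from any to any keep state
# Packets sourced from a link's own address (replies to inbound ssh/smtp, the
# firewall's own connections) must leave via that link even when the default
# route points at the other one (pf FAQ "Multiple ISPs").  Stateless on
# purpose: the inbound state on the other link already tracks the session.
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from ($ext_if2) to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from ($ext_if1) to any

# ssh -- remote administration on both public addresses.
# The draft's "from any port > 1023" was dropped: a source-port check adds no
# security and only breaks clients that happen to use a privileged port.
# NOTE(review): this still accepts ssh from anywhere on the Internet.  Before
# deployment restrict "from any" to a table of admin networks, or at least
# rate-limit with max-src-conn-rate/overload where the pf version supports it.
# ssh from the LANs is already covered by the LAN -> firewall rules above.
pass in on $ext_if1 inet proto tcp from any to ($ext_if1) port ssh flags S/SA modulate state
pass in on $ext_if2 inet proto tcp from any to ($ext_if2) port ssh flags S/SA modulate state

# smtp -- inbound mail on both links.  TCP only, and stateful so the replies
# pass (the draft's stateless tcp/udp rule let the SYN in, but the outbound
# SYN/ACK never matched the "flags S/SA" rules above).
pass in on $ext_if1 inet proto tcp from any to ($ext_if1) port smtp flags S/SA keep state
pass in on $ext_if2 inet proto tcp from any to ($ext_if2) port smtp flags S/SA keep state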