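# pf.conf — FreeBSD pf ruleset for a bridged router: WAN on bridge1 (member bce1),
# LAN on bridge0, WLAN on hostap0, OpenVPN on tun0/tun1.
#
# Enablement lives in /etc/rc.conf (kept here for reference):
#   pf_enable="YES"
#   pf_rules="/etc/pf.conf"
#   pflog_enable="YES"
#   pflog_logfile="/var/log/pflog"
# Handy commands:
#   pfctl -nf /etc/pf.conf   # syntax-check without loading
#   pfctl -F all             # flush PF
#   pfctl -sr                # list all rules
#
# Section order is mandatory for this (nat/rdr) syntax:
#   macros -> options -> normalization -> translation -> filtering.

# ---------------------------------------------------------------------------
# Interface macros
# ---------------------------------------------------------------------------
lo = "lo0"
lo1 = "lo1"
# WAN bridge and its physical member.
ifwan0 = "bridge1"
ifwan0r = "bce1"
# LAN bridge and wireless AP interface.
iflan0 = "bridge0"
ifwlan0 = "hostap0"
# NOTE: br0 and iflan0 expand to the same interface (bridge0); br1 and
# ifwan0 to the same interface (bridge1). Keep one name per interface going
# forward; both are retained so existing references keep resolving.
br0 = "bridge0"
br1 = "bridge1"

# ---------------------------------------------------------------------------
# Network macros
# ---------------------------------------------------------------------------
lan0r = "192.168.177.0/24"
lan0 = "192.168.178.0/24"
lan0v = "192.168.179.0/24"
lan06 = "fd00::/64"
vpn1 = "10.15.0.0/24"
# Streaming host that receives the wide rdr ranges below.
strm1 = "192.168.178.31"

# ---------------------------------------------------------------------------
# Port lists
# ---------------------------------------------------------------------------
# Inbound on the WAN bridge. 4000:61000 is a very wide opening (it is what
# lets the rdr targets below be reached); narrowing it to exactly the ranges
# that are redirected would shrink the exposed surface considerably.
if_tcp_in = "{ dhcpv6-server, dhcpv6-client, bootps, ssh, www, https, http-alt, 1199, 4000:61000 }"
if_udp_in = "{ dhcpv6-server, dhcpv6-client, bootps, 1199, 4000:61000 }"
# Outbound lists. Duplicate entries (smtp, submission, imaps appeared twice)
# were removed; pf expands each list entry into its own rule, so duplicates
# only bloat the loaded ruleset.
# NOTE: because of the global "pass out keep state" below, these lists do not
# currently restrict anything — see the filtering section.
if_tcp_out = "{ dhcpv6-server, dhcpv6-client, bootps, smtp, submission, imaps, ftp, ftp-data, ssh, smtps, domain, nicname, www, https, 591, 8080, ntp, 1025, svn, cvsup, 1194:1199, mysql, rsync, 4000:61000 }"
if_udp_out = "{ dhcpv6-server, dhcpv6-client, bootps, smtp, submission, imaps, ftp, ftp-data, ssh, smtps, domain, nicname, ntp, svn, mysql, rsync, 1194:1199, 10000:61000 }"
# IPv6 lists; identical to the IPv4 ones except the udp6 outbound high range
# starts at 4000 instead of 10000 (preserved as found — confirm intent).
if_tcp6_in = "{ dhcpv6-server, dhcpv6-client, bootps, ssh, www, https, http-alt, 1199, 4000:61000 }"
if_udp6_in = "{ dhcpv6-server, dhcpv6-client, bootps, 1199, 4000:61000 }"
if_tcp6_out = "{ dhcpv6-server, dhcpv6-client, bootps, smtp, submission, imaps, ftp, ftp-data, ssh, smtps, domain, nicname, www, https, 591, 8080, ntp, 1025, svn, cvsup, 1194:1199, mysql, rsync, 4000:61000 }"
if_udp6_out = "{ dhcpv6-server, dhcpv6-client, bootps, smtp, submission, imaps, ftp, ftp-data, ssh, smtps, domain, nicname, ntp, svn, mysql, rsync, 1194:1199, 4000:61000 }"

# Loopback lists (unused; kept for reference).
#lo_tcp_in = "{ domain, 3128 }"
#lo_udp_in = "{ domain }"
#lo_tcp_out = "{ domain, 3128 }"
#lo_udp_out = "{ domain }"

# ---------------------------------------------------------------------------
# Options
# ---------------------------------------------------------------------------
# Silently drop blocked packets instead of sending RST/ICMP unreachable.
set block-policy drop
set optimization aggressive
# Interfaces listed here are NOT filtered at all: any "pass"/"block" rule
# naming lo0, lo1, tun0, tun1 or bce1 further down is dead. The tun0 and
# $ifwan0r pass rules in the filtering section are kept only because removing
# "set skip" for those interfaces would be a policy change.
set skip on $lo
set skip on $lo1
set skip on tun0
set skip on tun1
set skip on $ifwan0r
# Antispoof is disabled; enabling it on the WAN bridge is the usual next step.
#antispoof for $lo
#antispoof for $if

# ---------------------------------------------------------------------------
# Normalization
# ---------------------------------------------------------------------------
scrub in all

# ---------------------------------------------------------------------------
# Translation (NAT). First matching nat/rdr rule wins.
# ---------------------------------------------------------------------------
nat on $br1 from $lan0 to any -> ($br1)
nat on $br1 from $lan0v to any -> ($br1)
nat on $br1 from $lan0r to any -> ($br1)
nat on $br1 inet6 from $lan06 to any -> ($br1)
# Disabled alternatives, kept for reference.
#nat on $ifwan0 from $lan0 to any -> ($ifwan0)
#nat on $ifwan0 from $lan0v to any -> ($ifwan0)
#nat on $iflan0 from $lan0 to $lan0v -> ($iflan0)
#nat on $iflan0 from $lan0v to $lan0 -> ($iflan0)

# ---------------------------------------------------------------------------
# Translation (port forwards). Order matters: the specific 27000:27909 and
# 27910:27924 forwards to .40 must stay ahead of the 11000:31000 forward to
# $strm1, which overlaps them.
# ---------------------------------------------------------------------------
# SSH from the Internet is forwarded straight to 192.168.178.40.
rdr on $ifwan0 proto tcp from any to any port 22 -> 192.168.178.40 port 22
rdr on $ifwan0 proto tcp from any to any port 27000:27909 -> 192.168.178.40 port 27000:27909
rdr on $ifwan0 proto udp from any to any port 27000:27909 -> 192.168.178.40 port 27000:27909
rdr on $ifwan0 proto tcp from any to any port 27910:27924 -> 192.168.178.40 port 27910:27924
rdr on $ifwan0 proto udp from any to any port 27910:27924 -> 192.168.178.40 port 27910:27924
# stream1
rdr on $ifwan0 proto tcp from any to any port 11000:31000 -> $strm1 port 11000:31000
rdr on $ifwan0 proto udp from any to any port 11000:31000 -> $strm1 port 11000:31000
rdr on $ifwan0 proto tcp from any to any port 48000:61000 -> $strm1 port 48000:61000
rdr on $ifwan0 proto udp from any to any port 48000:61000 -> $strm1 port 48000:61000
# Disabled forwards, kept for reference.
#rdr on $ifwan0 proto tcp from any to any port 21 -> 192.168.178.102 port 21
#rdr on $ifwan0 proto tcp from any to any port 60000:61000 -> 192.168.178.102 port 60000:61000
#rdr on $ifwan0 proto tcp from any to any port 80 -> 192.168.178.40 port 80
#rdr on $ifwan0 proto tcp from any to any port 443 -> 192.168.178.40 port 443
#rdr on $ifwan0 proto tcp from any to any port 591 -> 192.168.178.3 port 591
#rdr on $ifwan0 proto tcp from any to any port 8080 -> 192.168.178.5 port 8080
#rdr on $ifwan0 proto tcp from any to any port 1195 -> 192.168.178.102 port 1195
#rdr on $ifwan0 proto udp from any to any port 1195 -> 192.168.178.102 port 1195
#rdr on $ifwan0 proto tcp from any to any port 4000:61000 -> 192.168.178.250 port 4000:61000
#rdr on $ifwan0 proto udp from any to any port 4000:61000 -> 192.168.178.250 port 4000:61000
#rdr on $ifwan0 proto tcp from any to any port 27000:27909 -> 192.168.178.6 port 27000:27909
#rdr on $ifwan0 proto udp from any to any port 27000:27909 -> 192.168.178.6 port 27000:27909
#rdr on $ifwan0 proto tcp from any to any port 27990:27999 -> 192.168.178.6 port 27990:27999
#rdr on $ifwan0 proto udp from any to any port 27990:27999 -> 192.168.178.6 port 27990:27999
#rdr on $ifwan0 proto tcp from any to any port 27930:27949 -> 192.168.178.6 port 27930:27949
#rdr on $ifwan0 proto udp from any to any port 27930:27949 -> 192.168.178.6 port 27930:27949

# ---------------------------------------------------------------------------
# Filtering. Last matching rule wins.
# ---------------------------------------------------------------------------
# Default deny.
block all
# Allows ALL outbound traffic on every filtered interface. Every later
# "pass out ... port $if_*_out" rule is therefore redundant: the outbound
# port lists impose no restriction while this line stands.
pass out keep state
#pass in keep state
#pass out on $lo proto tcp to any port $lo_tcp
#pass out on $lo proto udp to any port $lo_udp
#pass in on $lo proto tcp to any port $lo_tcp
#pass in on $lo proto udp to any port $lo_udp

# WAN bridge, IPv4.
pass in on $ifwan0 inet proto icmp all icmp-type echoreq
pass in on $ifwan0 inet proto tcp to any port $if_tcp_in
pass in on $ifwan0 inet proto udp to any port $if_udp_in
pass out on $ifwan0 inet proto icmp all icmp-type echoreq
pass out on $ifwan0 inet proto tcp to any port $if_tcp_out
pass out on $ifwan0 inet proto udp to any port $if_udp_out
# WAN bridge, IPv6. "ipv6-icmp all" admits every ICMPv6 type, not just echo.
pass in on $ifwan0 inet6 proto ipv6-icmp all
pass in on $ifwan0 inet6 proto tcp to any port $if_tcp6_in
pass in on $ifwan0 inet6 proto udp to any port $if_udp6_in
pass out on $ifwan0 inet6 proto ipv6-icmp all
pass out on $ifwan0 inet6 proto tcp to any port $if_tcp6_out
pass out on $ifwan0 inet6 proto udp to any port $if_udp6_out

# WAN bridge member (bce1). DEAD: "set skip on $ifwan0r" above means these
# rules never see a packet. They take effect only if that skip is removed.
pass in on $ifwan0r inet proto icmp all icmp-type echoreq
pass in on $ifwan0r inet proto tcp to any port $if_tcp_in
pass in on $ifwan0r inet proto udp to any port $if_udp_in
pass out on $ifwan0r inet proto icmp all icmp-type echoreq
pass out on $ifwan0r inet proto tcp to any port $if_tcp_out
pass out on $ifwan0r inet proto udp to any port $if_udp_out
pass in on $ifwan0r inet6 proto ipv6-icmp all
pass in on $ifwan0r inet6 proto tcp to any port $if_tcp6_in
pass in on $ifwan0r inet6 proto udp to any port $if_udp6_in
pass out on $ifwan0r inet6 proto ipv6-icmp all
pass out on $ifwan0r inet6 proto tcp to any port $if_tcp6_out
pass out on $ifwan0r inet6 proto udp to any port $if_udp6_out

# VPN tunnel. DEAD for the same reason: tun0 is in "set skip".
pass in on tun0 inet6 all
pass out on tun0 inet6 all
pass in on tun0 inet all
pass out on tun0 inet all

# LAN bridge (bridge0): unrestricted both directions. The former $br0 block
# duplicated these four rules verbatim (same interface) and was folded in.
pass in on $iflan0 inet6 all
pass out on $iflan0 inet6 all
pass in on $iflan0 inet all
pass out on $iflan0 inet all

# Wireless AP: unrestricted both directions.
pass in on $ifwlan0 inet6 all
pass out on $ifwlan0 inet6 all
pass in on $ifwlan0 inet all
pass out on $ifwlan0 inet all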