author | mlaier <mlaier@FreeBSD.org> | 2007-11-11 01:16:51 +0000 |
committer | mlaier <mlaier@FreeBSD.org> | 2007-11-11 01:16:51 +0000 |
commit | 439399edf83695101aa71cf53c06c52d7ffa7eb9 (patch) | |
tree | 107db76477a50666618c07f3792898601748b344 /share/examples | |
parent | 10e9042adf470ef6aa9ff73f8e0fa5a48d2139b3 (diff) | |
download | FreeBSD-src-439399edf83695101aa71cf53c06c52d7ffa7eb9.zip FreeBSD-src-439399edf83695101aa71cf53c06c52d7ffa7eb9.tar.gz |
Update pf examples from OpenBSD to catch up with new stateful defaults and
other syntax changes. Move pf.conf from /etc to examples, too.
Diffstat (limited to 'share/examples')
-rw-r--r-- | share/examples/pf/Makefile | 1 | ||||
-rw-r--r-- | share/examples/pf/ackpri | 8 | ||||
-rw-r--r-- | share/examples/pf/faq-example1 | 47 | ||||
-rw-r--r-- | share/examples/pf/faq-example2 | 20 | ||||
-rw-r--r-- | share/examples/pf/faq-example3 | 60 | ||||
-rw-r--r-- | share/examples/pf/pf.conf | 34 | ||||
-rw-r--r-- | share/examples/pf/queue1 | 14 | ||||
-rw-r--r-- | share/examples/pf/queue2 | 14 | ||||
-rw-r--r-- | share/examples/pf/queue3 | 8 | ||||
-rw-r--r-- | share/examples/pf/spamd | 4 |
10 files changed, 121 insertions, 89 deletions
diff --git a/share/examples/pf/Makefile b/share/examples/pf/Makefile index 9eabea1..a6c4470 100644 --- a/share/examples/pf/Makefile +++ b/share/examples/pf/Makefile @@ -4,6 +4,7 @@ NO_OBJ= FILES= faq-example1 faq-example2 faq-example3 \ ackpri queue1 queue2 queue3 queue4 \ + pf.conf \ spamd FILESDIR= ${SHAREDIR}/examples/pf diff --git a/share/examples/pf/ackpri b/share/examples/pf/ackpri index 18f008d..060b761 100644 --- a/share/examples/pf/ackpri +++ b/share/examples/pf/ackpri @@ -1,5 +1,5 @@ # $FreeBSD$ -# $OpenBSD: ackpri,v 1.2 2003/03/10 14:24:33 henning Exp $ +# $OpenBSD: ackpri,v 1.3 2006/10/07 04:48:01 mcbride Exp $ # Use a simple priority queue to prioritize empty (no payload) TCP ACKs, # which dramatically improves throughput on (asymmetric) links when the @@ -25,9 +25,7 @@ altq on $ext_if priq bandwidth 100Kb queue { q_pri, q_def } queue q_pri priority 7 queue q_def priority 1 priq(default) -pass out on $ext_if proto tcp from $ext_if to any flags S/SA \ - keep state queue (q_def, q_pri) +pass out on $ext_if proto tcp from $ext_if to any queue (q_def, q_pri) -pass in on $ext_if proto tcp from any to $ext_if flags S/SA \ - keep state queue (q_def, q_pri) +pass in on $ext_if proto tcp from any to $ext_if queue (q_def, q_pri) diff --git a/share/examples/pf/faq-example1 b/share/examples/pf/faq-example1 index 2981203..91942f6 100644 --- a/share/examples/pf/faq-example1 +++ b/share/examples/pf/faq-example1 @@ -1,5 +1,5 @@ # $FreeBSD$ -# $OpenBSD: faq-example1,v 1.2 2003/08/06 16:04:45 henning Exp $ +# $OpenBSD: faq-example1,v 1.5 2006/10/07 04:48:01 mcbride Exp $ # # Firewall for Home or Small Office 
@@ -8,41 +8,44 @@ # macros -int_if = "fxp0" -ext_if = "ep0" +ext_if="fxp0" +int_if="xl0" -tcp_services = "{ 22, 113 }" -icmp_types = "echoreq" +tcp_services="{ 22, 113 }" +icmp_types="echoreq" + +comp3="192.168.0.3" -priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }" - # options set block-policy return set loginterface $ext_if +set skip on lo + # scrub -scrub in all +scrub in # nat/rdr -nat on $ext_if from $int_if:network to any -> ($ext_if) -rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 \ - port 8021 +nat on $ext_if from !($ext_if) -> ($ext_if:0) +nat-anchor "ftp-proxy/*" +rdr-anchor "ftp-proxy/*" + +rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021 +rdr on $ext_if proto tcp from any to any port 80 -> $comp3 # filter rules -block all +block in -pass quick on lo0 all +pass out -block drop in quick on $ext_if from $priv_nets to any -block drop out quick on $ext_if from any to $priv_nets +anchor "ftp-proxy/*" +antispoof quick for { lo $int_if } -pass in on $ext_if inet proto tcp from any to ($ext_if) \ - port $tcp_services flags S/SA keep state +pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services -pass in inet proto icmp all icmp-type $icmp_types keep state +pass in on $ext_if inet proto tcp from any to $comp3 port 80 \ + synproxy state -pass in on $int_if from $int_if:network to any keep state -pass out on $int_if from any to $int_if:network keep state +pass in inet proto icmp all icmp-type $icmp_types -pass out on $ext_if proto tcp all modulate state flags S/SA -pass out on $ext_if proto { udp, icmp } all keep state +pass quick on $int_if no state diff --git a/share/examples/pf/faq-example2 b/share/examples/pf/faq-example2 index 66e2f25..eded1e8 100644 --- a/share/examples/pf/faq-example2 +++ b/share/examples/pf/faq-example2 
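Review bot: Dropping the `$priv_nets` macro and its two `block drop ... quick on $ext_if` rules leaves the new ruleset with no filtering of private source addresses on the external interface; `antispoof quick for { lo $int_if }` only generates block rules for the address ranges of lo and $int_if, so a packet arriving on $ext_if with a 10.0.0.0/8 or 172.16.0.0/12 source now reaches the `pass in on $ext_if ... port $tcp_services` and `... to $comp3 port 80` rules. If the example deliberately relies on the upstream provider to filter these, a comment saying so above the `antispoof` line would keep readers from assuming the protection is still present; otherwise a single `block drop in quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } to any` line restores it. The `rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021` rule and the `ftp-proxy/*` anchors also assume that ftp-proxy is running on the host, which is worth a one-line comment above the rdr rule since the ruleset loads fine without it and FTP just silently breaks.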
@@ -1,5 +1,5 @@ # $FreeBSD$ -# $OpenBSD: faq-example2,v 1.2 2003/08/06 16:04:45 henning Exp $ +# $OpenBSD: faq-example2,v 1.4 2006/10/07 04:48:01 mcbride Exp $ # # Small, Home Network @@ -43,9 +43,9 @@ altq on dc0 cbq bandwidth 2Mb queue { std_in, ssh_im_in, dns_in, bob_in } # bob_in - bandwidth reserved for Bob's workstation. allow him to # borrow. -queue std_in cbq(default) -queue ssh_im_in priority 4 -queue dns_in priority 5 +queue std_in bandwidth 1.6Mb cbq(default) +queue ssh_im_in bandwidth 200Kb priority 4 +queue dns_in bandwidth 120Kb priority 5 queue bob_in bandwidth 80Kb cbq(borrow) @@ -63,15 +63,15 @@ block in on fxp0 all # filter rules for fxp0 outbound block out on fxp0 all -pass out on fxp0 inet proto tcp from (fxp0) to any flags S/SA \ - keep state queue(std_out, tcp_ack_out) -pass out on fxp0 inet proto { udp icmp } from (fxp0) to any keep state +pass out on fxp0 inet proto tcp from (fxp0) to any \ + queue(std_out, tcp_ack_out) +pass out on fxp0 inet proto { udp icmp } from (fxp0) to any pass out on fxp0 inet proto { tcp udp } from (fxp0) to any port domain \ - keep state queue dns_out + queue dns_out pass out on fxp0 inet proto tcp from (fxp0) to any port $ssh_ports \ - flags S/SA keep state queue(std_out, ssh_im_out) + queue(std_out, ssh_im_out) pass out on fxp0 inet proto tcp from (fxp0) to any port $im_ports \ - flags S/SA keep state queue(ssh_im_out, tcp_ack_out) + queue(ssh_im_out, tcp_ack_out) # filter rules for dc0 inbound block in on dc0 all diff --git a/share/examples/pf/faq-example3 b/share/examples/pf/faq-example3 index c6b7355..61e2c93 100644 --- a/share/examples/pf/faq-example3 +++ b/share/examples/pf/faq-example3 
@@ -1,12 +1,12 @@ # $FreeBSD$ -# $OpenBSD: faq-example3,v 1.2 2003/08/06 16:04:45 henning Exp $ +# $OpenBSD: faq-example3,v 1.4 2006/10/07 04:48:01 mcbride Exp $ # # Company Network # http://www.openbsd.org/faq/pf/queueing.html#example2 # - + # enable queueing on the external interface to queue packets going out # to the Internet. use the cbq scheduler so that the bandwidth use of # each queue can be controlled. the max outgoing bandwidth is 1.5Mbps. @@ -18,15 +18,15 @@ altq on fxp0 cbq bandwidth 1.5Mb queue { std_ext, www_ext, boss_ext } # outgoing traffic on fxp0. # www_ext - container queue for WWW server queues. limit to # 500Kbps. -# www_ext_http - http traffic from the WWW server -# www_ext_misc - all non-http traffic from the WWW server -# boss_ext - traffic coming from the boss's computer +# www_ext_http - http traffic from the WWW server; higher priority. +# www_ext_misc - all non-http traffic from the WWW server. +# boss_ext - traffic coming from the boss's computer. -queue std_ext cbq(default) +queue std_ext bandwidth 500Kb cbq(default borrow) queue www_ext bandwidth 500Kb { www_ext_http, www_ext_misc } - queue www_ext_http priority 3 cbq(red) - queue www_ext_misc priority 1 -queue boss_ext priority 3 + queue www_ext_http bandwidth 50% priority 3 cbq(red borrow) + queue www_ext_misc bandwidth 50% priority 1 cbq(borrow) +queue boss_ext bandwidth 500Kb priority 3 cbq(borrow) # enable queueing on the internal interface to control traffic coming # from the Internet or the DMZ. use the cbq scheduler to control the 
@@ -42,15 +42,15 @@ altq on dc0 cbq bandwidth 100% queue { net_int, www_int } # is 1.0Mbps. # std_int - the standard queue. also the default queue for outgoing # traffic on dc0. -# it_int - traffic to the IT Dept network. -# boss_int - traffic to the boss's PC. -# www_int - traffic from the WWW server in the DMZ. +# it_int - traffic to the IT Dept network; reserve them 500Kbps. +# boss_int - traffic to the boss's PC; assign a higher priority. +# www_int - traffic from the WWW server in the DMZ; full speed. queue net_int bandwidth 1.0Mb { std_int, it_int, boss_int } - queue std_int cbq(default) + queue std_int bandwidth 250Kb cbq(default borrow) queue it_int bandwidth 500Kb cbq(borrow) - queue boss_int priority 3 -queue www_int cbq(red) + queue boss_int bandwidth 250Kb priority 3 cbq(borrow) +queue www_int bandwidth 99Mb cbq(red borrow) # enable queueing on the DMZ interface to control traffic destined for # the WWW server. cbq will be used on this interface since detailed @@ -64,13 +64,13 @@ altq on fxp1 cbq bandwidth 100% queue { internal_dmz, net_dmz } # define the parameters for the child queues. # internal_dmz - traffic from the internal network. # net_dmz - container queue for traffic from the Internet. -# net_dmz_http - http traffic. +# net_dmz_http - http traffic; higher priority. # net_dmz_misc - all non-http traffic. this is also the default queue. -queue internal_dmz # no special settings needed +queue internal_dmz bandwidth 99Mb cbq(borrow) queue net_dmz bandwidth 500Kb { net_dmz_http, net_dmz_misc } - queue net_dmz_http priority 3 cbq(red) - queue net_dmz_misc priority 1 cbq(default) + queue net_dmz_http bandwidth 50% priority 3 cbq(red borrow) + queue net_dmz_misc bandwidth 50% priority 1 cbq(default borrow) # ... in the filtering section of pf.conf ... 
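Review bot: The new absolute sizes `queue www_int bandwidth 99Mb cbq(red borrow)` and, in the second hunk, `queue internal_dmz bandwidth 99Mb cbq(borrow)` assume dc0 and fxp1 are 100 Mbit links: their parents are declared as `altq on dc0 cbq bandwidth 100%` and `altq on fxp1 cbq bandwidth 100%`, and the sibling sums (1.0Mb + 99Mb, 500Kb + 99Mb) only fit under that link speed, while the updated comments say no more than "full speed". As far as I recall pfctl refuses to load child queues whose bandwidth exceeds the parent's, so on a slower interface the example fails to load, and on a faster one the server is silently capped at 99Mb. A comment such as `# assumes dc0 and fxp1 are 100Mbit interfaces; scale the 99Mb figures to the link speed` above the `queue net_int` definition would make the assumption explicit for readers adapting the example.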
@@ -88,32 +88,30 @@ block on { fxp0, fxp1, dc0 } all # filter rules for fxp0 inbound pass in on fxp0 proto tcp from any to $wwwserv port { 21, \ - > 49151 } flags S/SA keep state queue www_ext_misc + > 49151 } queue www_ext_misc pass in on fxp0 proto tcp from any to $wwwserv port 80 \ - flags S/SA keep state queue www_ext_http + queue www_ext_http # filter rules for fxp0 outbound -pass out on fxp0 from $int_nets to any keep state -pass out on fxp0 from $boss to any keep state queue boss_ext +pass out on fxp0 from $int_nets to any +pass out on fxp0 from $boss to any queue boss_ext # filter rules for dc0 inbound -pass in on dc0 from $int_nets to any keep state +pass in on dc0 from $int_nets to any pass in on dc0 from $it_net to any queue it_int pass in on dc0 from $boss to any queue boss_int pass in on dc0 proto tcp from $int_nets to $wwwserv port { 21, 80, \ - > 49151 } flags S/SA keep state queue www_int + > 49151 } queue www_int # filter rules for dc0 outbound pass out on dc0 from dc0 to $int_nets # filter rules for fxp1 inbound -pass in on fxp1 proto { tcp, udp } from $wwwserv to any port 53 \ - keep state +pass in on fxp1 proto { tcp, udp } from $wwwserv to any port 53 # filter rules for fxp1 outbound pass out on fxp1 proto tcp from any to $wwwserv port { 21, \ - > 49151 } flags S/SA keep state queue net_dmz_misc -pass out on fxp1 proto tcp from any to $wwwserv port 80 \ - flags S/SA keep state queue net_dmz_http + > 49151 } queue net_dmz_misc +pass out on fxp1 proto tcp from any to $wwwserv port 80 queue net_dmz_http pass out on fxp1 proto tcp from $int_nets to $wwwserv port { 80, \ - 21, > 49151 } flags S/SA keep state queue internal_dmz + 21, > 49151 } queue internal_dmz diff --git a/share/examples/pf/pf.conf b/share/examples/pf/pf.conf new file mode 100644 index 0000000..bd3091b --- /dev/null +++ b/share/examples/pf/pf.conf 
@@ -0,0 +1,34 @@ +# $FreeBSD$ +# $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $ +# +# See pf.conf(5) and /usr/share/examples/pf for syntax and examples. +# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1 +# in /etc/sysctl.conf if packets are to be forwarded between interfaces. + +#ext_if="ext0" +#int_if="int0" + +#table <spamd-white> persist + +#set skip on lo + +#scrub in + +#nat-anchor "ftp-proxy/*" +#rdr-anchor "ftp-proxy/*" +#nat on $ext_if from !($ext_if) -> ($ext_if:0) +#rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021 +#no rdr on $ext_if proto tcp from <spamd-white> to any port smtp +#rdr pass on $ext_if proto tcp from any to any port smtp \ +# -> 127.0.0.1 port spamd + +#anchor "ftp-proxy/*" +#block in +#pass out + +#pass quick on $int_if no state +#antispoof quick for { lo $int_if } + +#pass in on $ext_if proto tcp to ($ext_if) port ssh +#pass in log on $ext_if proto tcp to ($ext_if) port smtp +#pass out log on $ext_if proto tcp from ($ext_if) to port smtp diff --git a/share/examples/pf/queue1 b/share/examples/pf/queue1 index 73c3839..5aad7c9 100644 --- a/share/examples/pf/queue1 +++ b/share/examples/pf/queue1 @@ -1,5 +1,5 @@ # $FreeBSD$ -# $OpenBSD: queue1,v 1.3 2003/01/20 16:14:23 henning Exp $ +# $OpenBSD: queue1,v 1.4 2006/10/07 04:48:01 mcbride Exp $ ext_if = "dc0" 
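Review bot: `#pass quick on $int_if no state` carries no direction, so once uncommented it matches packets both in and out on the internal interface, and `no state` keeps none of them in the state table; nothing in the template says this is only meant for a fully trusted LAN. A comment above it, such as `# trusted LAN: pass everything on $int_if without state tracking`, would stop readers from carrying the line into a ruleset where the internal side needs filtering. Since every rule in the file is commented out, the header could also state that this is a template to be copied to /etc/pf.conf and uncommented line by line, rather than a ruleset that does anything as installed.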
@@ -14,10 +14,8 @@ queue ssh bandwidth 100Kb priority 7 cbq(borrow) queue rsets bandwidth 7500b priority 0 cbq(red) block return in on $ext_if inet all queue rsets -pass in on $ext_if inet proto tcp from any to any port 80 keep state queue http -pass out on $ext_if inet proto tcp from any to any port 22 keep state queue ssh -pass in on $ext_if inet proto tcp from any to any port 22 keep state queue ssh -pass out on $ext_if inet proto tcp from any to any port 25 keep state queue mail -pass out on $ext_if inet all keep state - - +pass in on $ext_if inet proto tcp from any to any port 80 queue http +pass out on $ext_if inet proto tcp from any to any port 22 queue ssh +pass in on $ext_if inet proto tcp from any to any port 22 queue ssh +pass out on $ext_if inet proto tcp from any to any port 25 queue mail +pass out on $ext_if inet all diff --git a/share/examples/pf/queue2 b/share/examples/pf/queue2 index 20684e9..c60d1c3 100644 --- a/share/examples/pf/queue2 +++ b/share/examples/pf/queue2 @@ -1,5 +1,5 @@ # $FreeBSD$ -# $OpenBSD: queue2,v 1.2 2003/01/20 16:14:23 henning Exp $ +# $OpenBSD: queue2,v 1.4 2006/10/07 04:48:01 mcbride Exp $ # advanced queue example. # give interactive ssh traffic priority over ssh bulk transfers (scp, sftp) 
@@ -15,15 +15,15 @@ queue developers bandwidth 75% cbq(borrow) queue employees bandwidth 15% queue mail bandwidth 10% priority 0 cbq(borrow ecn) queue ssh bandwidth 20% cbq(borrow) { ssh_interactive, ssh_bulk } -queue ssh_interactive priority 7 -queue ssh_bulk priority 0 +queue ssh_interactive bandwidth 25% priority 7 +queue ssh_bulk bandwidth 75% priority 0 block return out on $ext_if inet all queue std pass out on $ext_if inet proto tcp from $developerhosts to any port 80 \ - keep state queue developers + queue developers pass out on $ext_if inet proto tcp from $employeehosts to any port 80 \ - keep state queue employees + queue employees pass out on $ext_if inet proto tcp from any to any port 22 \ - keep state queue(ssh_bulk, ssh_interactive) + queue(ssh_bulk, ssh_interactive) pass out on $ext_if inet proto tcp from any to any port 25 \ - keep state queue mail + queue mail diff --git a/share/examples/pf/queue3 b/share/examples/pf/queue3 index 855e74f..6db5eb4 100644 --- a/share/examples/pf/queue3 +++ b/share/examples/pf/queue3 @@ -1,5 +1,5 @@ # $FreeBSD$ -# $OpenBSD: queue3,v 1.2 2003/01/20 16:14:23 henning Exp $ +# $OpenBSD: queue3,v 1.3 2006/10/07 04:48:01 mcbride Exp $ # simple PRIQ example ext_if="lo0" @@ -9,8 +9,8 @@ queue pri-low priority 0 queue pri-med priority 1 priq(default) queue pri-high priority 2 -pass out on $ext_if proto tcp from any to any port 22 keep state \ +pass out on $ext_if proto tcp from any to any port 22 \ queue(pri-med, pri-high) -pass out on $ext_if proto tcp from any to any port 80 keep state queue pri-med -pass in on $ext_if proto tcp from any to any port 80 keep state queue pri-low +pass out on $ext_if proto tcp from any to any port 80 queue pri-med +pass in on $ext_if proto tcp from any to any port 80 queue pri-low diff --git a/share/examples/pf/spamd b/share/examples/pf/spamd index 780e879..ad12268 100644 --- a/share/examples/pf/spamd +++ b/share/examples/pf/spamd 
@@ -1,8 +1,8 @@ # $FreeBSD$ -# $OpenBSD: spamd,v 1.1 2003/08/22 15:25:01 henning Exp $ +# $OpenBSD: spamd,v 1.2 2005/08/06 19:52:37 jmc Exp $ # spamd-setup puts addresses to be redirected into table <spamd>. table <spamd> persist no rdr on { lo0, lo1 } from any to any -rdr inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025 +rdr inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port spamd |
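Review bot: Replacing `port 8025` with `port spamd` makes the rdr rule depend on a `spamd` entry in services(5); pfctl resolves service names when the ruleset is loaded and rejects the whole file if the name is unknown, so the example now fails on any host whose /etc/services lacks the entry. OpenBSD ships that entry in its base services file, but I am not certain the FreeBSD base does, so either confirm it is present or keep the numeric port and name the service in a comment instead: `rdr inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025`. The new pf.conf template in this commit uses `port spamd` in its commented-out rdr line as well, so the same check applies there.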