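#
# $Id: pf.conf.39.adsl,v 1.2 2006/05/05 09:13:26 raptor Exp $
#
# pf.conf.39.adsl - Sample PF/NAT ruleset for OpenBSD 3.9
# Copyright (c) 2006 Marco Ivaldi
#
# The pf(4) packet filter modifies, drops or passes packets according to
# rules or definitions specified in pf.conf(5). This is a sample ruleset
# for the configuration of a basic OpenBSD 3.9 stateful packet filter.
#
# This ruleset applies the ADSL optimization guidelines outlined by Daniel
# Hartmeier in his paper "Prioritizing empty TCP ACKs with pf and ALTQ"
# (http://www.benzedrine.cx/ackpri.html). It also uses scrub to adjust the
# max-mss to 1440 for pppoe(4). The default block-policy is set to drop.
#
# Tested on OpenBSD 3.9 with 2 NICs, change it to fit your configuration.
#
# Layout: macros, tables, options, normalization, queueing, translation,
# filtering. pf evaluates filter rules last-match-wins unless a rule is
# marked "quick", so the order of the filtering section matters.
#

###############################################################################
# Macros
#
# User-defined variables may be defined and used later, simplifying the
# configuration file. Macros must be defined before they are referenced.
#

# available interfaces
ext_if = "pppoe0"
int_if = "dc1"

# list of networks
# x.x.x.x is a placeholder: replace it with the public address of $ext_if.
# On a pppoe(4) link whose address changes, a stale value here makes the
# egress rule below drop all outbound traffic; the dynamic form ($ext_if)
# tracks the current address instead of a hard-coded netblock.
ext_net = "x.x.x.x/32"
int_net = "192.168.0.0/24"

# list of hosts
# x.x.x.x is a placeholder: replace it with the firewall's public address.
fw_ext = "x.x.x.x"

###############################################################################
# Tables
#
# Tables provide a mechanism for increasing the performance and flexibility
# of rules with large numbers of source or destination addresses.
#

# loopback and private address space that must never arrive from the Internet
# NOTE(review): the table name <private> is reconstructed - the original name
# was lost from this copy of the file (the rule read "table const { ... }",
# which pfctl rejects); the anti-spoofing rule below must use the same name.
table <private> const { 127/8, 10/8, 172.16/12, 192.168/16 }

###############################################################################
# Options
#
# Options tune the behaviour of the packet filtering engine.
#

set optimization normal
# blocked packets are silently dropped instead of answered with RST/unreachable
set block-policy drop
# loopback traffic is never filtered
set skip on lo0

###############################################################################
# Traffic Normalization
#
# Traffic normalization protects internal machines against inconsistencies
# in Internet protocols and implementations.
#

# reassemble fragments and sanity-check every incoming packet, all interfaces
scrub in
# clamp the TCP MSS on the pppoe link so segments fit its reduced MTU
scrub out on $ext_if max-mss 1440

###############################################################################
# Queueing
#
# Queueing provides rule-based bandwidth control.
#

# priority queueing on the upstream link: q_pri (priority 7) carries the
# empty ACKs selected by the second queue argument of the pass rules below,
# q_def (priority 1) everything else. Set bandwidth to the real upstream rate.
altq on $ext_if priq bandwidth 200Kb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 1 priq(default)

###############################################################################
# Translation
#
# Translation rules specify how addresses are to be mapped or redirected to
# other addresses.
#

# ftp-proxy anchors
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# ip masquerading
# ($ext_if) is re-evaluated by pf whenever the interface address changes
nat on $ext_if inet from $int_net -> ($ext_if)

# ftp-proxy
# LAN clients' FTP control connections are redirected to the local ftp-proxy
rdr pass on $int_if inet proto tcp to port 21 -> 127.0.0.1 port 8021

###############################################################################
# Packet Filtering
#
# Stateful and stateless packet filtering provides rule-based blocking or
# passing of packets.
#

# ftp-proxy anchor
anchor "ftp-proxy/*"

# default policy
# inbound blocks are logged; outbound blocks are not
block in log
block out

# trusted interfaces
# stateless pass in both directions: the LAN side is fully trusted
pass in quick on $int_if inet
pass out quick on $int_if inet

# egress filtering
# nothing leaves $ext_if unless it carries our public source address
# (catches spoofed or un-NATed traffic from the LAN)
block out quick on $ext_if inet from !$ext_net

# anti-spoofing
# packets claiming a loopback or private source address cannot legitimately
# arrive on the Internet-facing interface
block drop in quick on $ext_if inet from <private>

# outbound traffic (icmp, udp, tcp)
# stateful, so replies come back without an explicit inbound rule
pass out on $ext_if inet proto { icmp, udp, tcp } keep state \
	queue (q_def, q_pri)

# inbound traffic
# only TCP port 2222 on the firewall's own address is reachable from outside;
# flags S/SA matches the initial SYN so state is created on new connections.
# NOTE(review): a per-source connection limit (max-src-conn-rate with an
# overload table) would slow password guessing against this port - confirm
# the expected client behaviour before adding one.
pass in on $ext_if inet proto tcp from any to $fw_ext \
	port 2222 flags S/SA keep state queue (q_def, q_pri)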