Recompile the kernel with PF support:
device pf
device pflog
Edit /etc/pf.conf:
# Variables
ext_if="rl0"
int_if="vr0"
port_tcp_out_to_in="{ 22, 88, 143, 6891, 6892, 6893 }"
port_udp_out_to_in="{ 53 }"
#Options
set timeout { interval 10, frag 30 }
set timeout { tcp.first 30, tcp.opening 120, tcp.established 86400 }
set timeout { tcp.closing 30, tcp.finwait 15, tcp.closed 15 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 10000, frags 5000 }
set loginterface none
set optimization normal
set block-policy drop
set require-order yes
set fingerprints "/etc/pf.os"
# Packet normalization
scrub in all
# Nat / Binat / Redirects
binat on $int_if from 192.168.2.2 to any -> 200.xxx.xxx.xx
nat on $ext_if from 192.168.2.0/24 to any -> ($ext_if) # or 200.xxx.xxx.xx
rdr on $int_if proto tcp from 192.168.2.0/24 to any port 80 -> 127.0.0.1 port 3128
# Rules
block in log all
pass out on $ext_if proto { tcp, udp, icmp } all keep state
pass on lo0 from 127.0.0.1 to 127.0.0.1
pass on vr0 from 192.168.2.0/24 to 192.168.2.0/24 keep state
pass in on $ext_if proto tcp from any to ($ext_if) port $port_tcp_out_to_in keep state
pass in on $ext_if proto udp from any to ($ext_if) port $port_udp_out_to_in keep state
Loading PF rules:
~# pfctl -f /etc/pf.conf
Edit /etc/rc.conf to start PF on boot:
pf_enable="YES" # Set to YES to enable packet filter (pf)
pf_rules="/etc/pf.conf" # rules definition file for pf
pf_program="/sbin/pfctl" # where the pfctl program lives
pf_flags="" # additional flags for pfctl
pflog_enable="YES"
pflog_logfile="/var/log/pflog" # where pflogd should store the logfile
pflog_program="/sbin/pflogd" # where the pflogd program lives
pflog_flags="" # additional flags for pflogd
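Before loading a ruleset copied from a web page with pfctl -f, it is worth catching the two errors that most often stop pfctl with a syntax error: typographic quotes introduced by copy-paste (the quote characters in the pf.conf and rc.conf listings above are exactly this kind of damage) and macros that are referenced but never defined. The following POSIX shell script is an added example and not part of the original post; the script name, function names and the rules-file argument are assumptions. It rewrites the quotes to ASCII, lists undefined macros, and only if pfctl is present on the host runs pfctl -nf, which parses the file without loading it.

```shell
#!/bin/sh
# pf_preflight.sh (hypothetical name): sanity-check a pf.conf before pfctl -f.
# Added example; not part of the original post. Usage: sh pf_preflight.sh /etc/pf.conf

# Return 0 if the file contains typographic quotes that pfctl cannot parse.
has_smart_quotes() {
    LC_ALL=C grep -q -e '“' -e '”' -e '″' "$1"
}

# Rewrite typographic quotes to the ASCII double quote pfctl expects; output on stdout.
# One -e per character: a bracket expression would match single bytes in the C locale.
normalize_quotes() {
    LC_ALL=C sed -e 's/“/"/g' -e 's/”/"/g' -e 's/″/"/g' "$1"
}

# Print every $macro that is used in the file but never defined as name=...
undefined_macros() {
    _defined=$(grep -o '^[A-Za-z_][A-Za-z0-9_]*=' "$1" | sed 's/=$//' | sort -u)
    _used=$(grep -o '\$[A-Za-z_][A-Za-z0-9_]*' "$1" | sed 's/^\$//' | sort -u)
    for _m in $_used; do
        echo "$_defined" | grep -qx "$_m" || echo "$_m"
    done
}

# Full check: normalized ruleset on stdout, non-zero exit on any problem.
preflight() {
    _tmp=$(mktemp)
    normalize_quotes "$1" > "$_tmp"
    _missing=$(undefined_macros "$_tmp")
    if [ -n "$_missing" ]; then
        echo "undefined macros: $_missing" >&2
        rm -f "$_tmp"
        return 1
    fi
    # Parse-only check (-n): nothing is loaded into the kernel. Skipped where pf is absent.
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$_tmp" || { rm -f "$_tmp"; return 1; }
    fi
    cat "$_tmp"
    rm -f "$_tmp"
}

if [ -n "${1-}" ]; then
    preflight "$1"
fi
```

On a FreeBSD host, a clean run prints the normalized ruleset, which can then be written back and loaded with pfctl -f; note that pfctl -f only loads rules and that pf itself is enabled with pfctl -e or, at boot, by pf_enable="YES" in /etc/rc.conf as shown above.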

Using PF as Firewall on FreeBSD