Allt som har med OpenBSD att göra plus allt annat!
You are not logged in.
# NIC's & General Network Config
ext_if = "em2"
int_if = "em1"
nat_net = "192.168.9.0/24"
tcp_services = "{ http, https, ssh, ftp, ftp-data, nicname }"
udp_services = "{ ntp, domain, nicname, isakmp }"
table <deny_ips> persist file "/etc/denyips"
table <known_ips> persist file "/etc/knownips"
# Quick Aliases
quad = "XXX.XXX.XXX.XXX"
torrent = "xxx"
# Settings
set skip on { lo, $int_if, enc0 }
set block-policy return
set fingerprints "/etc/pf.os"
set ruleset-optimization basic
set optimization normal
set state-policy if-bound
set limit states 500000
match in all scrub (no-df)
# IPsec Settings
ndrs = "XXX.XXX.XXX.XXX"
ndrs_nat = "10.0.0.0/23"
# NAT
nat on $ext_if inet from $nat_net to any -> ($ext_if)
# NAT Port redirection
rdr pass on $ext_if proto tcp from any to $ext_if port $torrent -> $quad port $torrent
rdr pass on $ext_if proto udp from any to $ext_if port $torrent -> $quad port $torrent
rdr pass on $ext_if proto tcp from !<deny_ips> to $ext_if port ftp -> $quad port ftp
rdr pass on $ext_if proto udp from !<deny_ips> to $ext_if port ftp-data -> $quad port ftp-data
rdr pass on $ext_if proto { tcp, udp } from !<deny_ips> to $ext_if port 4000:4200 -> $quad port 4000:4200
# Block all from external NIC
block in on $ext_if
# Antispoof
antispoof quick for $ext_if inet
# test
altq on $ext_if priq bandwidth 99Mb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 1 priq(default)
pass out quick on $ext_if proto tcp from $ext_if to any flags S/SA keep state queue (q_def, q_pri)
pass in quick on $ext_if proto tcp from any to $ext_if flags S/SA keep state queue (q_def, q_pri)
# IPsec
pass quick on $ext_if from $ndrs keep state
pass from { $nat_net, $ndrs_nat } to { $ndrs_nat, $nat_net } allow-opts # should allow multicasting from from net to net
# Torrent Rules
pass in quick on $ext_if proto tcp from any to $quad port $torrent
pass in quick on $ext_if proto udp from any to $quad port $torrent
# Allowed to pass out from different nets
pass out quick from { lo0, $nat_net } to any keep state
pass in quick from { $nat_net } to any keep state
# ICMP Echo allowed from non blocked ips.
pass quick inet proto icmp from <known_ips> to any
pass quick inet proto icmp from !<deny_ips> to any
# SSH
pass in quick on $ext_if proto tcp from <known_ips> to ($ext_if) port ssh
pass in quick on $ext_if proto tcp from !<deny_ips> to ($ext_if) port ssh
# Allow some internaltraffic to be passed out on the external NIC.
pass out on $ext_if proto tcp from { $ext_if } to any port $tcp_services
pass proto udp to any port $udp_services
pass out on $ext_if inet proto tcp from $ext_if to any port > 1024 flags S/AUPRFS modulate stateÄr detta en korrekt implementation, har försökt läsa på mig om ALTQ men förstår inte riktigt hur det fungerar, måste man speca köer på varje regel?
Offline
Du måste lägga kö på varje pass/rdr regel som du vill ha match på till just den regeln.
t.ex
pass in quick on $ext_if proto tcp from <known_ips> to ($ext_if) port ssh queue ssh
Offline