#pf.conf的内容就是这样的.
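# pf.conf for a NAT gateway: $ext_if faces the Internet, $int_if the LAN.

# --- Macros ---
ext_if="vr0"
int_if="xl0"
# NOTE(review): tcp_services and NETWORK_A are defined but never referenced
# by any rule below (the SSH rule hard-codes port 22); kept as-is so the
# macro set is unchanged, but they currently have no effect.
tcp_services="{ 22, 113 }"
icmp_types="echoreq"
NETWORK_A="192.168.2.0/24"
# Loopback and private (RFC 1918) ranges: never a valid source coming in on
# $ext_if, and never a valid destination going out on it.
priv_nets="{
127.0.0.0/8,
192.168.0.0/16,
172.16.0.0/12,
10.0.0.0/8
}"

# --- Options ---
# set optimization aggressive
set optimization conservative
# Blocked packets get a TCP RST / ICMP unreachable by default; the two
# $ext_if block rules below override this with an explicit "drop".
set block-policy return
set loginterface $ext_if

# --- Normalization ---
scrub in all

# --- Translation ---
# Anchors filled at runtime by ftp-proxy(8) for FTP data connections.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
# Transparent redirect of LAN HTTP to a proxy listening on 127.0.0.1:3128.
# No "pass" on this rdr, so the redirected connection must still match a
# filter rule below (the "pass in on $int_if" rule covers it).
rdr on $int_if proto tcp from any to any port www -> 127.0.0.1 port 3128
# LAN FTP control connections go through ftp-proxy on 127.0.0.1:8021;
# "rdr pass" admits them without a separate filter rule.
rdr pass on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
# Masquerade everything leaving $ext_if behind its primary address.
nat on $ext_if from !($ext_if) -> ($ext_if:0)

# --- Filtering (last matching rule wins unless marked "quick") ---
block all
pass on lo0 all
anchor "ftp-proxy/*"
# Anti-spoofing: private/loopback sources arriving from the Internet, and
# private destinations leaving towards it, are dropped and logged.
block drop in log quick on $ext_if from $priv_nets to any
block drop out log quick on $ext_if from any to $priv_nets
# SSH to this host from any Internet address (logged). This exposes sshd to
# the whole Internet; narrow the source if administration only comes from
# known networks.
pass in log quick on $ext_if inet proto tcp from any to ($ext_if) port 22 flags S/SA keep state
# Echo request in both directions; use the macro instead of repeating the
# literal so the allowed ICMP types are defined in one place.
pass in inet proto icmp all icmp-type $icmp_types keep state
pass out inet proto icmp all icmp-type $icmp_types keep state
# Anything from the LAN subnet is accepted on $int_if (then NATed out above).
pass in on $int_if from $int_if:network to any keep state
# Unrestricted stateful egress on every interface, including $ext_if.
pass out keep state
# Stricter per-protocol alternatives to the rule above, currently disabled.
#pass out on $ext_if proto tcp from ($ext_if) to any modulate state flags S/SA
#pass out on $ext_if inet proto {udp,icmp} from ($ext_if) to any keep state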