
root@schlimmwutz:/usr/local/etc/pf.d # cat pf.conf | gsed '/#/d'
# Global pf tunables.
# NOTE(review): this listing was produced with `gsed '/#/d'`, which deletes
# every line containing a '#' - including any rule that carried a trailing
# comment - so the ruleset shown here may be incomplete.
set ruleset-optimization basic
set optimization normal
# Adaptive timeouts are disabled (adaptive.start 0): state lifetimes are not
# shortened as the table fills, so once 'limit states' is reached new states
# simply fail to be created.
set timeout { adaptive.start 0, adaptive.end 0 }
set limit states 403000
set limit src-nodes 403000

# Interfaces excluded from filtering entirely: none of the scrub, antispoof,
# block or pass rules below applies to them, even where a rule names them.
set skip on pfsync0
# NOTE(review): re1 is completely unfiltered, and the 'scrub on re1' and
# 'antispoof for re1' rules further down are therefore no-ops.  If re1 is the
# pfsync/CARP sync link, an explicit 'pass ... proto pfsync' rule is the safer
# form; if it carries anything else this is an open interface - confirm.
set skip on re1

# Packet normalisation (scrub) on every interface.
# The re1 entry has no effect because re1 is excluded by 'set skip' above.
scrub on lo0 all
scrub on bridge0 all
scrub on vlan75 all
scrub on vlan11 all
scrub on vlan12 all
scrub on pppoe0 all
scrub on wlan0 all
scrub on re0 all
scrub on re1 all
scrub on re2 all

# Outbound NAT onto the PPPoE uplink for the three internal networks and for
# loopback-sourced traffic.  Source ports are rewritten into 1024-65535,
# except IKE (UDP/500), which keeps its source port (static-port) because IKE
# peers typically expect it to be 500.
# NOTE(review): NAT from 127.0.0.0/8 presumably serves a daemon bound to
# loopback whose packets leave via pppoe0 - confirm.  vlan11 has scrub and
# antispoof entries but neither a nat nor a pass rule, so hosts there get no
# connectivity through this box (presumably an isolated VLAN - confirm).
# Note also that no 'pass in' rule below admits traffic from these networks
# to anything other than this host, so internal clients cannot reach the
# Internet directly; their only path out is the transparent proxy (rdr below).
nat on pppoe0 inet from 127.0.0.0/8 to any port 500 -> pppoe0 static-port
nat on pppoe0 inet from (bridge0:network) to any -> pppoe0 port 1024:65535
nat on pppoe0 inet from (vlan75:network) to any -> pppoe0 port 1024:65535
nat on pppoe0 inet from (vlan12:network) to any -> pppoe0 port 1024:65535
nat on pppoe0 inet from 127.0.0.0/8 to any -> pppoe0 port 1024:65535

# Transparent proxying: TCP/80 and TCP/443 from the internal networks are
# redirected to a local proxy (3128 plain HTTP, 3129 for HTTPS).  'rdr pass'
# also passes the redirected packets without consulting the filter rules
# below.  'to any' includes this host's own addresses, so client connections
# to the firewall's own ports 80/443 are redirected as well.
# NOTE(review): intercepting 443 means TLS from every internal client is
# terminated on this host (presumably a Squid-style intercept/ssl-bump setup -
# confirm); clients must trust the proxy CA and certificate pinning will fail.
rdr pass inet proto tcp from {(bridge0:network)} to any port {80} -> 127.0.0.1 port 3128
rdr pass inet proto tcp from {(bridge0:network)} to any port {443} -> 127.0.0.1 port 3129
rdr pass inet proto tcp from {(vlan12:network)} to any port {80} -> 127.0.0.1 port 3128
rdr pass inet proto tcp from {(vlan12:network)} to any port {443} -> 127.0.0.1 port 3129
rdr pass inet proto tcp from {(vlan75:network)} to any port {80} -> 127.0.0.1 port 3128
rdr pass inet proto tcp from {(vlan75:network)} to any port {443} -> 127.0.0.1 port 3129

# Spoofing protection: drop packets that arrive on the wrong interface with
# an internal source address, and packets that claim one of this host's own
# interface addresses.  These expand to non-'quick' block rules, so any later
# 'pass ... quick' rule matching the same packets silently wins over them -
# every pass rule whose source is not its own interface's network (or whose
# source is this host on an inbound rule) needs to be checked against this.
# The re1 entry is a no-op because re1 is in 'set skip'.
antispoof log for bridge0
antispoof log for vlan75
antispoof log for vlan11
antispoof log for vlan12
antispoof log for pppoe0
antispoof log for wlan0
antispoof log for re0
antispoof log for re1
antispoof log for re2

# Default policy: drop (and log) everything inbound, IPv4 and IPv6.  These are
# not 'quick', so the pass rules below override them for matching traffic.
# There is no default 'block out'; outbound is governed solely by the
# 'pass out' rules.
# NOTE(review): nothing below passes inbound IPv6 on a filtered interface
# (the only address-family-neutral inbound pass rules are lo0 and DHCP).  If
# IPv6 is in use anywhere, ICMPv6 (neighbour discovery, router advertisements)
# needs explicit pass rules or IPv6 will not work on those links.
block in log inet from {any} to {any}
block in log inet6 from {any} to {any}
# TCP/UDP port 0 is never legitimate: drop it unconditionally ('quick'),
# whether it appears as source or destination port.
block in log quick inet proto {tcp udp} from {any} port {0} to {any}
block in log quick inet6 proto {tcp udp} from {any} port {0} to {any}
block in log quick inet proto {tcp udp} from {any} to {any} port {0}
block in log quick inet6 proto {tcp udp} from {any} to {any} port {0}

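# --- Services offered to the internal networks ---------------------------

# DHCP: client DISCOVER/REQUEST, broadcast or unicast to this host, and our
# replies back to the clients.
pass in log quick on {vlan12 vlan75 bridge0} proto udp from {any} port {68} to {255.255.255.255} port {67}
pass in log quick on {vlan12 vlan75 bridge0} proto udp from {any} port {68} to {(self)} port {67}
pass out log quick on {vlan12 vlan75 bridge0} proto udp from {(self)} port {67} to {any} port {68}
# DNS for the three internal networks.  The source is 'any' rather than each
# interface's own network, unlike the per-interface rules below.
pass in quick on {vlan12 vlan75 bridge0} inet proto udp from {any} to {(self)} port {53} keep state

# vlan75: DNS (already covered by the list rule above), ping, and the proxy
# ports.  80/443 here are effectively covered by the 'rdr pass' rules, which
# catch those ports for any destination including this host.
pass in quick on vlan75 inet proto udp from {(vlan75:network)} to {(self)} port {53} keep state
pass in quick on vlan75 inet proto icmp from {(vlan75:network)} to {(self)} keep state
pass in quick on vlan75 inet proto tcp from {(vlan75:network)} to {(self)} port {80 443 3128 3129} keep state

# Loopback is unrestricted.
pass in log quick on lo0 from {any} to {any}
# Everything this host sends or forwards is allowed out, on every interface.
# NOTE(review): 'allow-opts' disables pf's default drop of IPv4 packets with
# IP options / IPv6 packets with routing headers for all of this traffic.
# Unless something here depends on IP options (e.g. IGMP router-alert),
# remove 'allow-opts'.
pass out log from {any} to {any} keep state allow-opts

# bridge0: ssh, web, rsync and the proxy ports to this host.
pass in quick on bridge0 inet proto tcp from {(bridge0:network)} to {(self)} port {22 80 443 873 3128 3129} keep state
# Removed: 'pass in quick on vlan75 inet proto tcp from (bridge0:network) to
# (vlan75:network) port {22 80 443}'.  A packet arriving *in on vlan75* with a
# bridge0 source address can only be spoofed (routed traffic from bridge0's
# network enters on bridge0), and being 'quick' the rule overrode the
# 'antispoof for bridge0' block above.  To actually allow bridge0 -> vlan75 on
# 22/80/443 the rule must be 'pass in quick on bridge0 ...'.

# vlan12: ping, ssh, web, rsync and the plain proxy port to this host (3129
# is absent here, unlike bridge0/vlan75 - confirm whether that is intended),
# plus this host reaching vlan12 machines on the same services.  The two
# 'pass out quick' rules are already covered by the global 'pass out' above
# (which would additionally log them); kept as-is.
pass in quick on vlan12 inet proto icmp from {(vlan12:network)} to {(self)} keep state
pass in quick on vlan12 inet proto tcp from {(vlan12:network)} to {(self)} port {22 80 443 873 3128} keep state
pass out quick on vlan12 inet proto tcp from {(self)} to {(vlan12:network)} port {22 80 443 873} keep state
pass out quick on vlan12 inet proto icmp from {(self)} to {(vlan12:network)} keep state
# Removed: a copy of the TCP 'pass out' rule above with direction 'in'.
# Inbound packets on vlan12 whose source is one of this host's own addresses
# are by definition spoofed; 'antispoof for vlan12' drops them, but this
# 'quick' pass rule re-allowed them for TCP 22/80/443/873 towards vlan12
# hosts (which may trust the firewall's address, e.g. in rsync 'hosts allow').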