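# $OpenBSD: pf.conf,v 1.27 2004/03/02 20:13:55 cedric Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.

# --- Macros -----------------------------------------------------------------
# Interface macros are defined first so the options below can reference
# them instead of repeating the interface name literally.
ext_if="em0"
int_if="em1"
#[snip defines]
# NOTE(review): the host/network macros used by the rules below
# ($nat_gateway, $vpn_endpoint, $managed_switch, $gateway, $prozac, $paxil,
# $effexor, $effexor2, $zoloft, $vpn, $voip, $smtp, $pop, $www, $ldap, $ns,
# $ns1, $resolv) live in the snipped section; pfctl rejects the file if any
# of them is undefined.

# --- Options ----------------------------------------------------------------
# Interface whose packet/byte counters are exposed via "pfctl -s info".
set loginterface $int_if
# Blocked TCP gets a RST and other traffic an ICMP unreachable, instead of a
# silent drop; individual rules below still override this with "drop".
set block-policy return

# --- Normalization ----------------------------------------------------------
# Reassemble fragments and sanitise incoming packets before filtering.
scrub in

# --- Queueing ---------------------------------------------------------------
# Strict priority queueing on the external link: q_pri (7) is always served
# before q_def (1); q_def is the default queue for traffic no rule assigns.
altq on $ext_if priq bandwidth 3000Kb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 1 priq(default)

# --- Translation ------------------------------------------------------------
# Outbound NAT for the two internal networks. "nat pass" means translated
# packets are passed without being evaluated against the filter rules on
# $ext_if (pf.conf(5)); their inbound leg on $int_if is still filtered.
nat pass on $ext_if from 10.1.1/24 to any -> $nat_gateway
nat pass on $ext_if from 10.1.0/24 to any -> $nat_gateway

# --- Filtering --------------------------------------------------------------
# Default inbound policy: block and log. Not "quick", so any later matching
# pass rule overrides it.
block return in log
# Hard drop on every interface and in both directions, ahead of all pass
# rules. NOTE(review): 445 is SMB; 5554/9996 look like the 2004 Sasser
# worm's FTP/backdoor ports -- confirm the list is still intentional.
block drop quick proto { tcp, udp } from any to any port { 445, 5554, 9996 }

# Every ICMP type is accepted statefully on every interface.
# NOTE(review): restricting this to "icmp-type echoreq" on $ext_if is the
# usual tightening; left as-is here.
pass in proto icmp all keep state
# Outbound traffic is allowed and placed in the default queue.
pass out keep state queue q_def
# Same, but states toward the VPN endpoint keep a per-source tracking entry
# (src.track) for 3600 seconds.
pass out from any to $vpn_endpoint keep state ( src.track 3600 ) queue q_def
# Loopback and the internal interface are fully trusted: everything seen on
# them is passed immediately ("quick").
pass quick on { lo $int_if }
# Drop packets that claim a lo/$int_if source address. NOTE(review): because
# the "pass quick" above matches first for packets arriving on lo/$int_if,
# these blocks only act on packets arriving on other interfaces ($ext_if).
antispoof quick for { lo $int_if }

# The managed switch must never talk across, or be reached from, the
# external interface; its own attempts are logged.
block log quick on $ext_if from $managed_switch to any
block quick on $ext_if from any to $managed_switch

# SSH from anywhere to the listed hosts. synproxy completes the TCP handshake
# on the firewall before the server sees the connection, so spoofed SYN
# floods never reach the hosts. queue(q_def, q_pri): bulk data goes to
# q_def, low-delay/ACK packets to q_pri.
pass in on $ext_if proto tcp from any to { $gateway $prozac $paxil $effexor $effexor2 } port ssh synproxy state queue(q_def, q_pri)
# XXX - zoloft can't use synproxy when I ssh to myself.
pass in on $ext_if proto tcp from any to $zoloft port ssh modulate state queue(q_def, q_pri)
# NOTE(review): broadest rule in the set -- every protocol and port to these
# three hosts, on every interface. Confirm each host really needs that.
pass in from any to { $effexor2 $vpn $voip } keep state
# NOTE(review): no "on $int_if", so UDP syslog on $effexor2 is reachable via
# $ext_if as well; syslog is unauthenticated, so outside sources could fill
# or pollute the logs unless this is narrowed to internal sources.
pass in proto udp from any to $effexor2 port syslog keep state
# Public mail, web and directory services, all TCP and all synproxied.
pass in proto tcp from any to { $smtp $prozac } port { smtp submission 465 } synproxy state
pass in proto tcp from any to { $pop $smtp $prozac } port { pop3 pop3s imap imaps } synproxy state
pass in proto tcp from any to { $www $prozac } port { www https } synproxy state
# NOTE(review): plain ldap (389) is exposed alongside ldaps; confirm the
# directory is meant to be queried over cleartext from any interface.
pass in proto tcp from any to { $ldap $prozac } port { ldap ldaps } synproxy state
# DNS over TCP and UDP to the name servers and resolver.
pass in proto { tcp udp } from any to { $ns $ns1 $zoloft $resolv } port domain keep state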