
Script



I have made a small PF script for my agency, but I don't know whether it is
really correct and effective. If anyone could take a look and report any
problems they find, I would appreciate it...
Thanks a lot, and have a good day.
The script :
-------------
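# Macros
# Interfaces: external uplink, DMZ segment, internal ("ss1") segment.
ext_if="ep0"
dmz_if="ne3"
ss1_if="vr0"
# NOTE(review): the original defined fw=192.168.1.0 but no rule referenced it;
# dropped here as an unused macro.
dmz_net="192.168.151.0/24"
ss1_net="192.168.251.0/24"
# Port groups used by the queue-assignment filter rules below.
video = "{1720}"
ssh = "{ssh}"
chat = "{irc, 5190}"
http = "{http, https}"
mail = "{smtp, 993, 995}"
# Tables
# <spamd> is the source list for the spamd redirect in the Translation section.
# NOTE(review): <spamd-white> is declared but never referenced by any rule;
# if greylisting/whitelisting was intended, a rule using !<spamd-white> is
# also needed (see spamd(8)) — confirm.
table <spamd> persist
table <spamd-white> persist
# Options
# Drop silently rather than send RST/ICMP unreachable for blocked packets.
set block-policy drop
set loginterface $ext_if
set timeout interval 10
set timeout frag 30
# NOTE(review): every pass rule below keeps state; a 2500-entry state table
# is small for a multi-segment firewall — new connections are refused once it
# fills. Confirm the limit against expected concurrent flows.
set limit { frags 5000, states 2500 }
set optimization aggressive
# Normalization
# Reassemble fragments and clamp MSS on the external interface only.
scrub in on $ext_if all fragment reassemble min-ttl 15 max-mss 1400
# Queues
# pf.conf has no implicit line continuation; the wrapped lines in the posted
# copy are rejoined here so the ruleset parses.
altq on $dmz_if cbq bandwidth 3Mb queue { dmz_default, dmz_http, dmz_ssh, dmz_mail }
queue dmz_default cbq(default ecn)
queue dmz_http bandwidth 10% priority 3
queue dmz_ssh bandwidth 100Kb priority 7 cbq(borrow)
queue dmz_mail priority 1
altq on $ss1_if cbq bandwidth 6Mb queue { ss1_default, ss1_http, ss1_ssh, ss1_mail, ss1_chat, ss1_video }
queue ss1_default cbq(default ecn)
queue ss1_http bandwidth 20% priority 3
queue ss1_ssh bandwidth 100Kb priority 7 cbq(borrow)
queue ss1_mail priority 1
queue ss1_chat priority 1
queue ss1_video bandwidth 1Mb priority 7 cbq(red)
# NOTE(review): this altq reuses the ss1_* queue names already attached to
# $ss1_if, and no queue definitions follow it. Queue names are expected to be
# unique; define a separate ext_* set for $ext_if — confirm intended layout.
altq on $ext_if cbq bandwidth 6Mb queue { ss1_default, ss1_http, ss1_ssh, ss1_mail, ss1_chat, ss1_video }
# Translation
# Outbound NAT for everything not originating from the external interface itself.
nat on $ext_if from !($ext_if) -> ($ext_if:0)
# Known spam sources are diverted to the local spamd; "rdr pass" also admits
# the redirected traffic, so no separate filter rule is needed for it.
rdr pass on $ext_if proto tcp from <spamd> to port smtp -> 127.0.0.1 port spamd
# NOTE(review): the plain "rdr" rules below only rewrite the destination; the
# redirected packets are still subject to "block all" and there is no
# "pass in on $ext_if" rule for them, so these services are unreachable from
# outside. Either use "rdr pass" or add matching pass-in rules per service.
# NOTE(review): port 21 (ftp) is forwarded to port 22 (ssh) on .150 — confirm
# this is intentional rather than a typo.
rdr on $ext_if proto tcp from any to any port 21 -> 192.168.151.150 port 22
rdr on $ext_if proto tcp from any to any port 25 -> 192.168.151.2
rdr on $ext_if proto tcp from any to any port 80 -> 192.168.151.150
rdr on $ext_if proto tcp from any to any port 443 -> 192.168.151.150
rdr on $ext_if proto tcp from any to any port 993 -> 192.168.151.150
rdr on $ext_if proto tcp from any to any port 995 -> 192.168.151.150
rdr on $ext_if proto tcp from any to any port 14657 -> 192.168.151.57
rdr on $ext_if proto tcp from any to any port 14677 -> 192.168.151.77
rdr on $ext_if proto tcp from any to any port 22722 -> 192.168.151.77 port 22
rdr on $ext_if proto tcp from any to any port 20002 -> 192.168.151.77 port 2003
rdr on $ext_if proto udp from any to any port 14657 -> 192.168.151.57
# NOTE(review): the original ended with a second, byte-identical tcp rdr for
# port 14677 -> 192.168.151.77; removed as a duplicate. If a udp redirect for
# 14677 was intended (mirroring the 14657 pair), it must be added explicitly.
# Filters
# Default deny. Consider "block log all" so drops are visible on pflog0, and
# "antispoof quick for { lo $dmz_if $ss1_if }" to reject packets arriving on
# the wrong interface for their source address.
block all
# NOTE(review): "pass in on $dmz_if ... to $dmz_net" matches only packets that
# both enter on the DMZ interface and are addressed to the DMZ segment.
# Internet-to-DMZ traffic enters on $ext_if and leaves on $dmz_if, and DMZ-to-
# Internet traffic enters on $dmz_if with a non-DMZ destination; neither is
# passed by the rules below. Confirm the intended interface/direction pairing.
pass in on $dmz_if inet proto tcp from any to $dmz_net port $http flags S/SA keep state queue dmz_http
pass in on $dmz_if inet proto tcp from any to $dmz_net port $ssh flags S/SA keep state queue dmz_ssh
pass in on $dmz_if inet proto tcp from any to $dmz_net port $mail flags S/SA keep state queue dmz_mail
pass in on $dmz_if inet proto tcp from any to $dmz_net keep state queue dmz_default
pass in on $ss1_if inet proto tcp from any to $ss1_net port $http flags S/SA keep state queue ss1_http
pass in on $ss1_if inet proto tcp from any to $ss1_net port $ssh flags S/SA keep state queue ss1_ssh
pass in on $ss1_if inet proto tcp from any to $ss1_net port $mail flags S/SA keep state queue ss1_mail
# The two udp rules carry no "keep state", unlike every other pass rule here;
# NOTE(review): $chat includes irc, which is a tcp service — confirm protocol.
pass in on $ss1_if inet proto udp from any to $ss1_net port $chat queue ss1_chat
pass in on $ss1_if inet proto udp from any to $ss1_net port $video queue ss1_video
# NOTE(review): assigns a $dmz_if queue to traffic entering on $ss1_if;
# queueing applies on the egress interface, so this only has effect if the
# packet leaves via $dmz_if — confirm.
pass in on $ss1_if inet proto tcp from any to $dmz_net keep state queue dmz_default
# Outbound from each internal segment. The original referenced the undefined
# macro $_if here (pfctl rejects the whole ruleset on an undefined macro);
# $dmz_if is the evident intent given the parallel $ss1_if rule.
pass out quick on $dmz_if from $dmz_net to any modulate state
pass out quick on $ss1_if from $ss1_net to any modulate state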
-------------