# pf.conf for a small gateway: LAN on sk0, uplink on xl0
int_if="sk0"
ext_if="xl0"
lan_work="192.168.100.0/24"
udp_srv="{ 53, 1700, 1325, 3010 }"
# Note: 123 (NTP) is a UDP service; it is kept in the TCP list as posted, but will not pass NTP
tcp_srv="{ 22, 25, 53, 110, 123, 443, 465, 995, 1700, 3900, 4040, 8443, 9091, 9080, 9443 }"
icmp_types="{ echoreq, unreach }"
# Martian ranges that must never be seen on the uplink. The RFC 1918 block is 172.16.0.0/12
# (the posted /16 left 172.17.0.0-172.31.255.255 unfiltered); 127.0.0.0/8 was missing and is added.
priv_net="{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8, 0.0.0.0/8, 169.254.0.0/16, 224.0.0.0/4, 240.0.0.0/4 }"

set block-policy drop
set skip on lo0
# The posted ruleset also had "set skip on $int_if". That turns pf off on sk0 entirely, so the
# rdr to squid, the antispoof for $int_if and every rule "on $int_if" below were dead. Removed.

scrub in on $ext_if all no-df
scrub on $ext_if all reassemble tcp
scrub out all

# NAT the LAN behind the uplink address; "nat pass" lets translated packets bypass the filter rules
nat pass on $ext_if from $lan_work to any -> ($ext_if)
# Transparent proxy: LAN web traffic is redirected to the local squid on port 3128
rdr on $int_if proto tcp from $lan_work to any port 80 -> 127.0.0.1 port 3128

antispoof quick for $int_if
antispoof quick for $ext_if

# No rule in this file assigns the "scanning" tag, so this rule never matches anything;
# it is left as posted (harmless, but needs a matching "tag scanning" rule to do anything)
pass in quick proto tcp tagged scanning flags S/SA modulate state

# Table filled by sshguard(8) with addresses caught brute-forcing SSH
table <sshguard> persist
block in quick on $ext_if proto tcp from <sshguard> to any port 22 label "ssh bruteforce"

# Default deny, then drop martians in both directions on the uplink
block all
block drop in quick on $ext_if from $priv_net to any
block drop out quick on $ext_if from any to $priv_net

# Services offered to the Internet by this host (destination limited to $ext_if, like the TCP rule;
# the posted UDP rule said "to any" and had no keep state)
pass in on $ext_if inet proto tcp from any to $ext_if port $tcp_srv flags S/SA keep state
pass in on $ext_if inet proto udp from any to $ext_if port $udp_srv keep state

# LAN side: the first rule already passes all LAN traffic with quick, so the UDP rule after it is redundant
pass in quick on $int_if from $int_if:network to any keep state
pass in quick on $int_if inet proto { udp } from $int_if:network to any port $udp_srv keep state
pass out on $int_if from any to $int_if:network keep state

# Outbound from the gateway itself
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp, gre } all keep state

# Echo request / unreachable, stateful so the replies are matched
pass in inet proto icmp all icmp-type $icmp_types keep state
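Two of the problems in the posted ruleset ("set skip on $int_if" silently disabling every rule on sk0, and "tagged scanning" with no rule that ever sets the tag) are the kind pfctl -nf does not report, because the syntax is valid. Below is a small static checker for exactly those mistakes, plus a check that RFC 1918 macros use the right prefix length. This is an added example, not code from the post or from pf; the ruleset embedded in it is a constructed copy of the original as posted (defects included) so the checks have something to flag, and the finding names (dead-rule-skip, tag-never-set, wrong-prefix) are my own.

```python
import ipaddress
import re

# Constructed input: the ruleset as originally posted, before any corrections.
POSTED_RULESET = """\
int_if="sk0"
ext_if="xl0"
lan_work="192.168.100.0/24"
udp_srv="{53, 1700, 1325, 3010}"
icmp_types="{ echoreq, unreach }"
priv_net="{ 10.0.0.0/8, 172.16.0.0/16, 0.0.0.0/8, 169.254.0.0/16, 224.0.0.0/4, 240.0.0.0/4, 192.168.0.0/16 }"
set block-policy drop
set skip on lo0
set skip on $int_if
scrub in on xl0 all no-df
nat pass on $ext_if from $lan_work to any -> ($ext_if)
rdr on $int_if proto tcp from $lan_work to any port 80 -> 127.0.0.1 port 3128
antispoof quick for $int_if
antispoof quick for $ext_if
pass in quick proto tcp tagged scanning flags S/SA modulate state
table <sshguard> persist
block all
pass in quick on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
"""

MACRO_RE = re.compile(r'^(\w+)\s*=\s*"([^"]*)"\s*$')
# interface a rule is bound to: "on IFACE", "antispoof ... for IFACE", with optional parens
IFACE_RE = re.compile(r"\b(?:on|for)\s+\(?([A-Za-z][\w.]*)\)?")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse(text):
    """Return (macros, rules); $macro references in rules are expanded."""
    macros, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        rules.append(re.sub(r"\$(\w+)", lambda mm: macros.get(mm.group(1), mm.group(0)), line))
    return macros, rules


def skipped_interfaces(rules):
    """Interfaces named in 'set skip on ...' (single name or a { a b } list)."""
    skipped = set()
    for r in rules:
        if r.startswith("set skip on "):
            rest = r[len("set skip on "):]
            skipped.update(rest.replace("{", " ").replace("}", " ").replace(",", " ").split())
    return skipped


def check(text):
    """Return a list of (kind, rule_or_macro, details) findings."""
    macros, rules = parse(text)
    findings = []
    skipped = skipped_interfaces(rules)
    # tags that some rule actually assigns ("tag NAME"); "tagged" does not match "\btag\s"
    tags_set = set(re.findall(r"\btag\s+(\w+)", " ".join(rules)))
    for r in rules:
        if r.startswith("set "):
            continue
        dead = set(IFACE_RE.findall(r)) & skipped
        if dead:  # rule is bound to an interface pf has been told to ignore
            findings.append(("dead-rule-skip", r, sorted(dead)))
        for t in re.findall(r"\btagged\s+(\w+)", r):
            if t not in tags_set:  # matches on a tag nothing ever sets
                findings.append(("tag-never-set", r, [t]))
    # RFC 1918 networks written with the wrong prefix length (e.g. 172.16.0.0/16)
    for name, value in macros.items():
        for cidr in re.findall(r"\d+\.\d+\.\d+\.\d+/\d+", value):
            net = ipaddress.ip_network(cidr, strict=False)
            for ref in RFC1918:
                if net.network_address == ref.network_address and net.prefixlen != ref.prefixlen:
                    findings.append(("wrong-prefix", f"{name}: {cidr}", [str(ref)]))
    return findings


if __name__ == "__main__":
    for kind, where, details in check(POSTED_RULESET):
        print(f"{kind:15} {details}  <- {where}")
```

Run it against a real file with open("/etc/pf.conf").read() in place of POSTED_RULESET. It only understands the macro and rule forms used in this post (no anchors, no include), so treat it as a pre-commit sanity check, not a replacement for pfctl -nf and pfctl -sr after loading.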