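# pf.conf: NAT + packet filter for a small LAN (rl0) behind one WAN link (xl0),
# with a transparent web proxy on the loopback interface.
#
# Fixes applied to the pasted ruleset (each one was a parse error that makes
# pfctl reject the whole file):
#   * "lock drop" -> "block drop" in the IPv6 rule.
#   * "<fc1918>"  -> "<rfc1918>" (the table declared below).
#   * the SSH/POP3 rules reference <ip_in> while the table was declared as
#     <ip_ints>; the table is now declared as <ip_in> to match its references
#     and its backing file name.
# Two lines were cut off in the paste (SSH rate-limit rule, <ip_permit> rule);
# see the NOTE(review) comments on them before deploying.

# ---- Macros -----------------------------------------------------------------
wan_if="xl0"
lan_if="rl0"
loo_if="lo0"
def_host="x.x.x.x"           # not referenced by any rule in this file
local_host="192.168.240.100"
lan_addr="192.168.240.0/24"
ext_addr="x.x.x.x"
#=================================================================
# ---- Normalisation: reassemble fragments / sanitise packets on the WAN side --
scrub in on $wan_if all
scrub out on $wan_if all
#=================================================================
# ---- Tables -----------------------------------------------------------------
# "persist" keeps a table alive even when no rule references it, so entries
# added at runtime (e.g. by the overload rule below) survive a ruleset reload.
table <ip_in> persist file "/usr/local/etc/pf_table/ip_in"
table <ip_black> persist file "/usr/local/etc/pf_table/ip_black"
table <ssh_bruteforce> persist file "/usr/local/etc/pf_table/ssh_bruteforce"
table <ip_spam> persist file "/usr/local/etc/pf_table/ip_spam"       # declared but unused below
table <ip_permit> persist file "/usr/local/etc/pf_table/ip_permit"
table <ip_deny> persist file "/usr/local/etc/pf_table/ip_deny"       # declared but unused below
table <rfc1918> const { 10/8, 192.168/16, 172.16/12 }
#================================================================================================================
# ---- Translation ------------------------------------------------------------
# Masquerade LAN traffic behind the WAN address, and redirect LAN web traffic
# (except traffic aimed at the local host itself) to the proxy on lo0:3128.
nat on $wan_if from $lan_addr to any -> $wan_if
rdr on $lan_if inet proto { tcp, udp } from $lan_addr to ! $local_host port { www, 8080 } -> $loo_if port 3128
#================================================================================================================
# ---- Loopback is trusted ----------------------------------------------------
pass in quick on $loo_if all
pass out quick on $loo_if all
#====================================================================
# ---- Early drops on the WAN side (quick: no later rule can override) --------
block drop in quick on $wan_if inet6 all
block drop in quick on $wan_if from any to 255.255.255.255
# Private source addresses must never arrive on the WAN link; <ip_black> is the
# operator-maintained deny list.
block drop in quick on $wan_if from { <rfc1918>, <ip_black> } to any
# Sources that tripped the SSH rate limit (filled by the overload rule below).
block drop in quick on $wan_if from <ssh_bruteforce>
# Log and drop TCP packets with contradictory flag combinations (SYN+FIN, SYN+RST).
block in log quick on $wan_if proto tcp from any to any flags SF/SF
block in log quick on $wan_if proto tcp from any to any flags SR/SR
antispoof for { $loo_if, $lan_if, $wan_if }
#====================================================================
#=============================== WAN ================================
# Default deny inbound; consider "block in log on $wan_if" so dropped probes
# reach pflog for detection.
block in on $wan_if
# NOTE(review): smtp and ftp are TCP services; the udp half of this rule
# opens UDP/25 and UDP/21 on the WAN for no benefit. Confirm and narrow to "proto tcp".
pass in quick on $wan_if proto { tcp, udp } from any to $ext_addr port { smtp, ftp } keep state
# SSH and POP3 from the allow-list only. Note that the rate-limited rule further
# down passes SSH from *any* source and is evaluated later (last match wins), so
# this restriction on port 22 is effectively superseded by it.
pass in on $wan_if inet proto { tcp, udp } from <ip_in> to $ext_addr port 22 keep state
# No "keep state" here: on pf versions without implicit state this rule is
# stateless, and the reply direction relies on "pass out ... keep state" below.
pass in on $wan_if inet proto { tcp, udp } from <ip_in> to $ext_addr port 110
# All ICMP types are accepted; restricting to "icmp-type echoreq" is the usual
# hardening if only ping is needed.
pass in on $wan_if inet proto icmp from any to $wan_if keep state
# Rate-limited SSH: more than 4 new connections per 30 s from one source moves
# that source into <ssh_bruteforce>, where the quick block rule above drops it.
# NOTE(review): the original line was cut off after "overload <s"; <ssh_bruteforce>
# is the only table on the page starting with "s". Confirm whether a "flush"
# option followed the table name.
pass in on $wan_if proto tcp from any to $wan_if port 22 flags S/SA modulate state (max-src-conn-rate 4/30, overload <ssh_bruteforce>)
pass out on $wan_if keep state
#=========================== END of WAN =============================
#====================================================================
#=============================== LAN ================================
block in on $lan_if
pass in quick on $lan_if inet proto icmp from $lan_addr to any keep state
pass in quick on $lan_if inet proto tcp from $lan_addr to any port { smtp, pop3, ftp } keep state
# DNS only to the local resolver; the LAN cannot query arbitrary outside servers.
pass in on $lan_if inet proto { tcp, udp } from $lan_addr to $local_host port 53 keep state
# Hosts in <ip_permit> get a wider set of outbound ports.
# NOTE(review): the original line was cut off after "5190"; the port list is
# closed here so the file parses, but any ports or options that followed in
# the original must be restored.
pass in quick on $lan_if inet proto { tcp, udp } from <ip_permit> to any port { 22, 25, 80, 110, 443, 2121, 3128, 5190 }
pass out on $lan_if keep state
#=========================== END of LAN =============================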