В итоге имею нерабочий конф
ext_if="rl1"
# pf.conf (OpenBSD/FreeBSD pf) for a dual-homed gateway: $ext_if (defined above)
# faces the Internet, $int_if is the LAN 192.168.1.0/24. Sections follow the
# order pf requires: options, normalization, translation (nat/rdr), filtering.
#
# NOTE(review): the macros $ext2_addr, $int_addr, $ports and $dns_srv are
# defined here but never referenced by any rule below.
int_if="rl0"
int_net="192.168.1.0/24"
ext2_addr="111.111.111.111"
# Public address used as the NAT source and as the rdr target address.
ext_addr="222.222.222.222"
int_addr="{192.168.1.18, 192.168.1.2}"
ports="{ 25, 110, 995, 465, 143, 993, 3389}"
# LAN hosts that are translated to $ext_addr when going out.
srvs="{192.168.1.18, 192.168.1.2, 192.168.1.1, 192.168.1.3, 192.168.1.16}"
dns_srv="{192.168.1.3, 192.168.1.2, 217.196.24.242}"
# Mail server: every mail-port rdr below points here.
mx_srv="192.168.1.1"
# Options
# Blocked packets are silently dropped (no TCP RST / ICMP unreachable is sent).
set block-policy drop
# Do not filter on the loopback interface (lo0).
set skip on lo0
set fingerprints "/etc/pf.os"
# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all fragment reassemble
# Translation. For nat/rdr rules the FIRST matching rule wins.
#nat on $ext_if from 192.168.1.117 to any -> $ext_addr
nat on $ext_if from 192.168.1.68 to any -> $ext_addr
# NOTE(review): the whole-LAN NAT is commented out, so LAN hosts other than
# 192.168.1.68 and the members of $srvs get no translation to $ext_addr.
#nat on $ext_if from $int_net to any -> $ext_addr
nat on $ext_if from $srvs to any -> $ext_addr
# Servers NAT
# NOTE(review): same source/destination as the rule directly above. Because the
# first matching nat rule wins, this "nat pass" variant is never reached, so any
# intended filter bypass for $srvs does not take effect.
nat pass on $ext_if from $srvs to any -> $ext_addr
# Port forwards from $ext_addr to LAN hosts. rdr rewrites the destination
# before the filter rules see the packet, so filter rules must match the
# internal address/port, not $ext_addr.
# Web: public 8880 -> 192.168.1.18:80
rdr on $ext_if proto tcp from any to $ext_addr port 8880 -> 192.168.1.18 port 80
# Mail: POP3, POP3S, SMTP, SMTPS, IMAP, IMAPS -> $mx_srv (192.168.1.1)
rdr on $ext_if proto tcp from any to $ext_addr port 110 -> 192.168.1.1 port 110
rdr on $ext_if proto tcp from any to $ext_addr port 995 -> 192.168.1.1 port 995
rdr on $ext_if proto tcp from any to $ext_addr port 25 -> 192.168.1.1 port 25
rdr on $ext_if proto tcp from any to $ext_addr port 465 -> 192.168.1.1 port 465
rdr on $ext_if proto tcp from any to $ext_addr port 143 -> 192.168.1.1 port 143
rdr on $ext_if proto tcp from any to $ext_addr port 993 -> 192.168.1.1 port 993
# RDP: public 3389/3390/3391 -> port 3389 on three different LAN hosts.
# NOTE(review): the source is "any"; with "pass all" below nothing restricts
# which addresses may reach these forwards.
rdr on $ext_if proto tcp from any to $ext_addr port 3389 -> 192.168.1.16 port 3389
rdr on $ext_if proto tcp from any to $ext_addr port 3390 -> 192.168.1.3 port 3389
rdr on $ext_if proto tcp from any to $ext_addr port 3391 -> 192.168.1.1 port 3389
# Public 1352 -> 192.168.1.16:1352
rdr on $ext_if proto tcp from any to $ext_addr port 1352 -> 192.168.1.16 port 1352
#rdr on $ext_if proto tcp from any to $ext_addr port 443 -> 192.168.1.1 port 443
# Filtering. pf evaluates filter rules last-match-wins, except rules marked
# "quick", which are final as soon as they match.
#
# NOTE(review): "pass all" makes the default policy allow-everything. Every
# "pass" rule below is therefore redundant, and only the "block ... quick" rules
# at the end restrict anything. The commented-out "block all" is what would make
# the pass rules meaningful (and give "set block-policy drop" something to do).
pass all
#block all
#block all
##################### ONLY FOR TEST!!! ##################
###### DELETE OR COMMENT AFTER INSTALL !!!###############
# Per-host TCP pass rules for 192.168.1.3, .2, .18 and .1, in both directions
# on both interfaces (the author marks this block as temporary).
pass out proto tcp from $int_net to any keep state
pass out on $int_if proto tcp from 192.168.1.3 to any keep state
pass out on $int_if proto tcp from any to 192.168.1.3 keep state
pass out on $ext_if proto tcp from 192.168.1.3 to any keep state
pass out on $ext_if proto tcp from any to 192.168.1.3 keep state
pass in on $int_if proto tcp from 192.168.1.3 to any keep state
pass in on $int_if proto tcp from any to 192.168.1.3 keep state
pass in on $ext_if proto tcp from 192.168.1.3 to any keep state
pass in on $ext_if proto tcp from any to 192.168.1.3 keep state
pass out on $int_if proto tcp from 192.168.1.2 to any keep state
pass out on $ext_if proto tcp from 192.168.1.2 to any keep state
pass in on $int_if proto tcp from 192.168.1.2 to any keep state
pass in on $ext_if proto tcp from 192.168.1.2 to any keep state
pass out on $int_if proto tcp from 192.168.1.18 to any keep state
pass out on $ext_if proto tcp from 192.168.1.18 to any keep state
pass in on $int_if proto tcp from 192.168.1.18 to any keep state
pass in on $ext_if proto tcp from 192.168.1.18 to any keep state
pass out on $int_if proto tcp from 192.168.1.1 to any keep state
pass out on $ext_if proto tcp from 192.168.1.1 to any keep state
pass in on $int_if proto tcp from 192.168.1.1 to any keep state
pass in on $ext_if proto tcp from 192.168.1.1 to any keep state
#########################################################
####################### PING ###########################
# LAN-to-LAN echo requests on the internal interface.
pass in on $int_if proto icmp from $int_net to $int_net icmp-type echoreq
pass out on $int_if proto icmp from $int_net to $int_net icmp-type echoreq
# NOTE(review): the "pass in" rule matches inbound packets whose SOURCE is this
# host's own external address. Echo requests arriving from the Internet have
# the gateway as the destination ("to $ext_if"); as written, this rule does not
# admit them. The "pass out" rule correctly covers our own outgoing pings.
pass in on $ext_if proto icmp from $ext_if to any icmp-type echoreq keep state
pass out on $ext_if proto icmp from $ext_if to any icmp-type echoreq keep state
#########################################################
################### DNS #################################
# Port 53 over TCP and UDP, both directions, every interface, any source.
# NOTE(review): $dns_srv is not used here; "from any" inbound also admits
# port 53 on $ext_if, which matters once a default "block all" is in place.
pass in proto tcp from any to any port 53 keep state
pass in proto udp from any to any port 53 keep state
pass out proto tcp from any to any port 53 keep state
pass out proto udp from any to any port 53 keep state
#########################################################
########## MAIL SERVER ##############################
# Each mail service is allowed twice: to $ext_addr and to $mx_srv. Since rdr
# rewrites the destination before filtering, the "$ext_addr" rules never match
# the redirected traffic; the "$mx_srv" rules are the ones that apply.
#########################################################
############ SMTP External ##############################
pass in proto tcp from any to $ext_addr port 25 keep state
pass out proto tcp from any to $ext_addr port 25 keep state
pass in proto tcp from any to $mx_srv port 25 keep state
pass out proto tcp from any to $mx_srv port 25 keep state
#########################################################
############ SMTPS External #############################
pass in proto tcp from any to $ext_addr port 465 keep state
pass out proto tcp from any to $ext_addr port 465 keep state
pass in proto tcp from any to $mx_srv port 465 keep state
pass out proto tcp from any to $mx_srv port 465 keep state
#########################################################
############ POP3 External ##############################
pass in proto tcp from any to $ext_addr port 110 keep state
pass out proto tcp from any to $ext_addr port 110 keep state
pass in proto tcp from any to $mx_srv port 110 keep state
pass out proto tcp from any to $mx_srv port 110 keep state
#########################################################
############ POP3S External #############################
pass in proto tcp from any to $ext_addr port 995 keep state
pass out proto tcp from any to $ext_addr port 995 keep state
pass in proto tcp from any to $mx_srv port 995 keep state
pass out proto tcp from any to $mx_srv port 995 keep state
#########################################################
############ IMAP External ##############################
pass in proto tcp from any to $ext_addr port 143 keep state
pass out proto tcp from any to $ext_addr port 143 keep state
pass in proto tcp from any to $mx_srv port 143 keep state
pass out proto tcp from any to $mx_srv port 143 keep state
#########################################################
############ IMAPS External #############################
pass in proto tcp from any to $ext_addr port 993 keep state
pass out proto tcp from any to $ext_addr port 993 keep state
pass in proto tcp from any to $mx_srv port 993 keep state
pass out proto tcp from any to $mx_srv port 993 keep state
#########################################################
############### END OF MAIL SERVER ######################
#########################################################
############### USERS CONFIG ############################
# (empty: no per-user rules are defined in this section)
#########################################################
#########################################################
################ BLOCK LIST #####################
# "quick" rules: the first one that matches is final, regardless of the
# "pass all" above or any later rule.
#########################################################
#***************************** SYS PORTS **************************#
# Inbound TCP 3306 and 10000 on the external interface.
block in quick on $ext_if proto tcp from any to any port 3306
block in quick on $ext_if proto tcp from any to any port 10000
#
# A loopback source address arriving on the LAN interface is spoofed; drop it.
block in quick on $int_if proto tcp from 127.0.0.1 to any
# Outbound TCP to port 3128 and to a handful of specific external hosts.
block out quick on $ext_if proto tcp from any to any port 3128
block out quick on $ext_if proto tcp from any to 207.176.6.65
block out quick on $ext_if proto tcp from $ext_if to 207.176.6.149
block out quick on $ext_if proto tcp from $ext_if to 72.35.77.43
# NOTE(review): 228.53.64.170 is inside the multicast range 224.0.0.0/4; a TCP
# connection to such a destination cannot occur, so this rule never matches.
block out quick on $ext_if proto tcp from $ext_if to 228.53.64.170
block out quick on $ext_if proto tcp from $ext_if to 61.159.224.176
#########################################################
################ THE END Config #####################
#########################################################
старый почтарь висит на 192.168.1.1
тыкните носом чего я накосячил в конфиге