Gholam Mostafa Faridi <[email protected]> writes:
> In our workplace, we have over 24 computers and all of them are Windows,
> and I have a NAT server. This NAT server uses FreeBSD 8.2 AMD64, and
> I use PF for NAT with FreeBSD 8.2. After much searching on Google, I
> found this pf.conf

FreeBSD 8's PF uses the old NAT and scrub syntax, so you will have to
change those.

This block is superfluous (assuming you do not actually tweak, only
stating defaults):

> ############################### OPTIONS
> ############################################################
> #Default behaviour
> set timeout { interval 10, frag 30 }
> set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
> set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
> set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
> set timeout { icmp.first 20, icmp.error 10 }
> set timeout { other.first 60, other.single 30, other.multiple 60 }
> set timeout { adaptive.start 0, adaptive.end 0 }
> set limit { states 10000, frags 5000 }
> set loginterface $ext_if
> set optimization normal
> set block-policy drop
> set require-order yes
> set fingerprints "/etc/pf.os"
> set skip on lo0
> #set state-policy if-bound
> #Filter traffic for unusual packets
> scrub in all

match in all (no-df max-mss 1440) # or whatever fits your setup

> #NAT for the external traffic
> #Mask internal ip addresses with actual external ip address
> #nat pass on $ext_if from $Local_net to any -> $SERVER
>
> nat pass on $ext_if from $paltalk1 to any -> $NAT1

All of these would be, in the new syntax, something like

pass on $ext_if from $theonething nat-to $NATtheother

or you could rewrite to use match rules.

- Peter
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
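As an added illustration (not part of the thread), the NAT setup for a small Windows LAN written first in the old syntax that FreeBSD 8.2's PF expects and then in the newer OpenBSD 4.7-and-later syntax Peter refers to; the interface names and the address range are assumptions. The two halves are alternatives, not one loadable file; `pfctl -nf <file>` parses either one without loading it.

```pf
# Constructed example, not from the thread. Interface names and the
# address range are assumptions; adjust to the real setup.
ext_if    = "em0"              # interface towards the ISP
int_if    = "em1"              # interface towards the Windows LAN
local_net = "192.168.10.0/24"  # the ~24 Windows machines

############################################################
# (A) Old syntax: what FreeBSD 8.2's PF accepts.
# Sections are ordered: options, scrub, queueing, translation
# (nat/rdr/binat), then filter rules. "nat pass" translates and
# lets the packet through without evaluating the filter rules.
############################################################
set skip on lo0
set block-policy drop

scrub in all no-df max-mss 1440

# "($ext_if)" in parentheses tracks the interface address if it changes.
nat pass on $ext_if from $local_net to any -> ($ext_if)

block all
pass in quick on $int_if from $local_net to any   # state kept by default
pass out quick on $ext_if

############################################################
# (B) New syntax: OpenBSD 4.7 and later (not FreeBSD 8.2).
# No separate scrub or nat sections: normalisation and translation
# are options on match/pass rules, evaluated in ruleset order.
############################################################
set skip on lo0
set block-policy drop

match in all scrub (no-df max-mss 1440)

# Translation as a match rule; the pass rules below decide what flows.
match out on $ext_if from $local_net to any nat-to ($ext_if)

block all
pass in quick on $int_if from $local_net to any
pass out quick on $ext_if
```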