On 11/07/2011 02:47 AM, Peter N. M. Hansteen wrote:
Gholam Mostafa Faridi<[email protected]> writes:
In work place , we have over 24 computer and all of them are windows
and , I have NAT server . this NAT server use FreeBSD 8.2 AMD 64 , and
I use PF for NAT with FreeBSD 8.2 . after many search in google , I
find this pf.conf
FreeBSD 8's PF uses the old NAT and scrub syntax, so you will have to
change those.
This block is superfluous (assuming you do not actually tweak, only
stating defaults)
############################### OPTIONS
############################################################
#Default behaviour
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 10000, frags 5000 }
set loginterface $ext_if
set optimization normal
set block-policy drop
set require-order yes
set fingerprints "/etc/pf.os"
set skip on lo0
#set state-policy if-bound
#Filter traffic for unusual packets
scrub in all
match in all (no-df max-mss 1440) # or whatever fits your setup
#NAT for the external traffic
#Mask internal ip addresses with actual external ip address
#nat pass on $ext_if from $Local_net to any -> $SERVER
nat pass on $ext_if from $paltalk1 to any -> $NAT1
all of these would be in the new syntax something like
pass on $ext_if from $theonething nat-to $NATtheother
or you could rewrite to use match rules.
- Peter
thanks
all guys.
So I must change my pf.conf like this
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
cat /usr/local/pf/pf.conf
# $FreeBSD: src/share/examples/pf/faq-example1,v 1.1 2004/09/14 01:07:18
mlaier Exp $
# $OpenBSD: faq-example1,v 1.2 2003/08/06 16:04:45 henning Exp $
# Edited by: mfaridi
################################ MACROS
############################################################
ext_if = "sk0"
int_if = "re0"
External_net = "10.10.10.192/27"
Local_net = "192.168.0.0/24"
Local_Web = "192.168.0.10"
Local_Srv = "192.168.0.1"
Prtcol = "{ tcp, udp }"
Admin_IP = "{ 10.10.10.192/27, 11.11.11.0/21, 12.12.12.0/18 }"
ICMP_Types = "{ echorep, unreach, squench, echoreq, timex }"
#Define ports for common internet services
#TCP_SRV = "{ 25, 53, 80, 110, 143, 443, 465, 587, 993, 995,
8443 }"
#UDP_SRV = "{ 53 }"
TCP_SRV = "{ 80, 443 }"
UDP_SRV = "{ }"
Samba_TCP = "{ 139, 445 }"
Samba_UDP = "{ 137, 138 }"
SERVER = "10.10.10.200"
NAT1 = "10.10.10.194"
NAT2 = "10.10.10.195"
NAT3 = "10.10.10.196"
NAT4 = "10.10.10.197"
NAT5 = "10.10.10.198"
NAT6 = "10.10.10.199"
NAT7 = "10.10.10.201"
NAT8 = "10.10.10.202"
NAT9 = "10.10.10.203"
NAT10 = "10.10.10.204"
NAT11 = "10.10.10.205"
NAT12 = "10.10.10.206"
NAT13 = "10.10.10.207"
NAT14 = "10.10.10.208"
NAT15 = "10.10.10.209"
NAT16 = "10.10.10.210"
NAT17 = "10.10.10.211"
NAT18 = "10.10.10.212"
NAT19 = "10.10.10.213"
NAT20 = "10.10.10.214"
NAT21 = "10.10.10.215"
NAT22 = "10.10.10.216"
NAT23 = "10.10.10.217"
NAT24 = "10.10.10.218"
NAT25 = "10.10.10.219"
#### All IP of Groups which can be connect to Internet
paltalk1 = "{ 192.168.0.20, 192.168.0.21, 192.168.0.22 }"
paltalk2 = "{ 192.168.0.23, 192.168.0.24, 192.168.0.25 }"
paltalk3 = "{ 192.168.0.26, 192.168.0.27, 192.168.0.28,
192.168.0.29 }"
webdsgn1 = "{ 192.168.0.30, 192.168.0.31, 192.168.0.32 }"
webdsgn2 = "{ 192.168.0.33, 192.168.0.34, 192.168.0.35 }"
webdsgn3 = "{ 192.168.0.36, 192.168.0.37, 192.168.0.38 }"
webdsgn4 = "{ 192.168.0.39, 192.168.0.40, 192.168.0.41 }"
webdsgn5 = "{ 192.168.0.42, 192.168.0.43, 192.168.0.44 }"
webdsgn6 = "{ 192.168.0.45, 192.168.0.46, 192.168.0.47 }"
webdsgn7 = "{ 192.168.0.48, 192.168.0.49, 192.168.0.50 }"
webdsgn8 = "{ 192.168.0.51, 192.168.0.52, 192.168.0.53,
192.168.0.54 }"
rased1 = "{ 192.168.0.60, 192.168.0.61, 192.168.0.62 }"
rased2 = "{ 192.168.0.63, 192.168.0.64, 192.168.0.65 }"
rased3 = "{ 192.168.0.66, 192.168.0.67, 192.168.0.68 }"
rased4 = "{ 192.168.0.69, 192.168.0.70 }"
rased5 = "{ 192.168.0.200, 192.168.0.201, 192.168.0.202,
192.168.0.203, 192.168.0.204, 192.168.0.205 }"
rased6 = "{ 192.168.0.206, 192.168.0.207, 192.168.0.208,
192.168.0.209, 192.168.0.210, 192.168.0.211 }"
rased7 = "{ 192.168.0.212, 192.168.0.213, 192.168.0.214,
192.168.0.215, 192.168.0.216, 192.168.0.217 }"
rased8 = "{ 192.168.0.218, 192.168.0.219, 192.168.0.220,
192.168.0.221, 192.168.0.222, 192.168.0.223, 192.168.0.224,
192.168.0.225 }"
admin1 = "{ 192.168.0.55, 192.168.0.56, 192.168.0.57 }"
admin2 = "{ 192.168.0.58, 192.168.0.59 }"
############################### TABLES
############################################################
#Define privileged network address sets
table <priv_nets> const { 127.0.0.0/8, 192.168.0.0/16, 13.13.0.0/12,
10.0.0.0/8, 0.0.0.0/8, \
14.14.0.0/16, 192.0.2.0/24, 15.15.15.0/23,
224.0.0.0/3 }
table <badguys> persist file "/usr/local/pf/Network/blocklist.lst"
table <hackers> persist file "/usr/local/pf/Network/hackers.lst"
#Define Favoured client hosts
table <Admin> persist file "/usr/local/pf/Network/Admin.lst"
table <Paltalk> persist file "/usr/local/pf/Network/Paltalk.lst"
table <WebDsgn> persist file "/usr/local/pf/Network/WebDsgn.lst"
table <Rased> persist file "/usr/local/pf/Network/Rased.lst"
table <LocalHost> const { self }
############################### OPTIONS
############################################################
#Default behaviour
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 10000, frags 5000 }
set loginterface $ext_if
set optimization normal
set block-policy drop
set require-order yes
set fingerprints "/etc/pf.os"
set skip on lo0
#set state-policy if-bound
############################### TRAFFIC NORMALIZATION
##############################################
#Filter traffic for unusual packets
scrub in all
############################### TRANSLATION
######################################################
#NAT for the external traffic
#Mask internal ip addresses with actual external ip address
#nat pass on $ext_if from $Local_net to any -> $SERVER
pass on $ext_if from $theonething nat-to $NATtheother
pass on $ext_if from $paltalk1 nat-to $NAT1
pass on $ext_if from $paltalk2 nat-to $NAT2
pass on $ext_if from $paltalk3 nat-to $NAT3
pass on $ext_if from $webdsgn1 nat-to $NAT4
pass on $ext_if from $webdsgn2 nat-to $NAT5
pass on $ext_if from $webdsgn3 nat-to $NAT6
pass on $ext_if from $webdsgn4 nat-to $NAT7
pass on $ext_if from $webdsgn5 nat-to $NAT8
pass on $ext_if from $webdsgn6 nat-to $NAT9
pass on $ext_if from $webdsgn7 nat-to $NAT10
pass on $ext_if from $webdsgn8 nat-to $NAT11
pass on $ext_if from $rased1 nat-to $NAT12
pass on $ext_if from $rased2 nat-to $NAT13
pass on $ext_if from $rased3 nat-to $NAT14
pass on $ext_if from $rased4 nat-to $NAT15
pass on $ext_if from $rased5 nat-to $NAT16
pass on $ext_if from $rased6 nat-to $NAT17
pass on $ext_if from $rased7 nat-to $NAT18
pass on $ext_if from $rased8 nat-to $NAT19
pass on $ext_if from $admin1 nat-to $NAT20
pass on $ext_if from $admin2 nat-to $NAT21
#rdr on $ext_if proto tcp from $Admin_IP to $SERVER port 5900 ->
192.168.0.100 port 5900
#rdr on $ext_if proto tcp from $Admin_IP to $SERVER port 2222 ->
192.168.0.50 port 22
############################### PACKET FILTERING
#################################################
# Default Rule
pass quick on { $ext_if, $int_if } all keep state
# End of File: pf.conf
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%5555
is my pf.conf correct right now and work in openbsd 5 without problem ?
thanks
