Difference between revisions of "OpenBSD Firewall / PF"
Line 11: | Line 11: | ||
Rulesdump | Rulesdump | ||
− | Date | + | Date 24-December-2011 |
− | + | ||
<pre> | <pre> | ||
Line 18: | Line 18: | ||
# PF Rules ACKspace gateway 2 | # PF Rules ACKspace gateway 2 | ||
− | |||
+ | ############################ | ||
+ | ### Macros / Definitions ### | ||
+ | ############################ | ||
+ | |||
+ | ## Interfaces ## | ||
+ | |||
+ | # WAN interface | ||
ext_if = "fxp0" | ext_if = "fxp0" | ||
− | int_if = "{ | + | # LAN interface |
+ | int_if = "fxp1" | ||
+ | |||
+ | # VLAN interfaces (ALLDAY / VLAN33 Excluded) | ||
+ | vlan_if = "{ \ | ||
vlan10 vlan11 vlan12 vlan13 vlan14 vlan15 vlan16 vlan17 vlan18 vlan19 \ | vlan10 vlan11 vlan12 vlan13 vlan14 vlan15 vlan16 vlan17 vlan18 vlan19 \ | ||
vlan20 vlan21 vlan22 vlan23 vlan24 vlan25 vlan26 vlan27 vlan28 vlan29 \ | vlan20 vlan21 vlan22 vlan23 vlan24 vlan25 vlan26 vlan27 vlan28 vlan29 \ | ||
− | vlan30 vlan31 vlan32 | + | vlan30 vlan31 vlan32 vlan34 vlan35 vlan36 vlan37 vlan38 vlan39 \ |
vlan40 vlan41 vlan42 vlan43 vlan44 vlan45 vlan46 vlan47 vlan48 vlan49 \ | vlan40 vlan41 vlan42 vlan43 vlan44 vlan45 vlan46 vlan47 vlan48 vlan49 \ | ||
− | vlan50 vlan51 vlan52 vlan53 vlan54 vlan55 vlan56 vlan57 }" | + | vlan50 vlan51 vlan52 vlan53 vlan54 vlan55 vlan56 vlan57}" |
+ | |||
+ | ## IP adresses ## | ||
+ | |||
+ | # WAN adress | ||
gw2_ext = "213.125.94.212" | gw2_ext = "213.125.94.212" | ||
− | + | ||
− | + | # Local adress ranges | |
private_networks = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32, 127.0.0.0/8 }" | private_networks = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32, 127.0.0.0/8 }" | ||
− | |||
− | # Skip any filtering if it is on | + | ######################## |
+ | ### Default Policies ### | ||
+ | ######################## | ||
+ | |||
+ | # Skip any filtering if it is on interface localhost | ||
set skip on lo | set skip on lo | ||
− | |||
− | |||
# Provide nice blocked messages | # Provide nice blocked messages | ||
set block-policy return | set block-policy return | ||
+ | # Block all unless a allow rule exists | ||
+ | block all | ||
− | ### | + | ####################### |
− | + | ### Cleanup Packets ### | |
− | # | + | ####################### |
− | |||
− | |||
− | # | + | # Reassemble packets |
+ | set reassemble yes | ||
# Scrub packets | # Scrub packets | ||
− | match in all scrub ( | + | match in all scrub (max-mss 1472) |
match out all scrub (random-id) | match out all scrub (random-id) | ||
# Antispoof | # Antispoof | ||
− | antispoof | + | antispoof quick for { $ext_if } inet |
+ | |||
+ | # Block bogus packets | ||
+ | block in quick on $ext_if from no-route to any | ||
+ | block in quick on $ext_if from any to 255.255.255.255 | ||
+ | block in quick on $ext_if from any to $private_networks | ||
+ | block in quick on $ext_if from $private_networks to any | ||
+ | block return out quick on $ext_if from any to $private_networks | ||
+ | |||
− | # | + | ############ |
− | + | ### NAT #### | |
− | + | ############ | |
− | |||
− | |||
− | |||
− | + | # NAT all interfaces to WAN | |
match out on $ext_if from any to any nat-to $gw2_ext | match out on $ext_if from any to any nat-to $gw2_ext | ||
− | ### | + | ##################### |
+ | ### SPECIAL rules ### | ||
+ | ##################### | ||
− | # | + | # Help with Active and Passive FTP |
anchor "ftp-proxy/*" | anchor "ftp-proxy/*" | ||
pass in quick on $int_if proto tcp from any to port 21 rdr-to 127.0.0.1 port 8021 | pass in quick on $int_if proto tcp from any to port 21 rdr-to 127.0.0.1 port 8021 | ||
− | |||
− | |||
− | |||
− | # Allow incoming | + | ###################### |
+ | ### Pass IN rules ### | ||
+ | ###################### | ||
+ | |||
+ | # Allow incoming SSH and ICMP on WAN interface | ||
+ | pass in on $ext_if inet proto tcp from any to $gw2_ext port 22 | ||
+ | pass in on $ext_if inet proto icmp from any to $gw2_ext icmp-type echoreq | ||
+ | |||
+ | # Allow incoming ALL on LAN interfaces | ||
pass in on $int_if | pass in on $int_if | ||
− | ## | + | # Allow incoming ALL on VLAN Interfaces |
+ | pass in on $vlan_if | ||
+ | |||
+ | |||
+ | ###################### | ||
+ | ### Redirect rules ### | ||
+ | ###################### | ||
+ | |||
+ | ## ACKspace CAM 2 / 10.0.30.253 | ||
+ | # | ||
+ | # TCP port 25380 to port 80 (HTTP) | ||
+ | pass in on $ext_if inet proto tcp from any to $gw2_ext port 25380 rdr-to 10.0.30.253 port 80 | ||
+ | ## | ||
+ | |||
+ | |||
+ | |||
+ | |||
+ | ### VM RELATED ### | ||
+ | |||
+ | # For usage with the VM's (10.0.50.xxx / VLAN50) use the first two digits to indicate the intenal IP | ||
+ | # and the last three to indicate the port # Example : 10.0.50.33 port 88 becomes WAN port 33088 | ||
+ | # Unless its a specific service, like gameports etc. | ||
− | |||
− | |||
− | |||
+ | ## VMware Host 1 / 10.0.50.1 | ||
+ | # | ||
+ | # Use TEAMVIEWER to ACKspace vSphere Client | ||
+ | # | ||
+ | # TCP port 01443 (vSphere Client) | ||
+ | # pass in on $ext_if inet proto tcp from any to $gw2_ext port 01443 rdr-to 10.0.50.1 port 443 | ||
+ | # | ||
+ | # TCP port 00902 (vSphere VM console) | ||
+ | # pass in on $ext_if inet proto tcp from any to $gw2_ext port 00902 rdr-to 10.0.50.1 port 902 | ||
+ | ## | ||
− | |||
− | # TCP port | + | ## VMware Host 2 / 10.0.50.2 |
− | pass in on $ext_if inet proto tcp from any to $gw2_ext port | + | # Use TEAMVIEWER to ACKspace vSphere Client |
+ | # | ||
+ | # TCP port 01443 (vSphere Client) | ||
+ | # pass in on $ext_if inet proto tcp from any to $gw2_ext port 01443 rdr-to 10.0.50.2 port 443 | ||
+ | # | ||
+ | # TCP port 00902 (vSphere VM console) | ||
+ | # pass in on $ext_if inet proto tcp from any to $gw2_ext port 00902 rdr-to 10.0.50.2 port 902 | ||
+ | ## | ||
+ | |||
+ | |||
+ | ## VM Debian Q2 / 10.0.50.11 | ||
+ | # | ||
+ | # TCP port 110022 to port 22 (SSH) | ||
+ | pass in on $ext_if inet proto tcp from any to $gw2_ext port 11022 rdr-to 10.0.50.11 port 22 | ||
+ | # | ||
# TCP+UDP portrange 27910-27915 (Quake2) | # TCP+UDP portrange 27910-27915 (Quake2) | ||
− | pass in on $ext_if inet proto tcp from any to $gw2_ext port 27910:27915 rdr-to 10.0.50.11 | + | pass in on $ext_if inet proto tcp from any to $gw2_ext port 27910:27915 rdr-to 10.0.50.11 |
− | pass in on $ext_if inet proto udp from any to $gw2_ext port 27910:27915 rdr-to 10.0.50.11 | + | pass in on $ext_if inet proto udp from any to $gw2_ext port 27910:27915 rdr-to 10.0.50.11 |
+ | # TCP port 11080 (Webserver) | ||
+ | pass in on $ext_if inet proto tcp from any to $gw2_ext port 11080 rdr-to 10.0.50.11 port 80 | ||
+ | ## | ||
+ | |||
+ | ## VM Debian OpenVPN / 10.0.50.13 | ||
+ | # | ||
+ | # TCP port 13022 to port 22 (SSH) | ||
+ | pass in on $ext_if inet proto tcp from any to $gw2_ext port 13022 rdr-to 10.0.50.13 port 22 | ||
+ | # TCP port 13443 to port 443(VPN TUNNEL TCP) | ||
+ | pass in on $ext_if inet proto tcp from any to $gw2_ext port 13443 rdr-to 10.0.50.13 port 443 | ||
+ | # TCP port 443 (HTTPS / VPN TUNNEL TCP) | ||
+ | pass in on $ext_if inet proto tcp from any to $gw2_ext port 443 rdr-to 10.0.50.13 | ||
+ | # UDP port 1194 (OpenVPN / VPN TUNNEL UDP) | ||
+ | pass in on $ext_if inet proto udp from any to $gw2_ext port 1194 rdr-to 10.0.50.13 | ||
+ | ## | ||
+ | |||
+ | |||
+ | ## VM Debian FTP / 10.0.50.14 | ||
+ | # | ||
+ | # TCP port 14021 to port 21 (FTP) | ||
+ | pass in on $ext_if inet proto tcp from any to $gw2_ext port 14021 rdr-to 10.0.50.14 port 21 | ||
+ | # TCP port 14022 to port 22 (SSH) | ||
+ | pass in on $ext_if inet proto tcp from any to $gw2_ext port 14022 rdr-to 10.0.50.14 port 22 | ||
+ | # TCP port 14500-14600 to 14500-14600 (FTP Passive Mode) | ||
+ | pass in on $ext_if inet proto tcp from any to $gw2_ext port 14500:14600 rdr-to 10.0.50.14 | ||
+ | ## | ||
+ | |||
+ | |||
+ | ## VM Debian VOIP / 10.0.50.15 | ||
+ | # | ||
+ | # TCP port 15022 to port 22 (SSH) | ||
+ | pass in on $ext_if inet proto tcp from any to $gw2_ext port 15022 rdr-to 10.0.50.15 port 22 | ||
+ | ## | ||
+ | |||
+ | ## VM Debian Radius / 10.0.50.16 | ||
+ | # | ||
+ | # TCP port 16022 to port 22 (SSH) | ||
+ | pass in on $ext_if inet proto tcp from any to $gw2_ext port 16022 rdr-to 10.0.50.16 port 22 | ||
+ | # TCP+UDP port 1812-1813 to port 1812-1813 (RADIUS) | ||
+ | pass in on $ext_if inet proto tcp from 192.42.117.138 to $gw2_ext port 1812:1813 rdr-to 10.0.50.16 | ||
+ | pass in on $ext_if inet proto udp from 192.42.117.138 to $gw2_ext port 1812:1813 rdr-to 10.0.50.16 | ||
+ | ## | ||
+ | |||
+ | ## VM Mailcleaner / 10.0.50.18 | ||
+ | # | ||
+ | # TCP port 18022 to port 22 (SSH) | ||
+ | pass in on $ext_if inet proto tcp from any to $gw2_ext port 18022 rdr-to 10.0.50.18 port 22 | ||
+ | # TCP port 18443 to port 443(VPN TUNNEL TCP) | ||
+ | pass in on $ext_if inet proto tcp from any to $gw2_ext port 18443 rdr-to 10.0.50.18 port 443 | ||
+ | ## | ||
+ | |||
+ | |||
+ | |||
+ | ### SHELL RELATED ### | ||
+ | # For Shell accounts (10.0.57.xxx / VLAN57) use port 22xx to redirect to 10.0.57.xx | ||
+ | pass in on $ext_if inet proto tcp from any to $gw2_ext port 2231 rdr-to 10.0.57.31 port 22 | ||
+ | pass in on $ext_if inet proto tcp from any to $gw2_ext port 2232 rdr-to 10.0.57.32 port 22 | ||
+ | pass in on $ext_if inet proto tcp from any to $gw2_ext port 2233 rdr-to 10.0.57.33 port 22 | ||
+ | pass in on $ext_if inet proto tcp from any to $gw2_ext port 2234 rdr-to 10.0.57.34 port 22 | ||
+ | pass in on $ext_if inet proto tcp from any to $gw2_ext port 2235 rdr-to 10.0.57.35 port 22 | ||
+ | pass in on $ext_if inet proto tcp from any to $gw2_ext port 2236 rdr-to 10.0.57.36 port 22 | ||
+ | |||
+ | ###################### | ||
+ | ### Pass OUT rules ### | ||
+ | ###################### | ||
+ | |||
+ | # Allow outgoing traffic on WAN from any | ||
+ | pass out on $ext_if from any | ||
+ | |||
+ | # Allow outgoing traffic on LAN from LAN | ||
+ | pass out on $int_if from $int_if | ||
+ | |||
+ | # Allow outgoing traffic on VLAN from same VLAN (Block InterVLAN) | ||
+ | pass out on vlan10 from vlan10:network | ||
+ | pass out on vlan11 from vlan11:network | ||
+ | pass out on vlan12 from vlan12:network | ||
+ | pass out on vlan13 from vlan13:network | ||
+ | pass out on vlan14 from vlan14:network | ||
+ | pass out on vlan15 from vlan15:network | ||
+ | pass out on vlan16 from vlan16:network | ||
+ | pass out on vlan17 from vlan17:network | ||
+ | pass out on vlan18 from vlan18:network | ||
+ | pass out on vlan19 from vlan19:network | ||
+ | pass out on vlan20 from vlan20:network | ||
+ | pass out on vlan21 from vlan21:network | ||
+ | pass out on vlan22 from vlan22:network | ||
+ | pass out on vlan23 from vlan23:network | ||
+ | pass out on vlan24 from vlan24:network | ||
+ | pass out on vlan25 from vlan25:network | ||
+ | pass out on vlan26 from vlan26:network | ||
+ | pass out on vlan27 from vlan27:network | ||
+ | pass out on vlan28 from vlan28:network | ||
+ | pass out on vlan29 from vlan29:network | ||
+ | pass out on vlan30 from vlan30:network | ||
+ | pass out on vlan31 from vlan31:network | ||
+ | pass out on vlan32 from vlan32:network | ||
+ | # pass out on vlan33 from vlan33:network (ALLDAY) | ||
+ | pass out on vlan34 from vlan34:network | ||
+ | pass out on vlan35 from vlan35:network | ||
+ | pass out on vlan36 from vlan36:network | ||
+ | pass out on vlan37 from vlan37:network | ||
+ | pass out on vlan38 from vlan38:network | ||
+ | pass out on vlan39 from vlan39:network | ||
+ | pass out on vlan40 from vlan40:network | ||
+ | pass out on vlan41 from vlan41:network | ||
+ | pass out on vlan42 from vlan42:network | ||
+ | pass out on vlan43 from vlan43:network | ||
+ | pass out on vlan44 from vlan44:network | ||
+ | pass out on vlan45 from vlan45:network | ||
+ | pass out on vlan46 from vlan46:network | ||
+ | pass out on vlan47 from vlan47:network | ||
+ | pass out on vlan48 from vlan48:network | ||
+ | pass out on vlan49 from vlan49:network | ||
+ | pass out on vlan50 from vlan50:network | ||
+ | pass out on vlan51 from vlan51:network | ||
+ | pass out on vlan52 from vlan52:network | ||
+ | pass out on vlan53 from vlan53:network | ||
+ | pass out on vlan54 from vlan54:network | ||
+ | pass out on vlan55 from vlan55:network | ||
+ | pass out on vlan56 from vlan56:network | ||
+ | pass out on vlan57 from vlan57:network | ||
+ | |||
+ | # Allow outgoing traffic from/to VLAN 30, VLANS 50-55, VLAN 57 | ||
+ | pass out on vlan30 from vlan30:network | ||
+ | pass out on vlan30 from vlan50:network | ||
+ | pass out on vlan30 from vlan51:network | ||
+ | pass out on vlan30 from vlan52:network | ||
+ | pass out on vlan30 from vlan53:network | ||
+ | pass out on vlan30 from vlan54:network | ||
+ | pass out on vlan30 from vlan55:network | ||
+ | pass out on vlan30 from vlan57:network | ||
+ | |||
+ | pass out on vlan50 from vlan30:network | ||
+ | pass out on vlan50 from vlan50:network | ||
+ | pass out on vlan50 from vlan51:network | ||
+ | pass out on vlan50 from vlan52:network | ||
+ | pass out on vlan50 from vlan53:network | ||
+ | pass out on vlan50 from vlan54:network | ||
+ | pass out on vlan50 from vlan55:network | ||
+ | pass out on vlan50 from vlan57:network | ||
− | + | pass out on vlan51 from vlan30:network | |
− | pass | + | pass out on vlan51 from vlan50:network |
+ | pass out on vlan51 from vlan51:network | ||
+ | pass out on vlan51 from vlan52:network | ||
+ | pass out on vlan51 from vlan53:network | ||
+ | pass out on vlan51 from vlan54:network | ||
+ | pass out on vlan51 from vlan55:network | ||
+ | pass out on vlan51 from vlan57:network | ||
+ | pass out on vlan52 from vlan30:network | ||
+ | pass out on vlan52 from vlan50:network | ||
+ | pass out on vlan52 from vlan51:network | ||
+ | pass out on vlan52 from vlan52:network | ||
+ | pass out on vlan52 from vlan53:network | ||
+ | pass out on vlan52 from vlan54:network | ||
+ | pass out on vlan52 from vlan55:network | ||
+ | pass out on vlan52 from vlan57:network | ||
+ | pass out on vlan53 from vlan30:network | ||
+ | pass out on vlan53 from vlan50:network | ||
+ | pass out on vlan53 from vlan51:network | ||
+ | pass out on vlan53 from vlan52:network | ||
+ | pass out on vlan53 from vlan53:network | ||
+ | pass out on vlan53 from vlan54:network | ||
+ | pass out on vlan53 from vlan55:network | ||
+ | pass out on vlan53 from vlan57:network | ||
− | + | pass out on vlan54 from vlan30:network | |
+ | pass out on vlan54 from vlan50:network | ||
+ | pass out on vlan54 from vlan51:network | ||
+ | pass out on vlan54 from vlan52:network | ||
+ | pass out on vlan54 from vlan53:network | ||
+ | pass out on vlan54 from vlan54:network | ||
+ | pass out on vlan54 from vlan55:network | ||
+ | pass out on vlan54 from vlan57:network | ||
− | + | pass out on vlan55 from vlan30:network | |
− | pass out on | + | pass out on vlan55 from vlan50:network |
+ | pass out on vlan55 from vlan51:network | ||
+ | pass out on vlan55 from vlan52:network | ||
+ | pass out on vlan55 from vlan53:network | ||
+ | pass out on vlan55 from vlan54:network | ||
+ | pass out on vlan55 from vlan55:network | ||
+ | pass out on vlan55 from vlan57:network | ||
− | + | pass out on vlan57 from vlan30:network | |
− | + | pass out on vlan57 from vlan50:network | |
− | pass out on | + | pass out on vlan57 from vlan51:network |
+ | pass out on vlan57 from vlan52:network | ||
+ | pass out on vlan57 from vlan53:network | ||
+ | pass out on vlan57 from vlan54:network | ||
+ | pass out on vlan57 from vlan55:network | ||
+ | pass out on vlan57 from vlan57:network | ||
− | |||
− | |||
− | |||
− | |||
</pre> | </pre> |
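Review bot: The "Block InterVLAN" intent of the Pass OUT section (the per-VLAN `pass out on vlanNN from vlanNN:network` lines) is not what decides VLAN-to-VLAN traffic, because `pass in on $vlan_if` in the Pass IN section keeps state with no destination restriction and the ruleset never sets `state-policy`, so states are floating (pf's default) and a packet that matched that rule on ingress is forwarded on the egress VLAN by its state without the pass-out rules being consulted. Either decide inter-VLAN traffic on ingress (block in on $vlan_if towards the other VLAN networks, with explicit pass-in exceptions for the gateway's own addresses and the VLAN 30/50-55/57 mesh), or add `set state-policy if-bound` under Default Policies — but note the latter then also needs a `pass out` on each VLAN for the rdr-to targets (10.0.30.253, 10.0.50.x, 10.0.57.x), which the present egress rules (`from vlanNN:network` only) would not provide; in both cases confirm with a test host on two VLANs before relying on the isolation. Separately, the comment `# TCP port 110022 to port 22 (SSH)` above the 10.0.50.11 rule should read `11022` to match the rule, and the WAN rule `pass in on $ext_if inet proto tcp from any to $gw2_ext port 22` accepts SSH from any source, where pf's `max-src-conn-rate` with an `overload` table is the usual way to damp repeated connection attempts.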
Revision as of 00:58, 24 December 2011
Project: OpenBSD Firewall / PF | |
---|---|
Featured: | |
State | Active |
Members | Antarez, Vicarious, PsychiC |
GitHub | No GitHub project defined. Add your project here. |
Description | building a gateway on openbsd |
In this workshop we will be building a highly available firewalling gateway. It is not a lecture or talk; it is a hands-on workshop.
How to play:
Don't play with it; it's in operation now :)
Rulesdump Date 24-December-2011
# PF Rules ACKspace gateway 2
#
# Layout: macros, default policies, normalisation / bogon blocks, NAT, ftp-proxy anchor,
# pass-in rules (WAN services and rdr-to port forwards), pass-out rules.
# pf evaluates rules top to bottom and the LAST matching rule wins, except for rules
# marked "quick", which stop evaluation at once.

############################
### Macros / Definitions ###
############################

## Interfaces ##

# WAN interface
ext_if = "fxp0"
# LAN interface
int_if = "fxp1"

# VLAN interfaces (ALLDAY / VLAN33 Excluded)
vlan_if = "{ \
vlan10 vlan11 vlan12 vlan13 vlan14 vlan15 vlan16 vlan17 vlan18 vlan19 \
vlan20 vlan21 vlan22 vlan23 vlan24 vlan25 vlan26 vlan27 vlan28 vlan29 \
vlan30 vlan31 vlan32 vlan34 vlan35 vlan36 vlan37 vlan38 vlan39 \
vlan40 vlan41 vlan42 vlan43 vlan44 vlan45 vlan46 vlan47 vlan48 vlan49 \
vlan50 vlan51 vlan52 vlan53 vlan54 vlan55 vlan56 vlan57}"

## IP addresses ##

# WAN address
gw2_ext = "213.125.94.212"

# Local address ranges (also used as the bogon list on $ext_if below; note it includes
# the limited broadcast address and loopback, not only RFC 1918 space)
private_networks = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32, 127.0.0.0/8 }"

########################
### Default Policies ###
########################

# Skip any filtering if it is on interface localhost
set skip on lo

# Provide nice blocked messages
set block-policy return
# Block all unless an allow rule exists
block all
# NOTE(review): no "set state-policy" is given, so states are floating (the pf default):
# a packet passed by a stateful "pass in" rule is afterwards passed on ANY egress
# interface by that state, without the "Pass OUT" rules being consulted.

#######################
### Cleanup Packets ###
#######################

# Reassemble packets
set reassemble yes
# Scrub packets
match in all scrub (max-mss 1472)
match out all scrub (random-id)
# Antispoof
antispoof quick for { $ext_if } inet

# Block bogus packets
block in quick on $ext_if from no-route to any
block in quick on $ext_if from any to 255.255.255.255
block in quick on $ext_if from any to $private_networks
block in quick on $ext_if from $private_networks to any
block return out quick on $ext_if from any to $private_networks

############
### NAT ####
############

# NAT all interfaces to WAN
match out on $ext_if from any to any nat-to $gw2_ext

#####################
### SPECIAL rules ###
#####################

# Help with Active and Passive FTP (LAN clients' FTP control connections go via ftp-proxy)
anchor "ftp-proxy/*"
pass in quick on $int_if proto tcp from any to port 21 rdr-to 127.0.0.1 port 8021

######################
### Pass IN rules ###
######################

# Allow incoming SSH and ICMP on WAN interface
# NOTE(review): SSH is accepted from any source; pf's max-src-conn-rate with an overload
# table is available if repeated connection attempts need to be rate-limited here.
pass in on $ext_if inet proto tcp from any to $gw2_ext port 22
pass in on $ext_if inet proto icmp from any to $gw2_ext icmp-type echoreq

# Allow incoming ALL on LAN interfaces
pass in on $int_if
# Allow incoming ALL on VLAN Interfaces
# NOTE(review): this rule has no destination restriction and keeps (floating) state, so
# VLAN-to-VLAN packets it passes are forwarded by state; the per-VLAN "pass out" rules
# below are not what decides inter-VLAN traffic - verify with a test host on two VLANs.
pass in on $vlan_if


######################
### Redirect rules ###
######################

## ACKspace CAM 2 / 10.0.30.253
#
# TCP port 25380 to port 80 (HTTP)
pass in on $ext_if inet proto tcp from any to $gw2_ext port 25380 rdr-to 10.0.30.253 port 80
##




### VM RELATED ###

# For usage with the VM's (10.0.50.xxx / VLAN50) use the first two digits to indicate the internal IP
# and the last three to indicate the port # Example : 10.0.50.33 port 88 becomes WAN port 33088
# Unless its a specific service, like gameports etc.

## VMware Host 1 / 10.0.50.1
#
# Use TEAMVIEWER to ACKspace vSphere Client
#
# TCP port 01443 (vSphere Client) - rule kept disabled
# pass in on $ext_if inet proto tcp from any to $gw2_ext port 01443 rdr-to 10.0.50.1 port 443
#
# TCP port 00902 (vSphere VM console) - rule kept disabled
# pass in on $ext_if inet proto tcp from any to $gw2_ext port 00902 rdr-to 10.0.50.1 port 902
##

## VMware Host 2 / 10.0.50.2
# Use TEAMVIEWER to ACKspace vSphere Client
#
# TCP port 01443 (vSphere Client) - rule kept disabled
# pass in on $ext_if inet proto tcp from any to $gw2_ext port 01443 rdr-to 10.0.50.2 port 443
#
# TCP port 00902 (vSphere VM console) - rule kept disabled
# pass in on $ext_if inet proto tcp from any to $gw2_ext port 00902 rdr-to 10.0.50.2 port 902
##


## VM Debian Q2 / 10.0.50.11
#
# TCP port 11022 to port 22 (SSH)
pass in on $ext_if inet proto tcp from any to $gw2_ext port 11022 rdr-to 10.0.50.11 port 22
#
# TCP+UDP portrange 27910-27915 (Quake2) - same ports on the VM (no "port" after rdr-to)
pass in on $ext_if inet proto tcp from any to $gw2_ext port 27910:27915 rdr-to 10.0.50.11
pass in on $ext_if inet proto udp from any to $gw2_ext port 27910:27915 rdr-to 10.0.50.11
# TCP port 11080 (Webserver)
pass in on $ext_if inet proto tcp from any to $gw2_ext port 11080 rdr-to 10.0.50.11 port 80
##

## VM Debian OpenVPN / 10.0.50.13
#
# TCP port 13022 to port 22 (SSH)
pass in on $ext_if inet proto tcp from any to $gw2_ext port 13022 rdr-to 10.0.50.13 port 22
# TCP port 13443 to port 443 (VPN TUNNEL TCP)
pass in on $ext_if inet proto tcp from any to $gw2_ext port 13443 rdr-to 10.0.50.13 port 443
# TCP port 443 (HTTPS / VPN TUNNEL TCP)
pass in on $ext_if inet proto tcp from any to $gw2_ext port 443 rdr-to 10.0.50.13
# UDP port 1194 (OpenVPN / VPN TUNNEL UDP)
pass in on $ext_if inet proto udp from any to $gw2_ext port 1194 rdr-to 10.0.50.13
##


## VM Debian FTP / 10.0.50.14
#
# TCP port 14021 to port 21 (FTP)
pass in on $ext_if inet proto tcp from any to $gw2_ext port 14021 rdr-to 10.0.50.14 port 21
# TCP port 14022 to port 22 (SSH)
pass in on $ext_if inet proto tcp from any to $gw2_ext port 14022 rdr-to 10.0.50.14 port 22
# TCP port 14500-14600 to 14500-14600 (FTP Passive Mode)
pass in on $ext_if inet proto tcp from any to $gw2_ext port 14500:14600 rdr-to 10.0.50.14
##


## VM Debian VOIP / 10.0.50.15
#
# TCP port 15022 to port 22 (SSH)
pass in on $ext_if inet proto tcp from any to $gw2_ext port 15022 rdr-to 10.0.50.15 port 22
##

## VM Debian Radius / 10.0.50.16
#
# TCP port 16022 to port 22 (SSH)
pass in on $ext_if inet proto tcp from any to $gw2_ext port 16022 rdr-to 10.0.50.16 port 22
# TCP+UDP port 1812-1813 to port 1812-1813 (RADIUS) - accepted only from the single peer address
pass in on $ext_if inet proto tcp from 192.42.117.138 to $gw2_ext port 1812:1813 rdr-to 10.0.50.16
pass in on $ext_if inet proto udp from 192.42.117.138 to $gw2_ext port 1812:1813 rdr-to 10.0.50.16
##

## VM Mailcleaner / 10.0.50.18
#
# TCP port 18022 to port 22 (SSH)
pass in on $ext_if inet proto tcp from any to $gw2_ext port 18022 rdr-to 10.0.50.18 port 22
# TCP port 18443 to port 443 (VPN TUNNEL TCP)
pass in on $ext_if inet proto tcp from any to $gw2_ext port 18443 rdr-to 10.0.50.18 port 443
##



### SHELL RELATED ###
# For Shell accounts (10.0.57.xxx / VLAN57) use port 22xx to redirect to 10.0.57.xx
pass in on $ext_if inet proto tcp from any to $gw2_ext port 2231 rdr-to 10.0.57.31 port 22
pass in on $ext_if inet proto tcp from any to $gw2_ext port 2232 rdr-to 10.0.57.32 port 22
pass in on $ext_if inet proto tcp from any to $gw2_ext port 2233 rdr-to 10.0.57.33 port 22
pass in on $ext_if inet proto tcp from any to $gw2_ext port 2234 rdr-to 10.0.57.34 port 22
pass in on $ext_if inet proto tcp from any to $gw2_ext port 2235 rdr-to 10.0.57.35 port 22
pass in on $ext_if inet proto tcp from any to $gw2_ext port 2236 rdr-to 10.0.57.36 port 22

######################
### Pass OUT rules ###
######################

# Allow outgoing traffic on WAN from any
pass out on $ext_if from any

# Allow outgoing traffic on LAN from LAN
# NOTE(review): "from $int_if" (an interface name used as an address) matches the
# gateway's own address on fxp1 rather than the LAN subnet ($int_if:network) - confirm
# that is intended.
pass out on $int_if from $int_if

# Allow outgoing traffic on VLAN from same VLAN (Block InterVLAN)
# NOTE(review): see the note on "pass in on $vlan_if" above - with floating states these
# rules only decide packets that did not already match a state.
pass out on vlan10 from vlan10:network
pass out on vlan11 from vlan11:network
pass out on vlan12 from vlan12:network
pass out on vlan13 from vlan13:network
pass out on vlan14 from vlan14:network
pass out on vlan15 from vlan15:network
pass out on vlan16 from vlan16:network
pass out on vlan17 from vlan17:network
pass out on vlan18 from vlan18:network
pass out on vlan19 from vlan19:network
pass out on vlan20 from vlan20:network
pass out on vlan21 from vlan21:network
pass out on vlan22 from vlan22:network
pass out on vlan23 from vlan23:network
pass out on vlan24 from vlan24:network
pass out on vlan25 from vlan25:network
pass out on vlan26 from vlan26:network
pass out on vlan27 from vlan27:network
pass out on vlan28 from vlan28:network
pass out on vlan29 from vlan29:network
pass out on vlan30 from vlan30:network
pass out on vlan31 from vlan31:network
pass out on vlan32 from vlan32:network
# pass out on vlan33 from vlan33:network (ALLDAY)
pass out on vlan34 from vlan34:network
pass out on vlan35 from vlan35:network
pass out on vlan36 from vlan36:network
pass out on vlan37 from vlan37:network
pass out on vlan38 from vlan38:network
pass out on vlan39 from vlan39:network
pass out on vlan40 from vlan40:network
pass out on vlan41 from vlan41:network
pass out on vlan42 from vlan42:network
pass out on vlan43 from vlan43:network
pass out on vlan44 from vlan44:network
pass out on vlan45 from vlan45:network
pass out on vlan46 from vlan46:network
pass out on vlan47 from vlan47:network
pass out on vlan48 from vlan48:network
pass out on vlan49 from vlan49:network
pass out on vlan50 from vlan50:network
pass out on vlan51 from vlan51:network
pass out on vlan52 from vlan52:network
pass out on vlan53 from vlan53:network
pass out on vlan54 from vlan54:network
pass out on vlan55 from vlan55:network
pass out on vlan56 from vlan56:network
pass out on vlan57 from vlan57:network

# Allow outgoing traffic from/to VLAN 30, VLANS 50-55, VLAN 57
# (full mesh between these VLANs; the "vlanNN from vlanNN:network" lines repeat rules
# from the block above and are harmless duplicates)
pass out on vlan30 from vlan30:network
pass out on vlan30 from vlan50:network
pass out on vlan30 from vlan51:network
pass out on vlan30 from vlan52:network
pass out on vlan30 from vlan53:network
pass out on vlan30 from vlan54:network
pass out on vlan30 from vlan55:network
pass out on vlan30 from vlan57:network

pass out on vlan50 from vlan30:network
pass out on vlan50 from vlan50:network
pass out on vlan50 from vlan51:network
pass out on vlan50 from vlan52:network
pass out on vlan50 from vlan53:network
pass out on vlan50 from vlan54:network
pass out on vlan50 from vlan55:network
pass out on vlan50 from vlan57:network
pass out on vlan51 from vlan30:network
pass out on vlan51 from vlan50:network
pass out on vlan51 from vlan51:network
pass out on vlan51 from vlan52:network
pass out on vlan51 from vlan53:network
pass out on vlan51 from vlan54:network
pass out on vlan51 from vlan55:network
pass out on vlan51 from vlan57:network
pass out on vlan52 from vlan30:network
pass out on vlan52 from vlan50:network
pass out on vlan52 from vlan51:network
pass out on vlan52 from vlan52:network
pass out on vlan52 from vlan53:network
pass out on vlan52 from vlan54:network
pass out on vlan52 from vlan55:network
pass out on vlan52 from vlan57:network
pass out on vlan53 from vlan30:network
pass out on vlan53 from vlan50:network
pass out on vlan53 from vlan51:network
pass out on vlan53 from vlan52:network
pass out on vlan53 from vlan53:network
pass out on vlan53 from vlan54:network
pass out on vlan53 from vlan55:network
pass out on vlan53 from vlan57:network
pass out on vlan54 from vlan30:network
pass out on vlan54 from vlan50:network
pass out on vlan54 from vlan51:network
pass out on vlan54 from vlan52:network
pass out on vlan54 from vlan53:network
pass out on vlan54 from vlan54:network
pass out on vlan54 from vlan55:network
pass out on vlan54 from vlan57:network
pass out on vlan55 from vlan30:network
pass out on vlan55 from vlan50:network
pass out on vlan55 from vlan51:network
pass out on vlan55 from vlan52:network
pass out on vlan55 from vlan53:network
pass out on vlan55 from vlan54:network
pass out on vlan55 from vlan55:network
pass out on vlan55 from vlan57:network
pass out on vlan57 from vlan30:network
pass out on vlan57 from vlan50:network
pass out on vlan57 from vlan51:network
pass out on vlan57 from vlan52:network
pass out on vlan57 from vlan53:network
pass out on vlan57 from vlan54:network
pass out on vlan57 from vlan55:network
pass out on vlan57 from vlan57:network