# $OpenBSD: pf.conf,v 1.54 2014/08/23 05:49:42 deraadt Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf

#set skip on lo

#block return # block stateless traffic
#pass # establish keep-state

# By default, do not permit remote connections to X11
#block return in on ! lo0 proto tcp to port 6000:6010

# Gateway ruleset: default-deny, IPv4 source NAT out through the "egress"
# interface group, and two inbound services on egress (SSH to the gateway
# itself, HTTP/HTTPS forwarded to a LAN host). pf evaluates rules top to
# bottom and the LAST matching rule wins unless a rule carries "quick", which
# is why "block all" sits above the pass rules that carve exceptions out of it.

# Internal (LAN-facing) interface. Traffic arriving on it is fully trusted
# by the "pass in on $int_if" rule below.
int_if="re1"

# Reserved / non-routable address ranges that must never appear as a source
# on the Internet-facing side (RFC 1918, loopback, link-local, "this" network,
# documentation and benchmarking nets; 224.0.0.0/3 covers multicast and
# 240.0.0.0/4). 192.168.0.0/16 is included, so the LAN prefix of the rdr-to
# target below is also a martian -- harmless here because the table is only
# applied to rules on egress, never on $int_if.
table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 \
203.0.113.0/24 }
# Blocked packets are silently discarded (no TCP RST / ICMP unreachable); the
# one "block return" rule below overrides this per-rule.
set block-policy drop
# Interface group whose packet/byte counters "pfctl -s info" reports.
set loginterface egress
# Loopback traffic bypasses the filter entirely (no state, no logging).
set skip on lo0
# Normalize every inbound packet: clear the DF bit (so fragments from hosts
# that set it can still be reassembled), randomize the IP ID field, and clamp
# the TCP MSS to 1440. A clamp below 1460 implies a reduced path MTU upstream
# (PPPoE or a tunnel) -- NOTE(review): confirm 1440 matches the real link.
match in all scrub (no-df random-id max-mss 1440)
# Source-NAT IPv4 leaving via egress, for anything whose source is not already
# on the egress network, to the egress interface's address (":0" = no aliases).
match out on egress inet from !(egress:network) to any nat-to (egress:0)
# Anti-spoofing on the WAN side in both directions; "quick" makes these final
# regardless of what follows. The outbound rule uses "return" so an internal
# client that tries to reach a martian address fails fast instead of timing out.
block in quick on egress from <martians> to any
block return out quick on egress from any to <martians>
# Default deny on every interface for both address families. No later rule
# passes inet6, so this line drops all IPv6, inbound and outbound, including
# on $int_if -- NOTE(review): confirm that is intended and not an oversight.
block all
# Allow all IPv4 out of every interface: the gateway's own traffic, LAN traffic
# leaving via egress (NATed by the match rule above), and the redirected 80/443
# flows as they leave toward the rdr-to host (presumably via $int_if).
pass out quick inet
# Fully trust the LAN: any IPv4 packet arriving on $int_if is passed, with
# state, and will be NATed on its way out.
pass in on $int_if inet
# SSH to the gateway itself, reachable from any Internet source with no
# source restriction or rate limit -- NOTE(review): consider limiting the
# source, or adding keep-state options (max-src-conn-rate with an overload
# table, see pf.conf(5)) to blunt brute-force attempts.
pass in on egress inet proto tcp from any to (egress) port 22
# Forward inbound HTTP/HTTPS addressed to the egress address to the LAN host
# 192.168.5.1. The client source address is preserved (no nat-to on this
# rule), so that host sees real peer addresses and is effectively an
# Internet-facing server that must be hardened accordingly.
pass in on egress inet proto tcp from any to (egress) port { 80 443 } rdr-to 192.168.5.1
