# $OpenBSD: pf.conf,v 1.54 2014/08/23 05:49:42 deraadt Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf

#set skip on lo

#block return # block stateless traffic
#pass # establish keep-state

# By default, do not permit remote connections to X11
#block return in on ! lo0 proto tcp to port 6000:6010

# Internal (LAN-facing) interface.  The external interface is never named
# directly; the "egress" interface group (whichever interface carries the
# default route) is used instead, so the rules survive a NIC change.
int_if="re1"

# Bogon ("martian") address ranges that should never appear as a source or
# destination on the Internet-facing interface: unspecified, loopback,
# link-local, RFC1918 private, documentation, benchmarking, multicast and
# class E space.
# NOTE(review): 192.168.0.0/16 is in this table while the port forward at
# the bottom targets 192.168.5.1.  That only works because LAN traffic is
# expected on $int_if, never on egress.  If egress itself ever gets an
# RFC1918 address (e.g. behind an upstream NAT), the two <martians> rules
# below will cut off all traffic on egress -- verify egress addressing
# before deploying this file on such a host.
table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 \
203.0.113.0/24 }

# Blocked packets are silently dropped (no TCP RST / ICMP unreachable is
# sent), which reveals less to remote scanners.  Individual rules below
# use "block return" explicitly where an immediate failure is wanted.
set block-policy drop
# Collect packet/byte statistics for the egress group (pfctl -s info).
set loginterface egress
# Loopback traffic is not filtered at all.
set skip on lo0

# Normalise every inbound packet: clear the DF bit so fragments can be
# reassembled, randomise the IP ID field, and clamp the TCP MSS to 1440.
# (The reason for 1440 specifically is not stated here -- typically a
# PPPoE/tunnel uplink; confirm against the actual link MTU.)
match in all scrub (no-df random-id max-mss 1440)

# Source NAT: IPv4 packets leaving on egress whose source is outside the
# egress network (i.e. forwarded LAN traffic) are rewritten to the first
# address of egress.  The parentheses make pf re-evaluate the address when
# it changes (DHCP renewal), instead of fixing it at load time.
match out on egress inet from !(egress:network) to any nat-to (egress:0)

# Anti-spoofing.  Inbound packets with a martian source are dropped;
# outbound packets to a martian destination are refused with a return
# (presumably so local misconfigurations fail fast instead of leaking).
# "quick" ends rule evaluation for matching packets, so no later "pass"
# rule can override either of these.
block in quick on egress from <martians> to any
block return out quick on egress from any to <martians>

# Default deny for everything not explicitly passed below.  pf is
# last-match-wins for non-quick rules, so the pass rules that follow take
# precedence over this one.
block all

# Allow all IPv4 out, both from the firewall itself and for forwarded
# traffic.  Only "inet" is ever passed in this file, so IPv6 in every
# direction falls through to "block all".
# NOTE(review): confirm that blocking IPv6 entirely is intended if the host
# or the LAN ever receives IPv6 connectivity.
pass out quick inet

# The LAN side is fully trusted: anything arriving on $int_if is accepted,
# whether it is destined for the firewall or to be forwarded out.
pass in on $int_if inet

# Remote administration: SSH to the firewall's own egress address from any
# source.  NOTE(review): this is Internet-exposed.  Limiting the source to
# a management table, or adding state options such as "max-src-conn-rate"
# together with an "overload <table>" block rule, would reduce brute-force
# exposure; not changed here.
pass in on egress inet proto tcp from any to (egress) port 22

# Port forward: inbound HTTP/HTTPS to the egress address is redirected to
# the internal host 192.168.5.1.  This exposes that host's web service to
# the Internet, so its hardening is what protects the LAN.  After
# redirection the packets leave on $int_if; forwarding is covered by the
# "pass out quick inet" rule above (and by the state this rule creates).
pass in on egress inet proto tcp from any to (egress) port { 80 443 } rdr-to 192.168.5.1
