-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathpf.conf
22 lines (22 loc) · 1.01 KB
/
pf.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
int_if="{ re1 }"
broken="224.0.0.22 127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 \
10.0.0.0/8 169.254.0.0/16 192.0.2.0/24 \
192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24, \
169.254.0.0/16 0.0.0.0/8 240.0.0.0/4 255.255.255.255/32"
set block-policy drop
set loginterface egress
set skip on lo0
match in all scrub (no-df random-id max-mss 1440)
match out on egress inet from !(egress:network) to any nat-to (egress:0)
antispoof quick for (egress)
block in quick on egress from { $broken no-route urpf-failed } to any
block in quick inet6 all
block out quick inet6 all
block out quick log on egress proto { tcp udp } from any to any port 53
block out quick log on egress from any to { no-route $broken }
block in all
pass out quick inet keep state
#pass in on egress inet proto tcp to (egress) port 222 rdr-to 192.168.1.2
pass in on egress inet proto tcp from any to (egress) port 22 flags S/SA synproxy state
pass in on $int_if inet
pass in on $int_if proto { tcp udp } from any to ! 10.1.1.1 port 53 rdr-to 10.1.1.1