#
# /etc/pf.conf firewall configuration.
# 2005-10-23
#
# Layout: macros, runtime options, scrub, ALTQ queues, translation (nat/rdr)
# rules, then the filter rules.  pf evaluates filter rules last-match-wins
# unless a rule is marked "quick"; translation happens before filtering, so
# the filter rules see the already-rewritten destination of rdr'd packets.
#
# Interfaces.
#
intif = "xl0"
extif = "xl1"

# Define our hosts and networks.
#
mars = "10.99.1.3"
saturn = "10.99.1.20"
jupiter = "10.99.1.21"
neptune = "10.99.1.100"

# Work VPN hosts.
# NOTE(review): the XX/YY/ZZ octets are placeholders and must be replaced
# with the real concentrator addresses before this ruleset is loaded.
vpnhosts = "{ XX.XX.XX.2, YY.YY.YY.2, ZZ.ZZ.ZZ.2 }"

# Vonage traffic ports (SIP and RTP).
voipports = "{ 5060, 5061, 10000:20000 }"

icmp_types = "echoreq"

# Addresses that must never appear as a source entering $extif or as a
# destination leaving it.  This is a hard-coded bogon list, and such lists
# go stale: the RFC 1918 ranges, 127/8, 169.254/16, 192.0.2/24, 0/8, 224/3
# and the broadcast address are permanently special-use, but
# 204.152.64.0/23 appears to come from an older bogon list -- re-check it
# against current IANA allocations before keeping it.  A "table <name>
# const { ... }" would be cheaper to match and can be updated with pfctl -t
# without reloading the ruleset.
nonroutable = "{ 192.168.0.0/16, 127.0.0.0/8, 172.16.0.0/12, 10.0.0.0/8, 0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23, 224.0.0.0/3, 255.255.255.255/32 }"

# Set some runtime options.
#
# block-policy return answers blocked packets with a TCP RST / ICMP
# unreachable.  That is friendly to LAN clients, but the policy is global:
# any "block" rule without an explicit "drop" will also answer unsolicited
# probes arriving on $extif, which makes the host easier to enumerate and
# lets spoofed sources use the firewall as a reflector.  Use "block drop"
# on rules that face $extif.
set block-policy return
set loginterface $extif

# Scrub packets.
#
# Normalise traffic on the outside interface: reassemble fragments and TCP
# segments, clear the DF bit (some NATed clients send fragments with DF set)
# and replace the IP ID with a random one so outside hosts cannot infer
# connection counts from the ID sequence.
scrub on $extif reassemble tcp no-df random-id

# Fire up ALTQ.  We'll prioritize empty TCP ACK traffic; VoIP traffic
# next; and then everything else.
#
# priq: the higher priority number wins (15 is the maximum).  The bandwidth
# figure must track the real upstream rate of the link -- set it above the
# true rate and the queueing has no effect.
altq on $extif priq bandwidth 350Kb queue { std, voip, tcpack }
queue std priq(red default)
queue voip priority 10 priq(red)
queue tcpack priority 15 priq(red)

# Now, setup some NAT action for the internal network.
#
# First NAT is for the Cisco VPN client.  ISAKMP (UDP 500) is translated
# with its source port preserved because many IKE peers refuse to talk to a
# source port other than 500.  "$extif:0" uses the interface's primary
# address only, ignoring aliases.
# NOTE(review): "$extif" is expanded when the ruleset is loaded; if xl1
# gets its address dynamically (DHCP/PPPoE), use "($extif)" so the
# translation address follows the interface without a reload.
nat on $extif inet proto { tcp, udp } from $intif:network port isakmp \
    to any -> $extif:0 port isakmp
nat on $extif from $intif:network to any -> $extif

# Configure some port forwarding.
# Note that all of our services on mars are being redirected for now.
# I suppose they could be passed directly, but this minimizes the
# reconfiguration necessary from separate router situation.
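#
# Forwarded services, grouped by the host that answers them.  The pass
# rules below name each target host explicitly instead of passing the
# whole $intif:network, so the filter states the real exposure on its own
# rather than relying on the rdr rules to confine it (a future rdr change
# or removal would otherwise silently widen what is reachable).
mars_tcp     = "{ 22, 25, 53, 80 }"
mars_udp     = "{ 53 }"
cvs_port     = "2401"
rdp_port     = "3389"
neptune_port = "8080"

# Source restriction for the two services most often brute-forced or
# exploited from the Internet.  "any" preserves the previous behaviour;
# tightening these to $vpnhosts or another known client range is strongly
# recommended: CVS pserver sends credentials with only trivial scrambling,
# and RDP has a long history of remote exploits.
cvs_clients = "any"
rdp_clients = "any"

# Redirect services arriving on the outside interface to the internal host.
# "to any" matches whatever destination address arrives on $extif for that
# port; it is kept so the rdr works regardless of which address xl1 carries.
# SSH
rdr on $extif proto tcp from any to any port 22 -> $mars
# SMTP
rdr on $extif proto tcp from any to any port 25 -> $mars
# DNS -- reachable from the whole Internet.  If mars recurses for arbitrary
# clients it is an open resolver (amplification and cache-poisoning target);
# limit recursion on mars to $intif:network, or narrow "from" here.
rdr on $extif proto { tcp, udp } from any to any port 53 -> $mars
# HTTP
rdr on $extif proto tcp from any to any port 80 -> $mars
# CVS pserver
rdr on $extif proto tcp from $cvs_clients to any port $cvs_port -> $mars
# RDP
rdr on $extif proto tcp from $rdp_clients to any port $rdp_port -> $saturn
# HTTP alternate, served by neptune
rdr on $extif proto tcp from any to any port $neptune_port -> $neptune

# Filter rules.
#
# Default deny, logged.  On the outside interface blocked packets are
# dropped silently instead of answered under the global "block-policy
# return", so probes get no reply and spoofed sources get no backscatter.
# Last matching rule wins unless marked "quick".
block log all
block drop in log on $extif all
pass quick on lo0 all
# Anti-spoofing: nothing from a private/bogon source may enter on $extif,
# and nothing addressed to one may leave through it.
block drop in quick on $extif from $nonroutable to any
block drop out quick on $extif from any to $nonroutable

# Let in the services we offer -- one rule per target host.  Only an
# initial SYN (flags S/SA) may create state.
pass in on $extif inet proto tcp from any to $mars port $mars_tcp \
    flags S/SA keep state
pass in on $extif inet proto udp from any to $mars port $mars_udp keep state
pass in on $extif inet proto tcp from $cvs_clients to $mars port $cvs_port \
    flags S/SA keep state
pass in on $extif inet proto tcp from $rdp_clients to $saturn port $rdp_port \
    flags S/SA keep state
pass in on $extif inet proto tcp from any to $neptune port $neptune_port \
    flags S/SA keep state

# Pings (echo request only; the reply is matched by the state entry).
pass in inet proto icmp all icmp-type $icmp_types keep state

# Internal network.
#
# The LAN is fully trusted: anything from $intif:network may go anywhere,
# including to the firewall itself.
#
# Note that in order for our special Vonage queue to work, we need to
# tag incoming traffic so we can identify it on its way out.
#
pass in on $intif from $intif:network to any keep state
pass in quick on $intif proto udp from $intif:network to any \
    port $voipports tag VONAGE_OUT keep state
pass out on $intif from any to $intif:network keep state

# Now, let our traffic out.
# 1. Prioritize empty TCP ACKs (and give other TCP traffic default priority).
# 2. Let out all other eligible traffic (GRE for PPTP connections).
# 3. Prioritize VoIP traffic on the specified UDP ports.
#
# The "tagged VONAGE_OUT" rule comes last on purpose: last match wins, so
# tagged UDP lands in the voip queue instead of the generic udp rule.
pass out on $extif inet proto tcp all modulate state flags S/SA \
    queue(std, tcpack)
pass out on $extif inet proto { udp, icmp, gre } all keep state
pass out on $extif tagged VONAGE_OUT keep state queue(voip, tcpack)

# Some Cisco IPSec VPN shiznit.
#
# ESP has no ports, so the outbound NAT translates only the address and at
# most one inside client can use raw ESP at a time; the Cisco client's UDP
# encapsulation (NAT-T on 4500 / IPSec-over-UDP on 10000) is already
# covered by the generic udp rule above.
# NOTE(review): there is no explicit "pass in ... proto esp" -- inbound ESP
# relies on the state created by the translation rule.  Verify with
# "pfctl -ss" that return ESP is actually accepted when raw ESP is used.
pass out on $extif proto esp all
pass in on $extif inet proto { tcp, udp } from $vpnhosts to \
    $intif:network port isakmp keep state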