pf firewall squid transparent + port forward rdp

Posted: May 11, 2010 in Freebsd

I have installed FreeBSD 8.0 to act as a firewall / gateway for my local LAN.

I have been googling for about 1 day to make a working pf.conf.

(I only learned FreeBSD from Uncle G and YouTube hahaha :p a few months ago)

This is my working pf.conf:

#######################################################################

### macros
# internal and external interfaces (run 'ifconfig' to find interfaces)
int_if = "le1"
ext_if = "le0"

# Ports we want to allow access to from the outside world on our local
# system (ext_if)
# (defined but not referenced by the rules below, which name ports directly)
tcp_services = "{ 22, 80, 3389 }"

# ping requests
icmp_types = "echoreq"

# Private networks, we are going to block incoming traffic from them
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16 }"

### options
set block-policy return
set loginterface $ext_if
set skip on lo0

scrub in all

### nat/rdr
# NAT traffic from internal network to external network through external
# interface
nat on $ext_if from $int_if:network to any -> ($ext_if)
# catch-all: NAT anything else leaving $ext_if that does not already carry
# the external address (overlaps the rule above; nat rules are first-match)
nat on $ext_if from !($ext_if) -> ($ext_if:0)

# redirect LAN web traffic to the transparent proxy on localhost port 8880
rdr on $int_if proto tcp from any to any port 80 -> 127.0.0.1 port 8880
# forward RDP arriving on the external interface to the internal host
# ("rdr pass" lets the redirected packets through without consulting the
# filter rules below)
rdr pass on $ext_if inet proto tcp from any to $ext_if port 3389 -> 192.168.1.35

# let the redirected web traffic reach the proxy on the loopback address
pass in on $int_if inet proto tcp from any to 127.0.0.1 port 8880 keep state
pass out on $ext_if inet proto tcp from any to any port www keep state
pass out on $int_if inet proto tcp from any to 192.168.1.35 port 3389

### filter rules
block all

# block incoming traffic from private networks on external interface
block drop in quick on $ext_if from $priv_nets to any

# block outgoing traffic to private networks on external interface
block drop out quick on $ext_if from any to $priv_nets

# accept ssh incoming (logged to pflog0)
pass in log quick on $ext_if proto tcp from any to $ext_if port 22 keep state

# allow in ping replies (currently disabled)
#pass in inet proto icmp all icmp-type $icmp_types keep state

# allow all traffic from internal network to internal interface
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

# allow all traffic out via external interface
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

#######################################################################
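As an added check (example code, not part of the original post): a small Python script that expands the pf macros and lists which ports the rdr and pass-in rules on $ext_if accept from any source, so you can confirm what the outside world reaches (22 and 3389 with the config above) before loading the file with pfctl -f. The pf.conf embedded in it is a constructed excerpt of the rules above; it does not evaluate rule order or "quick", it only lists candidates.

```python
"""Audit a pf.conf for services reachable from the outside world.
Added check (not from the original post): expand the macros, then list every
"rdr" or "pass in" rule on $ext_if that accepts traffic "from any". Rule order
("quick", last-match) is not evaluated; this is a first-pass listing."""
import re

# Constructed sample: the exposure-relevant rules from the post's pf.conf.
SAMPLE_PF_CONF = """
int_if = "le1"
ext_if = "le0"
tcp_services = "{ 22, 80, 3389 }"
nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $int_if proto tcp from any to any port 80 -> 127.0.0.1 port 8880
rdr pass on $ext_if inet proto tcp from any to $ext_if port 3389 -> 192.168.1.35
pass in on $int_if inet proto tcp from any to 127.0.0.1 port 8880 keep state
pass in log quick on $ext_if proto tcp from any to $ext_if port 22 keep state
pass in on $int_if from $int_if:network to any keep state
"""

MACRO_RE = re.compile(r'^(\w+)\s*=\s*"?(.*?)"?$')   # name = "value"
PORT_RE = re.compile(r'\bport\s+(\{[^}]*\}|\S+)')  # port 22 | port { 22, 80 }

def expand_macros(text):
    """Return (macros, rules): macro definitions and rule lines with $name expanded."""
    macros, rules = {}, []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2).strip()
        else:
            rules.append(re.sub(r'\$(\w+)', lambda x: macros.get(x.group(1), x.group(0)), line))
    return macros, rules

def exposed_ports(text):
    """Ports that rdr / pass-in rules on the external interface accept from any source."""
    macros, rules = expand_macros(text)
    ext = macros.get('ext_if')
    found = set()
    for rule in rules:
        # only inbound rules on the external interface with an unrestricted source
        if rule.startswith(('rdr', 'pass in')) and f'on {ext} ' in rule and 'from any' in rule:
            for spec in PORT_RE.findall(rule):
                found.update(p.strip() for p in spec.strip('{}').split(','))
    return sorted(found, key=lambda p: (not p.isdigit(), p.zfill(5)))
```

Run it on the real /etc/pf.conf with open(...).read() instead of the sample; pfctl -nf /etc/pf.conf still does the syntax check, this only shows the exposure.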

I will update with how to install squid + dansguardian + clamav + pf…

give me some time. :p

Comments
  1. jenny says:

    I love your blog, lots of useful information. I’ve added it to my favorite bookmarks and subscribed in a reader.

    All these issues are important, and that’s why I just started blogging a while ago and it feels great.
