rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8<VLAN_MTU>
ether 00:1d:0f:ff:ae:15
inet 169.254.182.251 netmask 0xffffff00 broadcast 169.254.182.255
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
rl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8<VLAN_MTU>
ether 00:1d:0f:ff:9d:cd
inet 192.168.2.2 netmask 0xffffff00 broadcast 192.168.2.255
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> metric 0 mtu 1500
pfsync0: flags=0<> metric 0 mtu 1460
syncpeer: 224.0.0.240 maxupd: 128
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
inet6 ::1 prefixlen 128
inet 127.0.0.1 netmask 0xff000000
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33204
# macros
# Interface roles. In the ifconfig output above, rl1 carries 192.168.2.2/24
# (a private range, so the "external" side presumably sits behind another
# router) and rl0 carries 169.254.182.251/24, which is the IPv4 link-local
# range a host normally self-assigns when it obtained no address -- confirm
# rl0 is really addressed the way it is meant to be.
ext_if="rl1"
int_if="rl0"
lo_if="lo0"
# SAMBA 137,138,139,445
# SSH 22
# DNS 53
# RNDC 953
# 113 (auth/ident) is also in the list but not named above.
# The pass rule below matches these as TCP only; 137/138 (NetBIOS name and
# datagram service) and 53 are commonly carried over UDP as well, so those
# UDP flows are not admitted by this ruleset.
tcp_services="{ 22, 53, 113, 137, 138, 139, 445, 953 }"
# Only ICMP echo requests (ping) are accepted.
icmp_types="echoreq"
# comp3="192.168.0.3"
# options
# Blocked packets are answered with a TCP RST / ICMP unreachable rather than
# dropped silently (the loaded ruleset shows this as "block return in all").
set block-policy return
set loginterface $ext_if
# Loopback traffic bypasses the filter entirely.
set skip on lo
# scrub
# Normalise inbound packets; in the loaded ruleset this becomes
# "scrub in all fragment reassemble".
scrub in
# nat/rdr
# Source-NAT everything leaving $ext_if that did not originate from the
# interface's own address, using the interface's first address.
nat on $ext_if from !($ext_if) -> ($ext_if:0)
# nat-anchor "ftp-proxy/*"
# rdr-anchor "ftp-proxy/*"
#rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
# rdr on $ext_if proto tcp from any to any port 80 -> $comp3
# filter rules
# Default policy: deny inbound on every interface, allow all outbound.
# pf evaluates rules last-match-wins unless a rule carries "quick".
block in
pass out
# Anchor for ftp-proxy(8) rules. The rdr rule that would hand FTP to the
# proxy is commented out above, so this anchor is presumably empty.
anchor "ftp-proxy/*"
# Drop packets whose source address belongs to lo or $int_if but that arrive
# on another interface (expands to the "block drop in quick" rules in the
# loaded ruleset).
antispoof quick for { lo $int_if }
# Opens every port in $tcp_services to any source on the external interface,
# SMB/NetBIOS included. If $ext_if ever faces an untrusted network, narrow
# "from any" to the trusted subnet.
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services
# pass in on $ext_if inet proto tcp from any to $comp3 port 80 \
# synproxy state
# No "on" clause: ping is accepted on every interface, not only $ext_if.
pass in inet proto icmp all icmp-type $icmp_types
# No direction given: everything on the internal interface passes both ways,
# without state tracking; "quick" makes this the final decision for rl0.
pass quick on $int_if no state
tags[/url]. Oh, and I don't need a PM ..
#----------------------- PF RULES ----------------------
# This looks like the ruleset as pfctl(8) prints it after loading the
# pf.conf above: macros and service names resolved, and implicit defaults
# such as "flags S/SA keep state" spelled out.
scrub in all fragment reassemble
block return in all
pass out all flags S/SA keep state
anchor "ftp-proxy/*" all
# Expansion of "antispoof quick for { lo $int_if }": first the loopback
# addresses, then rl0's 169.254.182.0/24 network.
block drop in quick on ! lo inet6 from ::1 to any
block drop in quick on ! lo inet from 127.0.0.0/8 to any
block drop in quick on lo0 inet6 from fe80::1 to any
block drop in quick inet6 from ::1 to any
block drop in quick inet from 127.0.0.1 to any
block drop in quick on ! rl0 inet from 169.254.182.0/24 to any
block drop in quick inet from 169.254.182.251 to any
# One rule per entry of $tcp_services, all TCP only.
pass in on rl1 inet proto tcp from any to (rl1) port = ssh flags S/SA keep state
pass in on rl1 inet proto tcp from any to (rl1) port = domain flags S/SA keep state
pass in on rl1 inet proto tcp from any to (rl1) port = auth flags S/SA keep state
pass in on rl1 inet proto tcp from any to (rl1) port = netbios-ns flags S/SA keep state
pass in on rl1 inet proto tcp from any to (rl1) port = netbios-dgm flags S/SA keep state
pass in on rl1 inet proto tcp from any to (rl1) port = netbios-ssn flags S/SA keep state
pass in on rl1 inet proto tcp from any to (rl1) port = microsoft-ds flags S/SA keep state
pass in on rl1 inet proto tcp from any to (rl1) port = rndc flags S/SA keep state
pass in inet proto icmp all icmp-type echoreq keep state
pass quick on rl0 all no state
#----------------------- NAT ----------------------
nat on rl1 from ! (rl1) to any -> (rl1:0)
DutchDaemon said: You'd expect a complaint from either pfctl or ifconfig for that ..