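# pf.conf -- packet filter ruleset for a NAT / proxy gateway
# $x is the external (INTERNET) interface, $i the internal (LAN) interface.
# This file uses the classic "nat on" / "rdr on" translation syntax; on that
# pf generation translation runs before filtering, so outbound filter rules
# on $x see the translated (external) source address, not the LAN address.

# Declaration of variables
i="em1"
x="em0"
lan="192.168.2.0/24"
# Local address the rdr rules hand proxied traffic to (squid, ftp-proxy)
gw="127.0.0.1"
# Ports the LAN and the firewall itself may reach out on; 3128 = squid
tcp_services = "{ https, ssh, smtp, domain, www, ntp, imap, 3128, ftp-proxy }"
udp_services = "{ domain, ntp }"
icmp_types = "{ echoreq, unreach }"
# Web ports that are redirected into squid
www="{ 80:83, 1080, 8080:8081, 8088, 11523}"

set block-policy return
set loginterface $x
set skip on lo
scrub in all

# required for ftp-proxy
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

#-----Network Address Translation------#
# Perform NAT for the entire LAN
# A bare interface name ("from $i") expands to that interface's own
# address(es), not to its subnet, so the LAN hosts would not be matched;
# use the LAN prefix like the other LAN-scoped rules below do.
nat on $x from $lan to any -> ($x)

#-----Redirection----------------------#
# Redirect requests from LAN:80 to 127.0.0.1:3128 (squid)
# This allows clients to access the web using the proxy
rdr on $i inet proto tcp from $lan to any port $www -> $gw port 3128
# Redirect ftp traffic from LAN:21 to 127.0.0.1:8021 (ftp-proxy)
# This allows clients to access FTP sites
rdr on $i inet proto tcp from $lan to any port ftp -> $gw port ftp-proxy
# Redirect attempts from the INTERNET to connect to TCP:80 on the
# firewall. Legitimate attempts to access this port will be from users
# trying to access the network's web server. These connection attempts
# need to be redirected to WEBPC. Change the ip address that corresponds
# to your web server
# rdr on $x inet proto tcp from any to any port $www -> 192.168.2.23

#-----Filter Rules------#
# Default deny all (inbound). There is no "block out": outbound packets
# that match no "pass out" rule are still let through by pf's default,
# only without state, so their replies are then dropped by this rule.
block in
anchor "ftp-proxy/*"
# Protection from spoofed address
antispoof quick for {lo $i}
# Allow incoming requests from the INTERNET destined to the firewall
# itself. Uncomment this to open ports from $tcp_services and
# $udp_services to be available for the INTERNET
# (TCP flags only apply to tcp rules; pfctl rejects "flags" on udp)
# pass in on $x inet proto tcp from any to ($x) port $tcp_services flags S/SA keep state
# pass in on $x inet proto udp from any to ($x) port $udp_services keep state
# Having an rdr rule which passes the web server traffic to
# 192.168.2.23, we MUST also pass this traffic through the firewall
# Uncomment this when you have enabled the web server to be available
# on the INTERNET
# pass in log on $x inet proto tcp from any to 192.168.2.23 port 80 flags S/SA synproxy state
# For added bit of security, we'll make use of TCP SYN Proxy to protect
# The Web server. ICMP traffic needs to be passed:
# This rule applies to all interfaces. Change it if you want to
# apply the rule to a particular interface
pass in inet proto icmp all icmp-type $icmp_types keep state
# Allow incoming ssh request from INTERNET:22 to Firewall
# This exposes ssh to every source address; it is logged, so watch the
# log interface for brute-force noise and restrict the source (or add a
# max-src-conn-rate / overload table) if it becomes a problem.
pass in log on $x inet proto tcp from any to $x port ssh keep state
# Allow incoming tcp_services from LAN to ANY
pass in log on $i inet proto tcp from $lan to any port $tcp_services keep state
# Allow incoming udp_services from LAN to ANY
pass in log on $i inet proto udp from $lan to any port $udp_services keep state
# Allow outgoing tcp_services from Firewall to INTERNET
# "from $x" also matches LAN traffic here, because after NAT its source
# is the external address. The author noted that "from any" works too
# but is very slow.
pass out log on $x inet proto tcp from $x to any port $tcp_services keep state
# Allow outgoing udp_services from Firewall to INTERNET
pass out log on $x inet proto udp from $x to any port $udp_services keep state
# TCP, UDP, and ICMP traffic is permitted to exit the firewall towards
# the INTERNET. State information is kept so that the returning
# packets will be passed back in through the firewall. This passes ALL
# outbound traffic, which is why it is left commented out.
# pass out keep state
# Explicit https pass for the LAN, evaluated first because of "quick".
pass in quick on $i inet proto tcp from $lan to any port 443 keep state
# On $x the packet has already been translated, so "from $lan" never
# matches there; match the external address as the rule above does.
pass out quick on $x inet proto tcp from $x to any port 443 keep state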