I am using Trihexagonal's pf.conf (https://forums.FreeBSD.org/threads/firewall-for-home-user.63277/post-365628), but I want to forward ports through it while keeping his bulletproof settings. Does my conf look okay? I am not sure if I am using rdr correctly.
Thanks
Code:
### Macro name for external interface
ext_if = "wlan0"
### Ports blocked inbound on $ext_if (used by "Block specific ports" below)
netbios_tcp = "{ 22, 23, 25, 80, 110, 111, 123, 512, 513, 514, 515, 6000, 6010 }"
netbios_udp = "{ 123, 512, 513, 514, 515, 5353, 6000, 6010 }"
### Macros to define the set of TCP and UDP ports to open.
### Add additional ports or ranges separated by commas.
### (mosh control would need UDP 60000-60010, http://mosh.mit.edu/; not in this list)
myservices = "{ 54304, 54305 }"
#icmp_types = "echoreq"
### Redirect target for the forwarded ports: this host itself
mycomp="127.0.0.1"
### State options for per-service pass rules. Defined but not used by any
### rule below; ISN modulation is done by the "pass out ... modulate state"
### rule, since broken operating systems sometimes don't randomize the
### initial sequence number, making it guessable.
tcp_state="flags S/SA keep state"
udp_state="keep state"
### Don't send rejections. Just drop.
set block-policy drop
### Pass loopback (kept together with the other set options)
set skip on lo0
### Reassemble fragmented packets
scrub in on $ext_if all fragment reassemble
### Port forward: inbound TCP to $myservices on $ext_if is redirected to
### $mycomp on the same port (no port given after "->").
### "pass" here means matching packets are passed WITHOUT evaluating the
### filter rules below, so the antispoof and bogon blocks never see them;
### drop "pass" and add an explicit "pass in" rule to keep them in effect.
rdr pass log on $ext_if proto { tcp } from any to any port $myservices -> $mycomp
#rdr pass log on $ext_if proto { tcp, udp } from any to any port $myservices -> $mycomp
### Default deny everything
block log all
### Block spooks
antispoof for lo0
antispoof for $ext_if inet
block in from no-route to any
block in from urpf-failed to any
### Drop broadcast requests quietly.
block in quick on $ext_if from any to 255.255.255.255
block in log quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 } to any
### Block all IPv6
block in quick inet6 all
block out quick inet6 all
### Block to and from port 0
block quick proto { tcp, udp } from any port = 0 to any
block quick proto { tcp, udp } from any to any port = 0
### Block specific ports
block in quick log on $ext_if proto tcp from any to any port $netbios_tcp
block in quick log on $ext_if proto udp from any to any port $netbios_udp
### Keep and modulate state of outbound tcp, udp and icmp traffic
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state
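As an added example (not from the post, nor from Trihexagonal's conf), the same forward written so that the block rules still apply to the redirected traffic: the rdr rule loses its pass keyword, and an explicit pass in rule placed after the blocks admits only the redirected TCP. The interface and ports are the poster's; restricting the redirect to ($ext_if) is my choice, and the block rules are abbreviated.

```pf
### Added example: translate without "pass", then filter explicitly.
ext_if = "wlan0"
myservices = "{ 54304, 54305 }"
mycomp = "127.0.0.1"

set block-policy drop
set skip on lo0
scrub in on $ext_if all fragment reassemble

### Translation only. Without "pass", the redirected packet is still run
### through the filter rules below. "to ($ext_if)" matches only this
### host's own address on the interface, not traffic merely passing
### through it. No port after "->" keeps the original destination port.
rdr on $ext_if proto tcp from any to ($ext_if) port $myservices -> $mycomp

block log all
antispoof for lo0
antispoof for $ext_if inet
block in from no-route to any
block in from urpf-failed to any
block in log quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } to any

### Filter rules see the translated packet, so match on the redirect
### target. flags S/SA: only a SYN without ACK may create state.
pass in log on $ext_if proto tcp from any to $mycomp port $myservices flags S/SA keep state

pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state

### Checks (as root):
###   pfctl -nf /etc/pf.conf   parse only, nothing is loaded
###   pfctl -s nat             show the loaded rdr rule
###   pfctl -s rules           confirm the block rules precede the pass in
```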