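# pf.conf -- OpenBSD packet filter ruleset for a two-interface NAT gateway:
# internal network on vio0, upstream/internet on vio1.
# Every filter rule below uses "quick", so the FIRST matching rule wins and
# rule order is part of the policy; ordering constraints are noted inline.

# interfaces
int_if = "vio0"
ext_if = "vio1"

# networks
# Parentheses make pf re-read the interface's addresses at runtime instead of
# expanding them once at load (the external address is expected to change,
# see the dhcpv6 rule).
int_net = "(" $int_if:network ")"
ext_net = "(" $ext_if:network ")"

# my addresses (":0" = primary addresses only, no aliases)
int_me = "(" $int_if:0 ")"
ext_me = "(" $ext_if:0 ")"

# administrative hosts allowed to reach ssh over the external interface
# (fsol and arc office). "const" keeps the table immutable at runtime, so the
# allowlist can only be changed by editing this file and reloading.
table <admin_hosts> const { 37.35.86.64/29, 37.16.96.144/28, 81.175.155.142/32 }

# ICMPv4 types accepted without an existing state. ICMP errors that belong to
# an existing TCP/UDP state (PMTUD needfrag, traceroute time-exceeded) are
# matched by pf's state tracking and do not depend on this list.
icmp_types = "{ echoreq, unreach }"

# options
# NOTE(review): "return" answers every blocked packet with a RST / ICMP
# unreachable, including unsolicited probes arriving on $ext_if. Consider
# "block drop" for the external catch-all if the host should not reveal
# that it is filtering.
set block-policy return
set loginterface $int_if
set skip on lo0

# assemble fragmented packets
match in all scrub (no-df)

# nat outgoing traffic
match out on $ext_if inet from $int_net nat-to $ext_me

# antispoof
# Must precede the first "pass quick" rule AND carry "quick" itself: the
# expanded antispoof rules are plain "block" rules, so a later matching
# "pass quick" (e.g. the icmp rule) would override them. In the original
# ordering spoofed icmp/dhcpv6 was passed before antispoof was evaluated.
# NOTE(review): antispoof expands interface networks at ruleset load time;
# reload the ruleset after $ext_if's address changes.
antispoof quick for { lo0, $int_if, $ext_if }

# ftp proxy
anchor "ftp-proxy/*"

# allow carp traffic
# Both directions explicitly; inbound carp previously passed only as a side
# effect of the generic int_net forwarding rule further down.
# NOTE(review): if pfsync is used between the carp peers, pass it here too.
pass quick on $int_if proto carp

# allow icmp
pass quick inet proto icmp icmp-type $icmp_types
# ICMPv6 is left unrestricted on purpose: neighbour/router discovery,
# packet-too-big and parameter-problem messages are required for IPv6 to
# function. Restrict to an explicit icmp6-type list only after confirming
# the NDP types the network relies on.
pass quick inet6 proto icmp6

# allow dhcpv6 to myself
# NOTE(review): DHCPv6 servers/relays normally send from a link-local source
# and udp port dhcpv6-server; "from fe80::/10 port dhcpv6-server" would be a
# tighter match if that holds for this upstream.
pass in quick inet6 proto udp from any to $ext_me port dhcpv6-client

# admin connection (internal, fsol and arc office)
pass in quick on $int_if proto tcp from $int_net to self port ssh
pass in quick on $ext_if proto tcp from <admin_hosts> to self port ssh

# allow dns queries from internal net
pass in quick on $int_if proto { tcp, udp } from $int_net to self port domain

# block rest of packets coming to me
block in quick from any to self

# allow communication from internal to world
# State is created here; with pf's default floating state policy the
# outbound leg on $ext_if and the replies are matched by that state.
pass in quick on $int_if from $int_net to !$int_net

# allow myself to communicate outside (both routes)
pass out quick on $ext_if from self to any
pass out quick on $int_if from self to any

# traffic towards internal hosts leaving on $int_if
# There is no "pass in on $ext_if" for new connections from outside, so this
# only affects locally originated or already-stateful traffic; unsolicited
# inbound connections are still blocked by the final catch-all.
pass out quick on $int_if from any to $int_net

# drop rest
block in quick log all
block out quick log all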