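# pf.conf — OpenBSD packet filter ruleset for a multi-interface firewall
# (internal, pfsync, external, dmz, and a tap interface toward an OSPF router).
# Default deny: anything not matched by an earlier "quick" rule is dropped
# and logged by the final two rules.

# interfaces
int_if = "vio0"
sync_if = "vio1"
ext_if = "vio2"
dmz_if = "vio3"
fsol_if = "tap0"

# networks
# "(" ... ")" makes pf re-resolve the address whenever the interface changes
int_net = "(" $int_if:network ")"
ext_net = "(" $ext_if:network ")"
# NOTE: dmz_net is derived from the carp145 interface, not from $dmz_if
dmz_net = "(" carp145:network ")"

# my addresses
int_me = "(" $int_if:0 ")"
ext_me = "(" $ext_if:0 ")"

# options
# answer blocked TCP/UDP with RST / ICMP unreachable instead of a silent drop
set block-policy return
set loginterface $int_if
# loopback traffic is not filtered at all
set skip on lo0

# assemble fragmented packets
match in all scrub (no-df)

# antispoof: drop packets arriving on the wrong interface with a loopback or
# internal-network source address.  Placed before any "pass quick" rule and
# marked "quick" itself: pf is last-match-wins, so a non-quick antispoof
# block would be overridden by any later "pass quick" that matches the same
# packet (e.g. the ICMP rules below, or the "from any" rules on $fsol_if).
antispoof quick for { lo0 $int_if }

# allow icmp
# NOTE(review): this admits every ICMP/ICMPv6 type, in both directions, on
# every interface; narrow with "icmp-type" / "icmp6-type" if that is tighter
# than intended
pass quick inet proto icmp
pass quick inet6 proto icmp6

# admin connection and munin (internal)
pass in quick on $int_if proto tcp from $int_net to self port ssh keep state (no-sync)
pass in quick on $int_if proto tcp from $int_net to self port 4949 keep state (no-sync)

# internal network
# everything else addressed to the firewall's own addresses stops here, so the
# "pass in" rules below only apply to traffic not destined to self
block in quick from any to self
pass out quick on $int_if from $int_me to $int_net keep state (no-sync)

# dmz network
pass quick on $dmz_if proto carp
pass in quick on $dmz_if inet from $dmz_net to any
pass out quick on $dmz_if inet from any to $dmz_net

# allow myself to communicate dna network but don't use pfsync
pass out quick on $ext_if from self to any keep state (no-sync)

# pfsync interface
pass quick on $sync_if proto pfsync keep state (no-sync)

# fsol (router) network
pass in quick on $fsol_if proto ospf from any to any
pass out quick on $fsol_if proto ospf from self to any
pass in quick on $fsol_if inet from any to $dmz_net
pass out quick on $fsol_if inet from $dmz_net to any
pass out quick on $fsol_if inet from self to any

# drop rest
block in quick log all
block out quick log all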