Now you can all laugh at me! After fixing this one, and getting everything working on my second attempt from scratch, I forgot to put 'block in all', so if you portscanned me just an hour ago I had EVERYTHING open. I used nmap on myself from my virtual private server. Oh shame.

So I have a suggestion worth considering: if the line "block in all" does not appear, pfctl -nf should perhaps spit out a warning. Much like you've done with your pretty compilers over there. The third attempt sure is nice though...

int_if="xl0"
ext_if="pppoe0"
mod_if="fxp0"
thenetwrk="10.0.0.0/8"
rothbard="10.0.0.10"
baal="10.0.0.2"
smass="10.0.0.1"

tcp_services = "{22}"
icmp_types = "echoreq"
ports_rothbard = "{17000,17001,17002,17003,17004,17005,2322}"
ports_smass = "{17100,17101,17102,17103,17104,17105,2222}"

set block-policy return #This might perform better as drop.
set loginterface $ext_if
set skip on lo
set skip on $mod_if #lets anything chat with the modem.

anchor "ftp-proxy/*"
pass in quick on $int_if inet proto tcp to any port ftp \
    divert-to 127.0.0.1 port 8021

match out on $ext_if from $int_if:network to any nat-to ($ext_if)

block in
pass out quick

antispoof quick for { lo $int_if }

pass in on $ext_if inet proto tcp from any to (egress) \
    port $tcp_services
pass in on egress inet proto tcp from any to (egress) \
    port $ports_rothbard rdr-to $rothbard
pass in on egress inet proto tcp from any to (egress) \
    port $ports_smass rdr-to $smass
pass in inet proto icmp all icmp-type $icmp_types
pass in on $int_if

-- www.johntate.org
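The warning asked for above can be bolted on in front of pfctl today. The script below is an added example, not code from the post or from pf; it assumes a pf.conf-style file and uses a heuristic pattern for a default-deny rule (a `block` line carrying only `drop`, `return`, `log`, `in`, `out`, `all` or `quick` keywords, with no interface, protocol or address qualifier). The two sample rulesets are constructed for the demonstration. pfctl -nf only parses the file, so a ruleset with no default block passes it cleanly; this wrapper refuses to hand such a file over.

```sh
#!/bin/sh
# Added example (not from the original post): refuse to load a pf ruleset
# that has no default "block" rule, the omission described in the post.
# The regex is a heuristic (assumption): it accepts "block", "block all",
# "block in", "block in all", "block log all", "block drop in all",
# "block return in", "block in quick" and trailing comments, but treats a
# block rule with "on", "proto", "from" or "to" as a specific rule, not a
# default.

# has_default_block FILE -> exit 0 if a default-deny rule is present, else 1
has_default_block() {
    grep -Eq '^[[:space:]]*block([[:space:]]+(drop|return|log|in|out|all|quick))*[[:space:]]*(#.*)?$' "$1"
}

# check_ruleset FILE -> exit 0 if it is safe to hand FILE to pfctl, else
# print a warning on stderr and exit 1
check_ruleset() {
    if has_default_block "$1"; then
        return 0
    fi
    echo "warning: $1 has no default 'block in all' rule;" \
         "everything not matched by a pass rule is allowed through" >&2
    return 1
}

# Constructed sample rulesets (not real configurations).
good=$(mktemp)
bad=$(mktemp)
cat > "$good" <<'EOF'
ext_if="pppoe0"
set skip on lo
block in
pass out quick
pass in on $ext_if inet proto tcp from any to (egress) port 22
EOF
cat > "$bad" <<'EOF'
ext_if="pppoe0"
set skip on lo
pass out quick
block in on $ext_if proto udp   # specific rule, not a default deny
pass in on $ext_if inet proto tcp from any to (egress) port 22
EOF

# Usage: gate the real load on the check, e.g.
#   check_ruleset /etc/pf.conf && pfctl -nf /etc/pf.conf
check_ruleset "$good" || :   # silent: default block present
check_ruleset "$bad"  || :   # prints the warning
```

Wiring `check_ruleset` in front of `pfctl -f` in whatever script or rc hook loads the ruleset gives the compiler-style warning the post asks for without touching pfctl itself.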