Bientôt :).
# PF configuration script
##############
# I - MACROS #
##############
localhost = "127.0.0.1"
# Interfaces: external (Internet), internal (LAN) and DMZ.
ext_if = "fxp0"
int_if = "tl1"
dmz_if = "tl0"
int_net = "192.168.2.0/24"
dmz_net = "192.168.1.0/24"
# arbeit is my main workstation
arbeit = "192.168.2.1"
#arbeit_services_tcp = "{3000, 4665}" # 3000 => Testing my Ruby on Rails applications from the outside world...
# Ports forwarded from the Internet to arbeit (rdr in section VI) and then
# admitted by the INET -> arbeit rules in section VII. The TCP and UDP
# ports differ (4665 vs 4675), so each protocol's rule must use its own macro.
arbeit_services_tcp = "4665" # Hello HADOPI !
arbeit_services_udp = "4675"
# espoir is my home server
espoir = "192.168.1.1"
# Every port listed here is reachable from the Internet (rdr in section VI,
# pass in section VII) and from the LAN; keep it to what espoir really serves.
espoir_services_tcp = "{ ssh, smtp, www, https, submission, silc, pop3s }"
# espoir_services_udp = ""
# espoir_authorized_hosts = ""
# espoir_authorized_tcp_ports = ""
# espoir_authorized_udp_ports = ""
# origine is my gateway/firewall
# Services the gateway itself offers, per network it is attached to.
origine_services_lan_tcp = "{ ssh, https, ntp, postgresql }"
origine_services_lan_udp = "ntp"
origine_services_dmz_tcp = "{ ntp, postgresql }"
origine_services_dmz_udp = "ntp"
# ftp.irisa.fr, ftp.eu.openbsd.org
#origine_authorized_hosts = "131.254.254.45, 130.237.164.232"
#origine_authorized_tcp_ports = "ftp-data, ftp, ntp"
#origine_authorized_udp_ports = "ntp"
# ICMP types admitted on every interface, in both directions, by the
# stateful ICMP rule in section VII.
icmp_types = "{ echoreq, unreach }"
###############
# II - TABLES #
###############
# Sources exempted from the spamd redirection in section VI.
table <spamd-white> persist
#table <nospamd> persist file "/etc/mail/nospamd"
# Turning away the brutes.
# Filled by the overload clause of the SSH rule in section VII. pf never
# ages these entries out by itself; expire them periodically (for example
# "pfctl -t bruteforce -T expire <seconds>" from cron) or the table only grows.
table <bruteforce> persist
# Non-routable addresses from elsewhere...
# const: the contents cannot be altered at runtime with pfctl.
table <martians> const { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
0.0.0.0/8, 240.0.0.0/4 }
#################
# III - OPTIONS #
#################
# Blocked packets are answered with a TCP RST / ICMP unreachable rather than
# silently dropped. This is global, so it also applies on $ext_if, where it
# lets an outside scanner distinguish closed from filtered ports; individual
# rules may override it with "block drop".
set block-policy return
# Interface whose packet/byte counters show up in "pfctl -s info".
set loginterface $ext_if
set debug misc
# Loopback traffic bypasses the filter entirely.
set skip on lo0
##############
# IV - SCRUB #
##############
# Normalise traffic on the external interface before filtering:
# no-df clears the don't-fragment bit, random-id randomises the IP id,
# "reassemble tcp" normalises TCP (timestamps etc.), and "fragment reassemble"
# rebuilds fragmented packets so the rules below see whole datagrams.
scrub on $ext_if no-df random-id reassemble tcp fragment reassemble
################
# V - QUEUEING #
################
# Nothing. :)
####################
# VI - TRANSLATION #
####################
# Translation is tag-driven: the filter rules in section VII tag the traffic
# they admit (LAN_INET, DMZ_INET); only packets carrying those tags are
# NATed here, and they are re-tagged so the matching "pass out" can find them.
# NAT on LAN -> INET (but not on LAN -> DMZ)
nat on $ext_if tag LAN_INET_NAT tagged LAN_INET -> ($ext_if)
# NAT on DMZ -> INET (but not on DMZ -> LAN)
nat on $ext_if tag DMZ_INET_NAT tagged DMZ_INET -> ($ext_if)
# spamd
#no rdr on egress proto tcp from <nospamd> to any port smtp
#no rdr on egress proto tcp from <spamd-white> to any port smtp
#rdr pass on egress proto tcp from any to any port smtp -> 127.0.0.1 port spamd
#rdr on $ext_if proto tcp from <spamd-white> to ($ext_if) port smtp tag INET_ESPOIR -> $espoir
# SMTP from anyone not in <spamd-white> goes to the local spamd. "rdr pass"
# admits that traffic immediately, without consulting section VII.
rdr pass on $ext_if proto tcp from !<spamd-white> to ($ext_if) port smtp -> $localhost port spamd
# arbeit
# Port forwards to arbeit. Unlike the spamd rule these match "to any" instead
# of "to ($ext_if)"; consider narrowing them to the external address.
# The redirected packets are then matched by the INET -> arbeit rules in
# section VII, which must use the same per-protocol port macros.
rdr on $ext_if proto tcp from any to any port $arbeit_services_tcp -> $arbeit
rdr on $ext_if proto udp from any to any port $arbeit_services_udp -> $arbeit
# espoir
# Forwards every port in $espoir_services_tcp to the DMZ server.
rdr on $ext_if proto tcp from any to any port $espoir_services_tcp -> $espoir
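######################
# VII - FILTER RULES #
######################
# Drop packets that claim a LAN or DMZ source address but arrive on another
# interface (and packets sourced from the interface's own address).
antispoof log quick for $int_if
antispoof log quick for $dmz_if
# Default deny policy.
# Only inbound IPv6 is dropped here; outbound IPv6 falls under the
# per-interface blocks below and any later "pass out" rule that matches it.
block in quick inet6 all
block on $ext_if
block on $int_if
block in on $dmz_if
block out log on $dmz_if
# Turning away the brutes
# <bruteforce> is fed by the overload clause of the SSH rule (INET -> espoir).
block in quick on $ext_if from <bruteforce>
# Non-routable addresses from elsewhere...
block in quick on $ext_if from <martians> to any
block out quick on $ext_if from any to <martians>
# Stateful ICMP for $icmp_types on every interface, both directions; echo
# requests from the Internet to ($ext_if) are therefore answered.
pass inet proto icmp all icmp-type $icmp_types keep state
# INET -> GATEWAY
# INET -> origine
# Nothing. :)
# GATEWAY -> INET
# origine -> INET
pass out log quick on $ext_if from ($ext_if) keep state
# DMZ -> GATEWAY
# espoir -> origine
# NTP
pass in log quick on $dmz_if proto tcp from $espoir to ($dmz_if) port $origine_services_dmz_tcp keep state # TCP
pass in log quick on $dmz_if proto udp from $espoir to ($dmz_if) port $origine_services_dmz_udp keep state # UDP
# GATEWAY -> DMZ
# espoir -> origine
# Nothing. :)
# LAN -> GATEWAY
# LAN -> origine
# SSH
pass in log quick on $int_if proto tcp from $int_net to ($int_if) port $origine_services_lan_tcp keep state # TCP
pass in log quick on $int_if proto udp from $int_net to ($int_if) port $origine_services_lan_udp keep state # UDP
# GATEWAY -> LAN
# Nothing. :)
# LAN -> INET
# Remember: those rules are NATed...
# "to !$dmz_net" also matches the gateway's own addresses, so without the
# block below a LAN host could reach any TCP/UDP port on origine rather than
# only $origine_services_lan_* (already admitted by the quick rules above).
# Restricted to tcp/udp so the ICMP rule above keeps working.
block in log quick on $int_if proto { tcp, udp } from $int_net to { ($int_if), ($dmz_if), ($ext_if) }
pass in quick on $int_if from $int_net to !$dmz_net tag LAN_INET keep state
pass out quick on $ext_if tagged LAN_INET_NAT keep state
# INET -> LAN
# INET -> arbeit
# e-mule (Hi HADOPI !)
# These rules see the traffic after the rdr of section VI, so the UDP rule
# must match the UDP port macro (4675); with $arbeit_services_tcp it never
# matched the redirected UDP flow.
pass in on $ext_if proto tcp to $arbeit port $arbeit_services_tcp tag INET_ARBEIT_TCP keep state
pass in on $ext_if proto udp to $arbeit port $arbeit_services_udp tag INET_ARBEIT_UDP keep state
pass out on $int_if tagged INET_ARBEIT_TCP keep state
pass out on $int_if tagged INET_ARBEIT_UDP keep state
# LAN -> DMZ
# LAN -> espoir
pass in log quick on $int_if proto tcp from $int_net to $espoir port $espoir_services_tcp tag LAN_ESPOIR_TCP keep state # TCP
# No port restriction: any UDP from the LAN reaches espoir (there is no
# espoir_services_udp macro yet). "keep state" is implicit but spelled out
# to match the surrounding rules.
pass in log quick on $int_if proto udp from $int_net to $espoir tag LAN_ESPOIR_UDP keep state # UDP
pass out quick on $dmz_if tagged LAN_ESPOIR_TCP keep state
pass out quick on $dmz_if tagged LAN_ESPOIR_UDP keep state
# DMZ -> LAN
# espoir -> LAN
# pass in log on $dmz_if from $espoir to $int_net keep state
# INET -> DMZ
# INET -> espoir
# Turning away the brutes.
# SSH: synproxy completes the handshake before espoir sees the connection;
# a source with more than 25 open connections, or more than 10 new ones in
# 5 seconds, is added to <bruteforce> and all of its states are flushed.
pass in log quick on $ext_if proto tcp to $espoir port ssh tag INET_ESPOIR flags S/SA synproxy state \
(max-src-conn 25, max-src-conn-rate 10/5, overload <bruteforce> flush global)
pass in log on $ext_if proto tcp to $espoir port $espoir_services_tcp tag INET_ESPOIR flags S/SFRA synproxy state
pass out quick on $dmz_if tagged INET_ESPOIR keep state
# DMZ -> INET
# espoir -> INET
# Remember: those rules are NATed...
# Same exposure as LAN -> INET: "to !$int_net" includes the gateway's
# addresses, so restrict espoir to the $origine_services_dmz_* ports
# admitted above.
block in log quick on $dmz_if proto { tcp, udp } from $espoir to { ($int_if), ($dmz_if), ($ext_if) }
pass in log quick on $dmz_if from $espoir to !$int_net tag DMZ_INET keep state
pass out quick on $ext_if tagged DMZ_INET_NAT keep state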
OpenBSD 4.5 (GENERIC) #0: Sat May 23 10:34:00 CEST 2009
maxime@origine.truc.bidule:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: AMD-K6(tm) 3D processor ("AuthenticAMD" 586-class) 502 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,MCE,CX8,PGE,MMX
real mem = 133775360 (127MB)
avail mem = 121077760 (115MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 12/17/98, BIOS32 rev. 0 @ 0xf0530
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
pcibios0 at bios0: rev 2.1 @ 0xf0000/0xbb2
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf0b40/112 (5 entries)
pcibios0: PCI Interrupt Router at 000:07:0 ("Acer Labs M1533 ISA" rev 0x00)
pcibios0: PCI bus #2 is the last bus
bios0: ROM list: 0xc0000/0x10000 0xd0000/0x800
cpu0 at mainbus0: (uniprocessor)
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "Acer Labs M1541 PCI" rev 0x04
aliagp0 at pchb0
agp0 at aliagp0: aperture at 0xd8000000, size 0x4000000
ppb0 at pci0 dev 1 function 0 "Acer Labs M5243 AGP/PCI-PCI" rev 0x04
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 "S3 Savage 4" rev 0x02
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ohci0 at pci0 dev 2 function 0 "Acer Labs M5237 USB" rev 0x03: irq 3, version 1.0, legacy support
alipm0 at pci0 dev 3 function 0 "Acer Labs M7101 Power" rev 0x00: SMBus disabled
pcib0 at pci0 dev 7 function 0 "Acer Labs M1533 ISA" rev 0xc3
ppb1 at pci0 dev 10 function 0 "IBM 82351 PCI-PCI" rev 0x01
pci2 at ppb1 bus 2
tl0 at pci2 dev 0 function 0 "Compaq DP Netelligent 10/100TX" rev 0x10: irq 15 address 00:08:c7:5f:78:48
nsphy0 at tl0 phy 1: DP83840 10/100 PHY, rev. 1
ukphy0 at tl0 phy 31: Generic IEEE 802.3u media interface, rev. 5: OUI 0x100014, model 0x0001
tl1 at pci2 dev 1 function 0 "Compaq DP Netelligent 10/100TX" rev 0x10: irq 4 address 00:08:c7:5f:78:c8
nsphy1 at tl1 phy 1: DP83840 10/100 PHY, rev. 1
ukphy1 at tl1 phy 31: Generic IEEE 802.3u media interface, rev. 5: OUI 0x100014, model 0x0001
fxp0 at pci0 dev 11 function 0 "Intel 8255x" rev 0x05, i82558: irq 10, address 00:04:ac:98:cb:ad
inphy0 at fxp0 phy 1: i82555 10/100 PHY, rev. 0
pciide0 at pci0 dev 15 function 0 "Acer Labs M5229 UDMA IDE" rev 0xc1: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: <IBM-DTLA-305030>
wd0: 16-sector PIO, LBA, 29314MB, 60036480 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 ignored (disabled)
usb0 at ohci0: USB revision 1.0
uhub0 at usb0 "Acer Labs OHCI root hub" rev 1.00/1.00 addr 1
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: <PC speaker>
spkr0 at pcppi0
lm0 at isa0 port 0x290/8: W83781D
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask 7bed netmask fffd ttymask ffff
mtrr: K6-family MTRR support (2 registers)
softraid0 at root
root on wd0a swap on wd0b dump on wd0b
wd0a: DMA error reading fsbn 16 of 16-31 (wd0 bn 79; cn 0 tn 1 sn 16), retrying
wd0: transfer error, downgrading to Ultra-DMA mode 1
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 1
wd0a: DMA error reading fsbn 16 of 16-31 (wd0 bn 79; cn 0 tn 1 sn 16), retrying
wd0: soft error (corrected)
$ sysctl hw
hw.machine=i386
hw.model=AMD-K6(tm) 3D processor ("AuthenticAMD" 586-class)
hw.ncpu=1
hw.byteorder=1234
hw.pagesize=4096
hw.disknames=wd0,fd0
hw.diskcount=2
hw.sensors.lm0.temp0=34.00 degC
hw.sensors.lm0.temp1=32.50 degC
hw.sensors.lm0.volt0=2.26 VDC (VCore A)
hw.sensors.lm0.volt1=2.24 VDC (VCore B)
hw.sensors.lm0.volt2=3.52 VDC (+3.3V)
hw.sensors.lm0.volt3=4.97 VDC (+5V)
hw.sensors.lm0.volt4=12.34 VDC (+12V)
hw.sensors.lm0.volt5=-11.85 VDC (-12V)
hw.sensors.lm0.volt6=-5.03 VDC (-5V)
hw.cpuspeed=502
hw.physmem=133775360
hw.usermem=133763072