Communication between routing domains and nat

kaycee gb kisscoolandthegangbang at hotmail.fr
Thu Mar 5 09:50:28 UTC 2020


Here is my pf.conf. I tried to slim it down as much as possible while at the same
time preserving what I consider to be the important information. I can reproduce
what I said before with these lines.



# Macros ($ext_if, $ext_ip, $j2, $service1, $vcns, the gre*/rsn*/tun0 nets, ...)
# are defined earlier in the file and are not shown in this excerpt.
table <reserved> { $private_nets }
table <xcast> { $bcast_nets, $ext_if:broadcast }
table <sshguard> persist
table <torenodes> persist

# NAT only the DNS traffic from $j2 that leaves via $ext_if
nat on $ext_if inet from $j2 to any port 53 -> ( $ext_if )

# loopback: $j2 talking to itself is placed in routing table 2
pass quick on lo0 from 127.0.0.1 to 127.0.0.1
pass quick on lo0 from $j2 to $j2 rtable 2
block log quick on lo0

# jail-side interfaces: only DNS from $j2 may leave jsw2, forced into rtable 0
block log quick on jsw1
pass out log quick on jsw2 proto udp from $j2 to $service1 port 53 rtable 0
pass out log quick on jsw2 proto udp from $j2 to $service1ext port 53 rtable 0
block log quick on jsw2

# tunnels: DNS in from the tun0 net, GRE in both directions, everything else dropped
pass in quick on tun0 proto udp from $tun0net to $vcns port 53 rtable 0
pass quick on { tun0, tun1 } proto gre
block log quick on tun0
block log quick on tun1

# GRE interfaces: OSPF with the peers, DNS and SSH in, GRE transit
pass in quick on gre0 proto ospf from { $gre0vc, $gre0rsn }
pass in quick on gre1 proto ospf from { $gre1vc, $gre1rsn }
pass out quick on gre0 proto ospf from { $gre0vc, $gre0rsn }
pass out quick on gre1 proto ospf from { $gre1vc, $gre1rsn }
pass in quick on { gre0, gre1 } proto udp from $service1 to $vcns port 53 rtable 0
pass in quick on { gre0, gre1 } proto udp from $rsnnet2 to $vcns port 53 rtable 0
pass in quick on { gre0, gre1 } proto tcp from $service1 to $vcns port 53 rtable 0
pass in quick on { gre0, gre1 } proto tcp from $rsnnet2 to $vcns port 53 rtable 0
pass in quick on { gre0, gre1 } proto tcp from { $rsnnet1, $rsnnet2 } to $vcsrv port 22
pass quick on { gre0, gre1 } proto gre
block log quick on gre0
block log quick on gre1
block log quick on gre2

# external interface: drop known-bad and spoofed sources, allow SSH in, only $ext_ip out
block in quick on $ext_if from <sshguard>
block in quick on $ext_if from <reserved>
block in quick on $ext_if to <xcast>
block in quick on $ext_if proto tcp from <torenodes> to $ext_ip port 22
pass in quick on $ext_if proto tcp from any to $ext_ip port 22
block in log quick on $ext_if to $ext_ip
pass out quick on $ext_if from $ext_ip
block out log quick on $ext_if from ! $ext_ip

# default deny
block log quick


Maybe someone will see something I can't see myself.

kaycee,


More information about the freebsd-pf mailing list