>
>>
>>pass in quick on lo0 all
>>pass out quick on lo0 all
>>pass in quick on $int_if proto { tcp } from $internal_net to
>>any port { 80, 443 } keep state
>>pass out quick on $ext_if proto { tcp } from $external_addr to
>>any port { 80,443 } keep state
>>
>Will these rules allow incoming and outgoing traffic for browsing, or will
>they also open Apache to the outside if I have it running???
#########################
# Interfaces & Networks #
#########################
ext_if="vr0"
int_if="fxp0"
internal_net="10.10.1.0/24"
external_addr="195.x.x.y"
1:scrub in all
#############
# NAT Rules #
#############
2:nat on $ext_if from $internal_net to any -> ($ext_if)
####################################
3:pass in quick on lo0 all
4:pass out quick on lo0 all
5:pass in quick on $int_if proto { tcp } from $internal_net to any port { 80, 443 } keep state
6:pass out quick on $ext_if proto { tcp } from $external_addr to any port { 80,443 } keep state
####################################
# Allow SSH & ping #
####################################
7:pass in quick on $ext_if inet proto icmp from 195.x.x.x to $ext_if icmp-type 8 keep state
8:pass in quick on $ext_if inet proto tcp from 195.x.x.x to $ext_if port 22 keep state
##############
# Allow Mail #
##############
9:pass in quick on $ext_if inet proto tcp from any to $ext_if port 25 keep state
####################################
10:block in on $ext_if from any to any
In general, by default, at least in OpenBSD, when the pf filter is activated
the pass policy is used. I think it is the same in FreeBSD. But these rules
are written for a default block policy. Otherwise there is no point in
rules 3, 4 and 5. Rule 6 would then only be needed to create an entry in the
state table and allow the incoming traffic from the web servers the clients
contacted, provided rule 10 is used and all incoming traffic is blocked.
All incoming traffic on the external interface is denied by rule 10, so
Apache will not work. BUT for internal requests on the internal interface
Apache will work, provided it is on the 195.x.x.y machine
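The rule evaluation described in the reply (last matching rule wins unless a matching rule is "quick"; unmatched packets get the default policy) as an added toy model in Python, not code from the post or from pf itself. It assumes the interface names from the config above, uses documentation addresses 198.51.100.10 and 198.51.100.1 in place of 195.x.x.y and 195.x.x.x, and ignores scrub, NAT, state tracking and the icmp-type qualifier.

```python
from ipaddress import ip_address, ip_network
ANY = None  # wildcard for a rule field
INTERNAL_NET = ip_network("10.10.1.0/24")
EXTERNAL_ADDR = ip_network("198.51.100.10/32")  # constructed stand-in for 195.x.x.y
ADMIN_HOST = ip_network("198.51.100.1/32")      # constructed stand-in for 195.x.x.x

# (rule no., action, direction, interface, proto, src, dst, dst ports, quick)
# scrub, NAT, state tracking and the icmp-type 8 qualifier are not modelled.
RULES = [
    (3, "pass", "in", "lo0", ANY, ANY, ANY, ANY, True),
    (4, "pass", "out", "lo0", ANY, ANY, ANY, ANY, True),
    (5, "pass", "in", "fxp0", "tcp", INTERNAL_NET, ANY, {80, 443}, True),
    (6, "pass", "out", "vr0", "tcp", EXTERNAL_ADDR, ANY, {80, 443}, True),
    (7, "pass", "in", "vr0", "icmp", ADMIN_HOST, EXTERNAL_ADDR, ANY, True),
    (8, "pass", "in", "vr0", "tcp", ADMIN_HOST, EXTERNAL_ADDR, {22}, True),
    (9, "pass", "in", "vr0", "tcp", ANY, EXTERNAL_ADDR, {25}, True),
    (10, "block", "in", "vr0", ANY, ANY, ANY, ANY, False),
]

def packet(direction, iface, proto, src, dst, dport=None):
    return {"dir": direction, "if": iface, "proto": proto,
            "src": ip_address(src), "dst": ip_address(dst), "dport": dport}

def matches(rule, pkt):
    _, _, direction, iface, proto, src, dst, dports, _ = rule
    return (direction == pkt["dir"] and iface == pkt["if"]
            and proto in (ANY, pkt["proto"])
            and (src is ANY or pkt["src"] in src)
            and (dst is ANY or pkt["dst"] in dst)
            and (dports is ANY or pkt["dport"] in dports))

def evaluate(pkt, default="pass", rules=RULES):
    # pf semantics: the last matching rule wins, except that a matching
    # "quick" rule ends evaluation at once. Returns (action, rule no.);
    # the rule number is None when the default policy decided.
    decision = (default, None)
    for rule in rules:
        if matches(rule, pkt):
            decision = (rule[1], rule[0])
            if rule[8]:
                break
    return decision

# Constructed sample packets; 203.0.113.7 plays an Internet host.
LAN_TO_WEB = packet("in", "fxp0", "tcp", "10.10.1.5", "203.0.113.7", 80)
LAN_TO_APACHE = packet("in", "fxp0", "tcp", "10.10.1.5", "198.51.100.10", 80)
NET_TO_APACHE = packet("in", "vr0", "tcp", "203.0.113.7", "198.51.100.10", 80)
LAN_TO_SSH = packet("in", "fxp0", "tcp", "10.10.1.5", "198.51.100.10", 22)

if __name__ == "__main__":
    for p in (LAN_TO_WEB, LAN_TO_APACHE, NET_TO_APACHE, LAN_TO_SSH):
        print(p["if"], p["dst"], p["dport"], evaluate(p, "pass"), evaluate(p, "block"))
```

Running it shows the reply's point: with a pass default, dropping rules 3, 4 and 5 changes no verdict, while the inbound connection to port 80 on vr0 is blocked by rule 10 either way.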