
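# pf.conf for a small gateway: LAN on $int_if, uplink on $ext_if.
# Rules are evaluated top to bottom; the last matching rule wins unless it
# carries "quick".  The separate nat/rdr/scrub rules and "flags S/SA keep
# state" are the pre-4.7 pf grammar, where translation (nat/rdr) happens
# BEFORE filtering, so filter rules see the translated addresses.
int_if="vr0"
#modem_if="rl0"
ext_if="rl0"
# LAN hosts (the original comment here was garbled in this copy).
admin_comp="192.168.112.6"
sergaeva_comp="192.168.112.22"
sveta_comp="192.168.112.9"
lena_comp="192.168.112.1"
yurist_comp="192.168.112.4"
ira_comp="192.168.112.3"
zluka_comp="192.168.112.5"
test_comp="192.168.112.23"
sklad_comp="192.168.112.15"
marina_comp="192.168.112.25"
sheff_comp="192.168.112.55"
server_comp="192.168.112.254"
most_comp="192.168.1.200"
serv_port="3389"
icmp_types="echoreq"
# Hosts allowed out through NAT and the transparent proxy.  Deliberately
# not every host above: ira, sklad and most are absent from the table
# (the original comment here was garbled in this copy).
table <allowed> const { $admin_comp, $server_comp, $sergaeva_comp, $yurist_comp, $marina_comp, $lena_comp, $zluka_comp, $test_comp, $sveta_comp, $sheff_comp }
# Policy for blocked packets.  The original file had "set block-policy drop"
# followed two lines later by "set block-policy return"; only the last
# "set" takes effect, so the dead "drop" line has been removed and the
# effective setting is kept.  Note that "return" answers blocked packets
# with TCP RST / ICMP unreachable, which also confirms the host's presence
# to outside probes; "drop" is the quieter choice on an uplink interface.
set block-policy return
# Loopback is never filtered.
set skip on {lo0}
set loginterface $ext_if
# Normalisation: clear DF inbound; randomise IP IDs and clamp MSS outbound
# (1360 suggests a tunnel/PPPoE MTU on the uplink — confirm against the link).
scrub in all no-df
scrub out all random-id max-mss 1360
# Outbound NAT for <allowed>.  "pass" makes translated packets skip the
# filter rules entirely; "log (all)" logs every packet, not only the first
# of a connection.  Only TCP is translated: UDP/ICMP from <allowed> that is
# passed further down leaves with an untranslated private source address.
nat pass log (all) on $ext_if inet proto tcp from <allowed> to any -> ($ext_if)
# Inbound redirections from the uplink.
rdr on $ext_if inet proto tcp to $ext_if port $serv_port -> $server_comp port $serv_port
# NOTE(review): these four rdr rules have no matching "pass in on $ext_if"
# rule below, and rdr without "pass" does not bypass "block all", so the
# redirected connections are blocked.  Either they are intentionally
# disabled (then comment them out) or pass rules are missing — confirm.
rdr on $ext_if inet proto tcp to $ext_if port 5555 -> $sergaeva_comp port 5555
rdr on $ext_if inet proto tcp to $ext_if port 5556 -> $marina_comp port 5556
rdr on $ext_if inet proto tcp to $ext_if port 5557 -> $lena_comp port 5557
rdr on $ext_if inet proto tcp to $ext_if port 5558 -> $ira_comp port 5558
# Transparent proxy: web traffic from <allowed> goes to the local proxy.
rdr inet proto tcp from <allowed> to any port www -> 192.168.112.251 port 3128
# Default deny; everything below is an explicit exception.
block all
pass out on { $ext_if $int_if } proto { tcp udp icmp } all modulate state
# The proxy host fetches web pages on behalf of <allowed>.
pass out quick on $ext_if inet proto tcp from 192.168.112.251 to any port www keep state
# NOTE(review): with pre-4.7 translation order the rdr above rewrites the
# destination to $server_comp before this rule is evaluated, so a rule that
# matches "to ($ext_if)" is not expected to match the forwarded RDP
# connections; the usual form is "to $server_comp port $serv_port".
# Left as-is pending confirmation on the running system.
pass in on $ext_if proto tcp from any to ($ext_if) port $serv_port flags S/SA keep state
# SSH is reachable from the uplink (source unrestricted) and from the LAN.
pass in on $ext_if proto tcp from any to ($ext_if) port ssh flags S/SA keep state
pass in quick on $int_if proto tcp from any to $int_if port ssh flags S/SA keep state
# DNS: the LAN may query the resolver on this host only.
pass in on $int_if inet proto udp from $int_if:network to $int_if port 53 keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in quick on $int_if inet proto {tcp udp icmp} from <allowed> to any keep state
pass out on $int_if from any to $int_if:network keep state
# SNMP (udp/161).  The original pair of rules was "pass in quick ... from any
# to any port 161" on every interface and a stateless "pass out" for the
# replies, which left the agent reachable from the uplink.  Polling is now
# accepted only on the LAN interface from the LAN network; with "keep state"
# the reply path is covered and the separate pass-out rule is unnecessary.
pass in quick on $int_if inet proto udp from $int_if:network to any port 161 keep state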