Pf

PF

Commands

  • Reload

    pfctl -F all -f /usr/local/etc/pf.conf

    WARNING: `-F all` flushes the state table as well as the rules, so every established session (including the current ssh connection) is dropped. To reload the ruleset without losing states, use `pfctl -f /usr/local/etc/pf.conf` instead; use `pfctl -nf /usr/local/etc/pf.conf` first to syntax-check the file.

Example

#       $FreeBSD: releng/11.1/share/examples/pf/pf.conf 293862 2016-01-14 01:32:17Z kevlo $
#       $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $
#
# See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
# Remember to set gateway_enable="YES" and/or ipv6_gateway_enable="YES"
# in /etc/rc.conf if packets are to be forwarded between interfaces.

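ext_if="vmx0"
lo_if="lo0"
jail_if="bridge0"
jail_net=$jail_if:network

# Jail IPs
minecraft_ip="10.0.0.3"
plex_ip="10.0.0.5"
samba_ip="10.0.0.6"
nginx_proxy_ip="10.0.0.9"
mariadb_ip="10.0.0.15"
home_ip="10.0.0.16"
postfix_ip="10.0.0.7"

# The only external host allowed to relay mail through the postfix jail.
fedpod_ip="192.168.1.24"

# Services the host itself may initiate on $ext_if.
# NOTE: there is no "block out" rule in this file, so this list is NOT an
# egress whitelist -- pf passes anything not matched by a block rule, so
# outbound traffic to other ports still leaves.  To enforce egress
# filtering add "block out log on $ext_if" after "block in log all", after
# checking what the NATed jails need (e.g. postfix needs smtp out).
tcp_services = "{ ssh, domain, http, https, ftp, ftp-data, ntp }"
udp_services = "{ domain, ntp }"

minecraft_services = "25565"
plex_tcp_services = "32400"
mariadb_tcp_services = "mysql"
nginx_proxy_tcp_services = "{ http, https, 8123 }"
samba_tcp_services = "microsoft-ds"
home_tcp_services = "1883"

plex_dlna_udp_services = "1900"
plex_dlna_tcp_services = "32469"

# Sources that tripped the ssh rate limit (see the last rule).  Entries are
# not aged out automatically; clear them with "pfctl -t bruteforce -T flush"
# or periodically with "pfctl -t bruteforce -T expire 86400".
table <bruteforce> persist

# Options
set loginterface $ext_if

# Loopback and the jail bridge are not filtered at all.  Consequence: traffic
# between jails and between jails and the host on bridge0 is unrestricted.
# If the jails must be isolated from each other, remove the skip on $jail_if
# and write explicit rules for it.
set skip on $lo_if
set skip on $jail_if
scrub in all fragment reassemble

# -> ($ext_if) if ip on interface is dynamic
nat on $ext_if from $jail_net to any -> ($ext_if)

# "rdr pass" passes the redirected packets immediately without evaluating the
# filter rules below, so "block in log all" never sees them: each of these
# lines is an Internet-facing opening into a jail.
rdr pass on $ext_if proto { tcp, udp } from any to ($ext_if) port $minecraft_services -> $minecraft_ip
rdr pass on $ext_if proto tcp from any to ($ext_if) port $plex_tcp_services -> $plex_ip
# SECURITY: MySQL (3306) is reachable from the whole Internet.  Unless that is
# intended, restrict the source the way the smtp rule below does ("from
# $fedpod_ip", or a table of client addresses), or drop this rdr and let the
# other jails reach the database over $jail_if only.
rdr pass on $ext_if proto tcp from any to ($ext_if) port $mariadb_tcp_services -> $mariadb_ip
rdr pass on $ext_if proto tcp from any to ($ext_if) port $nginx_proxy_tcp_services -> $nginx_proxy_ip
# SECURITY: SMB (445) is reachable from the whole Internet; same remedy as for
# MySQL above.
rdr pass on $ext_if proto tcp from any to ($ext_if) port $samba_tcp_services -> $samba_ip
# MQTT (1883) with no source restriction; confirm the broker requires
# authentication before leaving this open.
rdr pass on $ext_if proto tcp from any to ($ext_if) port $home_tcp_services -> $home_ip
# Mail relay only from the single trusted host.
rdr pass on $ext_if proto tcp from $fedpod_ip to ($ext_if) port smtp -> $postfix_ip

# Default deny inbound; blocked packets are logged to pflog0.
block in log all

# Drop packets claiming a source address that belongs to $ext_if but arriving
# on another interface, and packets arriving with $ext_if's own address.
antispoof log quick for $ext_if

# Drop everything from hosts that exceeded the ssh rate limit.
block in log quick on $ext_if from <bruteforce>

# All ICMP in both directions.  Tighten with "icmp-type { echoreq, unreach }"
# if only ping and path-MTU/unreachable feedback are wanted.
pass inet proto icmp from any to any

pass out on $ext_if proto tcp to any port $tcp_services keep state
pass out on $ext_if proto udp to any port $udp_services keep state

# ssh from anywhere, rate limited per source: at most 10 concurrent
# connections and 5 new connections per 30 s.  A source that exceeds either
# limit is added to <bruteforce> and its existing states are flushed.
pass in on $ext_if proto tcp to ($ext_if) port ssh keep state \
        (max-src-conn 10, max-src-conn-rate 5/30, overload <bruteforce> flush global)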