tech-kern archive


Re: Removing PF



	Hello.  I can explain this feature.  I use it in two ways.

	I use a number of public IP addresses from one ISP, whose service is
delivered through a VPN via another ISP.  Except for the traffic destined
for the far end of the VPN itself, I want all traffic to get routed through
the VPN and for any state information to be tracked through the VPN.  Below
is an example configuration.
The second way I use this is to do essentially the same thing, but to also
explicitly set the destination address on the packets destined for the far
end of the firewall itself.


Let me know if I can explain this more clearly.

-thanks
-Brian


First example:

#	$NetBSD: pf.conf,v 1.3 2005/03/15 16:05:03 peter Exp $
#	$OpenBSD: pf.conf,v 1.28 2004/04/29 21:03:09 frantzen Exp $
#
# See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

ext_if="vlan20"
int_if="wm0"
vpn_if="tun0"

#set options here
set block-policy drop
set skip on $vpn_if
set skip on lo0

scrub in all

#internal filtering rules
pass in quick on $int_if from $int_if:network to $int_if:network
pass in quick on $int_if from $int_if:network to 10.157.0.0/16
pass in quick on $int_if from $int_if:network to 172.209.0.0/18
pass in quick on $int_if from $int_if:network to 10.0.0.0/8
#Pass internal network traffic through the VPN to expose it to the Internet
pass in quick on $int_if route-to $vpn_if from $int_if:network to any keep state
pass out quick on $int_if from $int_if:network to $int_if:network
pass out quick on $int_if from 10.157.0.0/16 to $int_if:network
pass out quick on $int_if from 172.209.0.0/18 to $int_if:network
pass out quick on $int_if from 10.0.0.0/8 to $int_if:network
# The next two lines are the traffic we let into the network unsolicited.
pass out quick on $int_if reply-to $vpn_if inet proto udp to 10.157.230.0/24 port 1723 keep state
pass out quick on $int_if reply-to $vpn_if inet proto tcp to 10.157.230.11 port { 22, 25, 53, 80, 110, 143, 443, 587, 993, 995 } keep state
block out quick on $int_if reply-to $vpn_if inet proto udp to $int_if:network port { 19, 111, 137, 161, 5060 }
block out quick on $int_if from any to any

#Let all pass through the VPN tunnel interface
pass in quick on $vpn_if from any to any
pass out quick on $vpn_if from any to any

#external filtering rules
pass out quick on $ext_if from ($ext_if) to any keep state
pass in quick on $ext_if inet proto icmp from any to ($ext_if) icmp-type echoreq keep state

block all

Second example:

# Allow the back office to keep using old addresses (06/26/2017)
pass in quick on $dmz_if from $dmz_if:network to $dmz_if:network no state
pass in quick on $dmz_if from $dmz_if:network to $private_if:network no state
#Pass internal network traffic through the VPN to expose it to the Internet
pass in quick on $dmz_if route-to { ($vpn_if 10.157.9.105) } from $dmz_if:network to any keep state
pass out quick on $dmz_if from $dmz_if:network to $dmz_if:network no state
pass out quick on $dmz_if from $private_if:network to $dmz_if:network no state
# The next line lets unsolicited inbound traffic come into the network.
pass out quick on $dmz_if reply-to { ($vpn_if 10.157.9.105) } from any to $dmz_if:network keep state
block out quick on $dmz_if from any to any no state
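A small lint for the pattern Brian describes, added here as an example (it is not part of his message or of pf). It parses a pf.conf text, expands the $macros, and reports two things worth checking before loading such a ruleset: route-to/reply-to rules marked "no state" (the whole point of the setup is that state is tracked through the VPN, so a stateless policy route breaks the reply path), and route-to/reply-to target interfaces that are neither in "set skip on" nor have rules of their own, where policy-routed packets would be filtered a second time and hit the trailing "block all". The embedded configuration is the first example from the message; the bad rule in the usage note is constructed.

```python
"""Lint a pf.conf for route-to / reply-to rules that would not track state
through the VPN interface.  Added example, not code from the message."""
import re
from dataclasses import dataclass, field

MACRO_RE = re.compile(r'^(\w+)\s*=\s*"([^"]*)"\s*$')
# route-to/reply-to target: a { list }, an (iface addr) pair, or a bare name
POLICY_RE = re.compile(r'\b(route-to|reply-to)\s+(\{[^}]*\}|\([^)]*\)|\S+)')
PAREN_IFACE_RE = re.compile(r'\(\s*(\S+)')

# First example from the message, embedded as sample input.
EXAMPLE_CONF = """
ext_if="vlan20"
int_if="wm0"
vpn_if="tun0"
set block-policy drop
set skip on $vpn_if
set skip on lo0
scrub in all
pass in quick on $int_if from $int_if:network to $int_if:network
pass in quick on $int_if from $int_if:network to 10.157.0.0/16
pass in quick on $int_if from $int_if:network to 172.209.0.0/18
pass in quick on $int_if from $int_if:network to 10.0.0.0/8
pass in quick on $int_if route-to $vpn_if from $int_if:network to any keep state
pass out quick on $int_if from $int_if:network to $int_if:network
pass out quick on $int_if from 10.157.0.0/16 to $int_if:network
pass out quick on $int_if from 172.209.0.0/18 to $int_if:network
pass out quick on $int_if from 10.0.0.0/8 to $int_if:network
pass out quick on $int_if reply-to $vpn_if inet proto udp to 10.157.230.0/24 port 1723 keep state
pass out quick on $int_if reply-to $vpn_if inet proto tcp to 10.157.230.11 port { 22, 25, 53, 80, 110, 143, 443, 587, 993, 995 } keep state
block out quick on $int_if reply-to $vpn_if inet proto udp to $int_if:network port { 19, 111, 137, 161, 5060 }
block out quick on $int_if from any to any
pass in quick on $vpn_if from any to any
pass out quick on $vpn_if from any to any
pass out quick on $ext_if from ($ext_if) to any keep state
pass in quick on $ext_if inet proto icmp from any to ($ext_if) icmp-type echoreq keep state
block all
"""


@dataclass
class PfConfig:
    macros: dict = field(default_factory=dict)
    skip: set = field(default_factory=set)
    rules: list = field(default_factory=list)


def expand_macros(line, macros):
    """Replace $name with its macro value; unknown macros are left untouched."""
    return re.sub(r'\$(\w+)', lambda m: macros.get(m.group(1), m.group(0)), line)


def parse_pf_conf(text):
    cfg = PfConfig()
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()          # drop comments and whitespace
        if not line:
            continue
        m = MACRO_RE.match(line)
        if m:
            cfg.macros[m.group(1)] = m.group(2)
            continue
        line = expand_macros(line, cfg.macros)
        if line.startswith('set skip on '):
            cfg.skip.update(line[len('set skip on '):].strip('{} ').replace(',', ' ').split())
        elif line.startswith(('pass ', 'block ', 'match ')):
            cfg.rules.append(line)
    return cfg


def policy_targets(rule):
    """Return [(keyword, [interfaces])] for every route-to/reply-to in a rule."""
    found = []
    for m in POLICY_RE.finditer(rule):
        target = m.group(2)
        if target.startswith('{'):
            ifaces = PAREN_IFACE_RE.findall(target) or \
                [t.strip(',') for t in target.strip('{} ').split()]
        elif target.startswith('('):
            ifaces = [target.strip('() ').split()[0]]
        else:
            ifaces = [target]
        found.append((m.group(1), ifaces))
    return found


def lint(cfg):
    """Findings as strings; an empty list means the policy routes look consistent."""
    findings = []
    for rule in cfg.rules:
        for keyword, ifaces in policy_targets(rule):
            if 'no state' in rule:
                findings.append(f'{keyword} without state: {rule}')
            for iface in ifaces:
                has_own_rules = any(re.search(rf'\bon {re.escape(iface)}\b', r) for r in cfg.rules)
                if iface not in cfg.skip and not has_own_rules:
                    findings.append(f'{keyword} via {iface}, neither skipped nor filtered: {rule}')
    return findings


if __name__ == '__main__':
    cfg = parse_pf_conf(EXAMPLE_CONF)
    for rule in cfg.rules:
        for keyword, ifaces in policy_targets(rule):
            print(f'{keyword:9} -> {",".join(ifaces)}: {rule}')
    print('findings:', lint(cfg) or 'none')
```

Against the first example the lint is clean: every route-to/reply-to points at tun0, which is both skipped and has its own pass rules. Appending a constructed rule such as "pass in quick on $int_if route-to tun1 from $int_if:network to any no state" produces two findings, one for the missing state and one because nothing on tun1 would let the packets through. The second example's reply-to with an "(interface address)" pair parses to the same interface name, so the same check applies to it.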
