Subject: Re: PF and TCP Window Scaling in NetBSD 3.0
To: None <tech-net@netbsd.org>
From: Joerg Roedel <joro-bsd@zlug.org>
List: tech-net
Date: 07/11/2006 14:56:25
On Tue, Jul 11, 2006 at 01:39:30PM +0100, Rui Paulo wrote:

Hi,

> Can you show us your filtering rules?

Sure, here are the complete rules (NAT and filter):

------------------------------<snip>------------------
set optimization conservative

ext_if="{ ne2, gif0, tap0 }"
int_if="{ tlp0, lo0 }"
private_nets="{ 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12 }"
mynet="192.168.1.0/24"

# nat
nat on ne2 inet from ! ne2 to any -> ne2
nat on tap0 inet from ! tap0 to any -> tap0

# packet filter
block return in
antispoof for $ext_if
block drop in on ne2 from any to $private_nets
block drop in on $ext_if from any to $mynet
pass out keep state
pass inet proto icmp all keep state
pass inet6 proto icmp6 all keep state
pass in on $int_if
pass in proto tcp from any to any port 22 keep state
------------------------------<snap>------------------
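As an added illustration (not part of the thread and not the poster's code), the checker below scans the filter rules quoted above and reports which `pass` rules can carry TCP without creating state, and which create state without `flags S/SA`. It assumes the pf behaviour that the window-scale factor is learned only from the SYN that creates the state entry, so a connection whose state is created mid-stream, or that is passed statelessly, may later be dropped once scaled windows are in use; the rule text and the classification heuristics are my own.

```python
"""Added example: find pf 'pass' rules that may interfere with TCP window
scaling. Assumption (mine): pf learns the window-scale factor only from the
SYN that creates a state, so stateless TCP rules and stateful rules lacking
'flags S/SA' (state created on a non-SYN packet) are worth a second look."""
import re

# Filter rules quoted in the reply above (NAT lines omitted; constructed copy).
PF_RULES = """\
block return in
antispoof for $ext_if
block drop in on ne2 from any to $private_nets
block drop in on $ext_if from any to $mynet
pass out keep state
pass inet proto icmp all keep state
pass inet6 proto icmp6 all keep state
pass in on $int_if
pass in proto tcp from any to any port 22 keep state
"""

STATE_KEYWORDS = ("keep state", "modulate state", "synproxy state")


def parse_rule(line):
    """Return the fields of one pf rule that the check needs."""
    m = re.search(r"\bproto\s+(\S+)", line)
    return {
        "text": line,
        "action": line.split()[0],
        "proto": m.group(1) if m else None,   # None means any protocol
        "keeps_state": any(k in line for k in STATE_KEYWORDS),
        "syn_only": bool(re.search(r"\bflags\s+S/SA\b", line)),
    }


def check_window_scaling(rules_text):
    """Return (stateless_tcp_rules, stateful_rules_without_flags_S_SA)."""
    stateless, no_syn_flags = [], []
    for line in rules_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments/blank lines
        if not line.startswith("pass"):
            continue
        r = parse_rule(line)
        if r["proto"] in ("icmp", "icmp6", "udp"):  # cannot carry TCP
            continue
        if not r["keeps_state"]:
            stateless.append(r["text"])
        elif not r["syn_only"]:
            no_syn_flags.append(r["text"])
    return stateless, no_syn_flags


if __name__ == "__main__":
    stateless, no_syn = check_window_scaling(PF_RULES)
    print("stateless pass rules that can carry TCP:", *stateless, sep="\n  ")
    print("stateful rules without flags S/SA:", *no_syn, sep="\n  ")
```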