
    /etc/pf.conf
    #pfctl -e -F all -f /etc/pf.conf   # enable pf, flush all rules/states, then load this file

    #pfctl -f /etc/pf.conf    # load the complete ruleset from pf.conf
    #pfctl -nf /etc/pf.conf   # parse only, do not load (syntax check before a real reload)
    #pfctl -Nf /etc/pf.conf   # load only the NAT/rdr rules
    #pfctl -Rf /etc/pf.conf   # load only the filter rules

    #pfctl -sn   # show the loaded NAT/rdr rules
    #pfctl -sr   # show the loaded filter rules
    #pfctl -ss   # show the state table
    #pfctl -si   # show filter statistics and counters
    #pfctl -sa   # show everything

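    # ------------------------------------------------------------------
    # pf ruleset (pre-OpenBSD-4.7 / FreeBSD "nat on" / "rdr on" syntax)
    #
    # Three pf facts this file depends on (pf.conf(5)):
    #   * the LAST matching filter rule wins, unless a rule carries "quick";
    #   * nat/rdr translation runs before filtering, so filter rules see the
    #     post-rdr destination address;
    #   * "rdr pass" skips filtering entirely for the redirected connection.
    # The original version of this file had its "block in all" commented out
    # AND ended with "pass in all": as the last matching rule that line
    # silently overrode every non-quick rule above it, so the firewall was
    # pass-all on every interface.  The uplinks are now default-deny inbound.
    # ------------------------------------------------------------------

    # Interfaces
    ext_if = "vlan1820"     # Internet uplink (NAT outside address)
    int_if = "vlan1900"     # trusted internal LAN
    edu_if = "vlan1810"     # second uplink (education network)
    zhigao_if = "vlan1910"  # extra segment; only the worm-port blocks mention it

    # Loopback INTERFACE.  "on" takes an interface name, so the original value
    # 127.0.0.1 produced rules that never matched: pf accepts unknown interface
    # names (for interfaces that appear later) and simply never sees traffic on them.
    loop = "lo0"

    # Address macros
    intnet = "192.168.0.0/16"   # internal clients that are NATed out
    edunet = "10.0.0.0/8"       # education-network range (defined but not referenced)
    external_addr = "220.189.209.163"
    routerip = "220.189.209.161"

    # Source addresses that never legitimately arrive from the Internet side:
    # loopback, RFC 1918, link-local (RFC 3927), "this" network, limited broadcast.
    # (The original list had 127.0.0.1/8, i.e. host bits set; the network is 127.0.0.0/8.)
    priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 0.0.0.0/8, 255.255.255.255/32 }"

    tcp_services = "80"
    icmp_types = "echoreq"

    # Hosts reachable from the uplinks for remote administration (Radmin, TCP 4899).
    # NOTE(review): the matching pass rules use "from any", so Radmin is reachable
    # from the whole Internet; restrict the source to the administrators' addresses
    # once those are known, or move this behind SSH/VPN.
    InsideManagerIPs = "192.168.10.103"
    InsideManagerOpenPorts = "4899"
    radminServerIPs = "{ 192.168.0.3, 192.168.0.185, 192.168.0.253 }"

    # TCP ports abused by the Sasser/LSASS-era worms: SMB/RPC, MSSQL, Sasser's FTP
    # backdoor and remote shell.
    LSassVirusPort = "{ 445, 135, 139, 593, 1433, 5554, 9996, 9995 }"

    # Tables: similar to macros, but more flexible for many addresses.
    #table <foo> { 10.0.0.0/8, !10.1.0.0/16, 192.168.0.0/24, 192.168.1.18 }

    # ------------------------------------------------------------------
    # Options: must precede scrub/nat/filter (require-order is on by default).
    # Default values are given for the commented entries.
    # ------------------------------------------------------------------
    #set timeout { interval 10, frag 30 }
    #set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
    #set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
    #set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
    #set timeout { icmp.first 20, icmp.error 10 }
    #set timeout { other.first 60, other.single 30, other.multiple 60 }
    #set timeout { adaptive.start 0, adaptive.end 0 }
    #set limit { states 10000, frags 5000 }
    # "aggressive" expires idle states early (saves memory at the cost of dropping
    # idle connections); switch to "normal" if long-lived idle sessions are cut.
    set optimization aggressive
    #set optimization normal
    # collect packet/byte counters for the uplink (visible with pfctl -si)
    set loginterface $ext_if
    #set block-policy drop
    #set require-order yes
    #set fingerprints "/etc/pf.os"

    # Normalization: reassemble fragments and sanitize all incoming packets.
    scrub in all

    # Queueing: rule-based bandwidth control (disabled).
    #altq on $ext_if bandwidth 2Mb cbq queue { dflt, developers, marketing }
    #queue dflt bandwidth 5% cbq(default)
    #queue developers bandwidth 80%
    #queue marketing bandwidth 15%

    # ------------------------------------------------------------------
    # Translation
    # ------------------------------------------------------------------
    # nat: traffic from $intnet leaving through either uplink is translated to
    # that uplink's current address; a state is created and replies are mapped back.
    nat on $ext_if from $intnet to any -> ($ext_if)
    nat on $edu_if from $intnet to any -> ($edu_if)

    # rdr example from the stock pf.conf (kept for reference):
    #rdr on $ext_if proto tcp from any to $external_addr/32 port 1234 -> 10.1.1.1 port 5678
    # transparent proxying of LAN web traffic to a local squid (disabled):
    #rdr on $int_if inet proto tcp from 192.168.0.0/16 to any port www -> 127.0.0.1 port 3128

    # Published services on 192.168.0.3.  Plain "rdr" rather than "rdr pass":
    # with "rdr pass" the filter rules were never consulted, so the synproxy rule
    # for port 80 below could not take effect.  Filter rules see 192.168.0.3 as
    # the destination after translation.
    rdr on $ext_if proto tcp from any to $ext_if port www -> 192.168.0.3 port www
    rdr on $edu_if proto tcp from any to $edu_if port www -> 192.168.0.3 port www

    rdr on $ext_if proto tcp from any to $ext_if port ftp -> 192.168.0.3 port ftp
    rdr on $edu_if proto tcp from any to $edu_if port ftp -> 192.168.0.3 port ftp

    # Radmin on the web host via a non-standard outside port (4893 -> 4899);
    # after translation it is governed by the $radminServerIPs pass rule.
    rdr on $ext_if proto tcp from any to $ext_if port 4893 -> 192.168.0.3 port 4899

    # rdr outgoing FTP requests to the ftp-proxy (disabled)
    #rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021

    # spamd-setup puts addresses to be redirected into table <spamd> (disabled).
    #table <spamd> persist
    #no rdr on { lo0, lo1 } from any to any
    #rdr inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025

    # ------------------------------------------------------------------
    # Filtering
    # ------------------------------------------------------------------
    # Default policy on the two uplinks: drop and log everything inbound unless a
    # later rule passes it.  $int_if and lo0 are explicitly pass-all below.
    # NOTE(review): $zhigao_if stays on pf's implicit pass-all because nothing
    # here says what that segment carries -- TODO confirm and add it to the
    # default-deny (block in log on $zhigao_if all) once its required services are known.
    block in log on $ext_if all
    block in log on $edu_if all

    # Anti-spoofing: private/bogon sources never arrive legitimately from the Internet.
    block in quick on $ext_if inet from $priv_nets to any
    # Not applied to $edu_if: $edunet (10.0.0.0/8) may be a real peer network there.
    #block in log quick on $edu_if inet from $priv_nets to any

    # Worm ports, both directions, on every non-trusted interface (quick: wins
    # regardless of later pass rules).
    block quick on $ext_if inet proto tcp from any to any port $LSassVirusPort
    block quick on $edu_if inet proto tcp from any to any port $LSassVirusPort
    block quick on $zhigao_if inet proto tcp from any to any port $LSassVirusPort

    # Trusted internal LAN and loopback: unrestricted, stateless, quick.
    pass in quick on $int_if all
    pass out quick on $int_if all
    pass in quick on $loop all
    pass out quick on $loop all

    # Outbound through the uplinks: anything initiated from inside is allowed and
    # tracked, so replies get back in through the default-deny above (this also
    # covers non-TCP/UDP/ICMP protocols such as VPN traffic, which previously
    # relied on the pass-all default).
    pass out on $ext_if all keep state
    pass out on $edu_if all keep state
    # New TCP connections: match the SYN only and modulate the ISN.  Last match
    # wins, so these override the generic rule for SYN packets; non-SYN packets
    # without state still fall back to the generic keep-state rule above.
    pass out on $ext_if proto tcp all modulate state flags S/SA
    pass out on $edu_if proto tcp all modulate state flags S/SA

    # Inbound services on the uplinks -- everything else is dropped by the
    # block-in-log rules.  "flags S/SA" creates state from the SYN only.

    # SSH to the firewall itself.
    pass in on $ext_if proto tcp from any to $ext_if port 22 flags S/SA keep state
    pass in on $edu_if proto tcp from any to $edu_if port 22 flags S/SA keep state
    pass in on $int_if proto tcp from any to $int_if port 22 flags S/SA keep state

    # TCP 88 on the Internet uplink -- the page does not say which service this is;
    # TODO confirm it is still needed and drop the rule if not.
    pass in on $ext_if proto tcp from any to $ext_if port 88 flags S/SA keep state

    # Services bound on the firewall's own uplink addresses ($tcp_services = 80).
    pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
    pass in on $edu_if inet proto tcp from any to ($edu_if) port $tcp_services flags S/SA keep state

    # Web server 192.168.0.3 (reached through the rdr above): synproxy completes
    # the TCP handshake on the firewall before the backend sees the connection.
    pass in on $ext_if proto tcp from any to 192.168.0.3 port 80 flags S/SA synproxy state
    pass in on $edu_if proto tcp from any to 192.168.0.3 port 80 flags S/SA synproxy state

    # FTP control channel to 192.168.0.3 (reached through the rdr above).
    # NOTE(review): FTP carries credentials in clear text, and passive-mode data
    # connections are not redirected by a port-21 rdr; use the ftp-proxy rdr above
    # or replace FTP with SFTP over the existing SSH rules.
    pass in on $ext_if proto tcp from any to 192.168.0.3 port ftp flags S/SA keep state
    pass in on $edu_if proto tcp from any to 192.168.0.3 port ftp flags S/SA keep state

    # Remote administration (Radmin 4899) -- see the NOTE next to the macros.
    pass in on $ext_if inet proto tcp from any to $radminServerIPs port 4899 flags S/SA keep state
    pass in on $edu_if inet proto tcp from any to $radminServerIPs port 4899 flags S/SA keep state
    pass in on $ext_if inet proto tcp from any to $InsideManagerIPs port $InsideManagerOpenPorts flags S/SA keep state
    pass in on $edu_if inet proto tcp from any to $InsideManagerIPs port $InsideManagerOpenPorts flags S/SA keep state

    # ICMP echo requests may reach the firewall on any interface; outgoing pings
    # are covered by the stateful pass-out rules.
    pass in inet proto icmp all icmp-type $icmp_types keep state

    # DNS queries arriving on the Internet uplink -- presumably a resolver or
    # authoritative server listens here; TODO confirm, drop the rule if not.
    pass in on $ext_if proto udp from any to any port = domain keep state

    # Internal-side rules.  $int_if and lo0 are already "pass quick all" above,
    # so these never match today; they are kept because they document the
    # services the LAN expects (squid on 3128, ftp-proxy on 8021, DNS) and become
    # effective if the internal interface is ever tightened.
    pass in on $int_if inet proto tcp from any to 192.168.0.2 port 3128 keep state
    pass in on $int_if inet proto tcp from any to $routerip port 3128 keep state
    pass in on $int_if proto tcp from any to 127.0.0.1 port 8021 keep state
    pass in on $int_if proto tcp from any to $int_if port 8021 keep state
    pass in on $int_if proto udp from any to any port = domain keep state
    pass out on $int_if proto udp from any to any port = domain keep state
    pass in on $loop proto udp from any to any port = domain keep state
    pass out on $loop proto udp from any to any port = domain keep state
    pass in on $int_if from $intnet to any keep state
    pass out on $int_if from any to $intnet keep state

    # pass incoming packets destined to the addresses given in table <foo>.
    #pass in on $ext_if proto { tcp, udp } from any to <foo> port 80 keep state
    # pass incoming ports for ftp-proxy
    #pass in on $ext_if inet proto tcp from any to $ext_if user proxy keep state
    # assign packets to a queue.
    #pass out on $ext_if from 192.168.0.0/24 to any keep state queue developers
    #pass out on $ext_if from 192.168.1.0/24 to any keep state queue marketing

    # ------------------------------------------------------------------
    # Disabled application blocklists (games, IM, ad servers) from the original
    # file.  Kept verbatim for reference; all lines are commented out.  Note that
    # hostnames in these lists (e.g. cns.3721.net) are resolved once, at ruleset
    # load time, so they go stale as soon as the DNS records change.
    # ------------------------------------------------------------------
    #gameClientPorts = "{4002, 2000, 3838, 4410, 4210, 4230, 5005, 4290, 10010 }"
    #GameDenyClients ="{192.168.1.0/24, 192.168.0.0/24, 192.168.20.0/24, 192.168.21.0/24}"
    #GameServerIps = "{204.251.15.167, 61.152.93.145}"
    #block quick on $int_if inet proto tcp from $GameDenyClients to any port $gameClientPorts
    #block quick on $ext_if from $GameServerIps to $GameDenyClients
    #block quick on $int_if from $GameDenyClients to $GameServerIps

    #LSassVirusIp ="{192.168.0.165}"
    #block quick on $int_if from $LSassVirusIp to any

    #SoftRegistry = "{66.40.33.130, 218.242.90.0/24, 61.228.35.0/24, 61.175.171.12}"
    #block quick on $ext_if from $SoftRegistry to any
    #block quick on $int_if from any to $SoftRegistry

    #AdServers3721 = "{60.191.5.128/27, 218.244.45.0/24, 218.244.44.0/24, 219.235.39.0/24, 202.43.217.107, \
    #202.43.217.108, 61.135.128.211, 61.135.128.212, cns.3721.net, cns.3721.com }"
    #block quick on $ext_if from $AdServers3721 to any
    #block quick on $int_if from any to $AdServers3721

    #kuroIPs ="{61.135.156.198/24}"
    #block quick on $ext_if from $kuroIPs to $GameDenyClients
    #block quick on $int_if from $GameDenyClients to $kuroIPs

    #SinaAdsIPs = "{ad2.sina.com.cn, ad3.sina.com.cn, ad4.sina.com.cn, 101.adsina.allyes.com}"
    #block quick on $ext_if from $SinaAdsIPs to any
    #block quick on $int_if from any to $SinaAdsIPs

    #NeteasePopoIPs="{202.108.42.183, 202.108.42.170, 202.108.42.173, 202.108.42.175, 202.108.42.174}"
    #PopoDenyClients="{192.168.3.0/24, 192.168.4.0/24, 192.168.6.0/24, 192.168.7.0/24}"
    #block quick on $ext_if from $NeteasePopoIPs to $PopoDenyClients
    #block quick on $int_if from $PopoDenyClients to $NeteasePopoIPs

    #NeteasePaopaotangIPs="{61.172.247.86, 61.172.249.243, 218.80.109.159, 61.147.251.58, 61.187.207.245, \
    #61.242.158.167, 61.152.97.147, 61.172.254.142, 61.172.249.242, 210.51.29.24/24, 211.152.178.73, \
    #218.6.246.68, 218.77.10.135, 218.64.68.51, 218.65.0.218, 221.12.10.42}"
    #block quick on $ext_if from $NeteasePaopaotangIPs to $GameDenyClients
    #block quick on $int_if from $GameDenyClients to $NeteasePaopaotangIPs

    #jlonline="{61.177.56.251, 61.132.74.81, 61.132.74.244, 61.152.93.145}"
    #block quick on $ext_if from $jlonline to $GameDenyClients
    #block quick on $int_if from $GameDenyClients to $jlonline

    #ourgame="{202.108.36.77, 218.30.70.76, 61.151.253.182, 218.25.253.163, 61.183.254.69}"
    #block quick on $ext_if from $ourgame to $GameDenyClients
    #block quick on $int_if from $GameDenyClients to $ourgame

    #mu="{210.51.27.121/24, 61.129.93.100, 61.129.93.101, 61.129.93.102, 61.129.93.103, \
    #61.129.93.104, 61.129.93.105, 61.129.93.106, 61.129.93.107, 61.129.93.108, 61.129.93.109, 61.129.93.110}"
    #block quick on $ext_if from $mu to 192.168.0.0/20
    #block quick on $int_if from 192.168.0.0/20 to $mu

    #XIPs="{67.19.37.168, 67.19.37.168}"
    #block quick on $ext_if from $XIPs to 192.168.0.0/20
    #block quick on $int_if from 192.168.0.0/20 to $XIPs

    #chinagames = "{61.128.193.113, 61.132.112.196, 61.132.118.35, 61.134.4.243, 61.136.63.65, 61.136.63.66, \
    #61.136.63.68, 61.136.63.71, 61.138.15.105, 61.138.15.112, 61.138.15.114, 61.139.76.86, \
    #61.139.77.110, 61.144.56.30, 61.144.56.34, 61.144.56.7, 61.153.17.8, 61.153.19.101, \
    #61.153.19.102, 61.153.19.120, 61.153.198.198, 61.153.198.199, 61.153.198.200, 61.153.24.134, \
    #61.153.253.28, 61.153.3.114, 61.153.3.12, 61.153.3.124, 61.153.3.125, 61.153.3.20, \
    #61.153.3.218, 61.153.3.89, 61.153.37.199, 61.153.37.222, 61.153.52.183, 61.153.52.184, \
    #61.153.52.185, 61.153.8.188, 61.153.8.50, 61.153.8.51, 61.153.8.53, 61.153.8.54, 61.153.8.55, \
    #61.153.8.56, 61.153.85.19, 61.156.12.28, 61.156.17.115, 61.158.97.35, 61.159.229.21, \
    #61.166.155.166, 61.180.119.10, 61.241.130.59, 61.241.130.60, 61.243.222.25, 61.243.222.26, \
    #61.243.222.27, 61.243.222.28, 61.243.232.20, 202.100.218.15, 202.101.10.119, 202.101.165.0/24, \
    #202.101.165.166, 202.101.165.233, 202.101.165.234, 202.101.165.235, 202.101.165.237, 202.101.165.54, \
    #202.101.165.55, 202.101.165.72, 202.102.197.5, 202.102.245.44, 202.102.29.210, 202.103.134.123, \
    #202.103.134.172, 202.103.25.84, 202.106.182.120, 202.106.182.123, 202.106.186.17, 202.107.225.55, \
    #202.107.225.56, 202.107.225.57, 202.107.234.34, 202.107.236.188, 202.107.236.190, 202.107.245.13, \
    #202.107.245.7, 202.108.255.10, 202.108.255.120, 202.108.255.71, 202.108.255.72, 202.108.36.100, \
    #202.108.36.102, 202.108.36.115, 202.108.36.116, 202.108.36.74, 202.108.36.76, 202.108.36.77, \
    #202.108.36.91, 202.108.36.95, 202.108.36.96, 202.108.36.97, 202.113.15.66, 202.96.108.19, \
    #202.96.112.57, 202.96.113.20, 202.96.114.245, 202.96.75.247, 202.97.174.244, 202.97.181.87, \
    #202.98.111.2, 202.98.228.144, 202.98.9.109, 202.99.160.120, 202.99.160.121, 202.99.160.36, \
    #202.99.160.57, 202.99.168.34, 202.99.171.162, 202.99.219.238, 209.10.17.133, 209.73.225.7, \
    #210.51.248.61, 210.52.2.149, 210.52.27.9, 210.52.77.60, 210.76.59.199, 210.78.159.151, \
    #210.78.159.200, 210.83.127.14, 210.83.130.32, 210.83.130.54, 210.83.130.71, 211.140.137.125, \
    #210.78.159.200, 210.83.127.14, 210.83.130.32, 210.83.130.54, 210.83.130.71, 211.140.137.125, \
    #211.144.9.17, 211.144.9.19, 211.144.9.22, 211.144.9.26, 211.144.9.30, 211.158.10.16, 211.163.117.30, \
    #211.167.148.203, 211.167.98.6, 211.90.184.52, 211.90.241.37, 211.90.241.38, 211.90.241.39, 211.90.241.40, \
    #211.91.13.51, 211.91.13.52, 211.91.135.67, 211.91.2.57, 211.91.255.130, 211.93.24.31, 211.93.64.2, \
    #211.93.64.3, 211.93.64.4, 211.93.64.5, 211.95.129.152, 211.98.149.118, 218.104.136.6, 218.104.136.6, \
    #218.104.45.2, 218.106.206.158, 218.106.241.247, 218.244.44.10, 218.244.46.2, 218.25.230.10, 218.27.190.91, \
    #218.27.4.52, 218.57.200.21, 218.66.101.14, 218.7.160.71, 218.75.79.0/24, 218.75.79.189, 218.75.79.190, \
    #218.95.255.174, 219.133.44.0/24, 219.133.45.0/24, 219.133.46.0/24, 219.133.47.0/24, 219.146.1.208, 220.184.25.54}"
    #block quick on $int_if from $GameDenyClients to $chinagames
    #block quick on $ext_if from $chinagames to $GameDenyClients

    #QQServerIPs = "{202.103.149.40, 202.103.190.61, 202.104.129.151, 202.104.129.242, 202.104.129.246, \
    #202.104.129.251, 202.104.129.252, 202.104.129.253, 202.104.129.254, 202.96.170.163, 202.96.170.164, \
    #202.96.170.165, 202.96.170.166, 202.96.170.175, 202.96.170.188, 211.157.38.38 , 218.17.209.23, \
    #218.17.209.42, 218.17.217.103, 218.17.217.106, 218.18.95.140, 218.18.95.153, 218.18.95.165, \
    #218.18.95.171, 218.18.95.209, 218.18.95.221, 219.133.40.15, 219.133.40.157, 219.133.40.177, \
    #219.133.40.189, 219.133.40.21, 219.133.40.216, 219.133.40.73, 219.133.40.89, 219.133.40.90, \
    #219.133.40.92, 219.133.40.95, 219.133.40.97, 219.133.45.15, 61.135.131.240, 61.141.194.200, \
    #61.141.194.203, 61.141.194.224, 61.141.194.227, 61.141.194.231, 61.144.238.137, 61.144.238.145, \
    #61.144.238.146, 61.144.238.149, 61.144.238.150, 61.144.238.151, 61.144.238.155, 61.144.238.156, \
    #61.172.249.135, 65.54.229.253, 219.133.40.0/24}"
    #QQDenyClients = "{192.168.20.0/24, 192.168.21.0/24}"
    #QQAllowClients = "{192.168.0.0/24, 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24}"
    #pass quick on $int_if from $QQAllowClients to $QQServerIPs
    #pass quick on $ext_if from $QQServerIPs to $QQAllowClients
    #block quick on $int_if from $QQDenyClients to $QQServerIPs
    #block quick on $ext_if from $QQServerIPs to $QQDenyClients

    # ($QQports is never defined; these lines would fail to load if uncommented as-is.)
    #pass quick on $int_if inet proto tcp from $QQAllowClients port $QQports to $QQServerIPs port 443
    #pass quick on $ext_if inet proto tcp from $QQServerIPs port 443 to $QQAllowClients port $QQports
    #block quick on $int_if inet proto tcp from $QQDenyClients port $QQports to $QQServerIPs port 443
    #block quick on $ext_if inet proto tcp from $QQServerIPs port 443 to $QQDenyClients port $QQports

    # No trailing "pass in all": as the last rule it would override every
    # non-quick rule above and reopen the uplinks.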