Technical data

3. Base conﬁguration

prot:tcp 22

prot:tcp 25

prot:udp 137-138

prot:tcp 139

prot:tcp 445

Every time you use the template vpn_friends rules will be created for all contained protocols

and ports. PF_FORWARD_x='tmpl:vpn_friends ACCEPT' will create theses FORWARD-rules:

prot:tcp 22 ACCEPT

prot:tcp 25 ACCEPT

53 ACCEPT

prot:udp 137-138 ACCEPT

prot:tcp 139 ACCEPT

prot:tcp 445 ACCEPT

3.10.4. Conﬁguration Of The Packet Filter

The packet ﬁlter is mainly conﬁgured by four array-variables:

• PF_INPUT_% conﬁgures the INPUT-chain,

• PF_FORWARD_% conﬁgures the FORWARD-chain,

• PF_OUTPUT_% conﬁgures the OUTPUT-chain,

• PF_PREROUTING_% conﬁgures the PREROUTING-chain and

• PF_POSTROUTING_% conﬁgures the POSTROUTING-chain.

For all chains following applies the setting of the protocol level in PF_LOG_LEVEL, which may

be set to one of these values: debug, info, notice, warning, err, crit, alert, emerg.

Then INPUT-Chain

The INPUT-chain deﬁnes who is allowed to access the router. If no rule of the INPUT-chain

matches, the default action handles the packet and the protocol variable decides wheter a

rejection will be written to the system-protocol or not.

The following restrictions apply to the parameters:

• Only ACCEPT, DROP and REJECT can be speciﬁed as actions.

• If using interface constraints only the receiving interface can be restricted.

PF_INPUT_POLICY This variable describes the default action to be taken if no other rule

applies. Possible values:

• ACCEPT (not recommended)

• REJECT

• DROP (not recommended)