Technical data

3. Base configuration
PF_FORWARD_POLICY='REJECT'
PF_FORWARD_ACCEPT_DEF='yes'
PF_FORWARD_LOG='no'
PF_FORWARD_N='2'
PF_FORWARD_1='if:any:pppoe tmpl:samba DROP'
PF_FORWARD_2='192.168.6.0/23 ACCEPT'
PF_POSTROUTING_N='1'
PF_POSTROUTING_1='if:any:pppoe MASQUERADE'
Packets going out over the pppoe interface that are addressed to UDP ports 137-138 or to
TCP ports 139 and 445 are dropped (rule 1; the interface match and the samba port template
must both hold); all other packets from subnet 192.168.6.0/23 are forwarded (rule 2).
Route Network
Let's add a network 10.0.0.0/24 (i.e. a dial-in network) with which we want to communicate
without masquerading, but packets to UDP ports 137-138 and to TCP ports 139 and 445 should
still be dropped:
PF_FORWARD_POLICY='REJECT'
PF_FORWARD_ACCEPT_DEF='yes'
PF_FORWARD_LOG='no'
PF_FORWARD_N='4'
PF_FORWARD_1='IP_NET_1 IP_NET_2 ACCEPT BIDIRECTIONAL'
PF_FORWARD_2='tmpl:samba DROP'
PF_FORWARD_3='192.168.6.0/23 ACCEPT'
PF_FORWARD_4='10.0.0.0/24 ACCEPT'
PF_POSTROUTING_N='2'
PF_POSTROUTING_1='10.0.0.0/24 ACCEPT BIDIRECTIONAL'
PF_POSTROUTING_2='192.168.6.0/23 MASQUERADE'
Rule 1 allows unrestricted communication between the subnets IP_NET_1 and IP_NET_2.
Rule 2 drops packets to the samba ports.
Rules 3 and 4 allow forwarding of packets originating from the subnets 192.168.6.0/24,
192.168.7.0/24 and 10.0.0.0/24; the reverse direction is included by setting
PF_FORWARD_ACCEPT_DEF='yes'.
Rule 1 of the POSTROUTING chain ensures that packets to or from the subnet 10.0.0.0/24
are not masqueraded.
An alternative:
PF_POSTROUTING_N='1'
PF_POSTROUTING_1='if:any:pppoe MASQUERADE'
This rule enables masquerading only for packets going out over the pppoe interface.
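To make the first-match evaluation of both PF_FORWARD chains above concrete, here is an added Python simulation; it is not fli4l code and only reproduces the rule semantics the text describes. It assumes the samba template covers exactly UDP 137-138 and TCP 139/445, and uses assumed values for IP_NET_1 and IP_NET_2, which the page does not state.

```python
import ipaddress

# Port template as described in the text: samba = UDP 137-138, TCP 139 and 445
TEMPLATES = {"samba": {("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)}}
# Assumed values for the symbolic networks; the page does not state them
SYMBOLS = {"IP_NET_1": "192.168.6.0/24", "IP_NET_2": "192.168.7.0/24"}

def parse_rule(rule):
    """Split one PF_FORWARD_n value into its match criteria and verdict."""
    r = {"nets": [], "in_if": None, "out_if": None, "ports": None,
         "verdict": None, "bidir": False}
    for tok in rule.split():
        if tok.startswith("if:"):            # if:<in>:<out>, 'any' = unrestricted
            _, i, o = tok.split(":")
            r["in_if"], r["out_if"] = (None if i == "any" else i), (None if o == "any" else o)
        elif tok.startswith("tmpl:"):        # port template such as tmpl:samba
            r["ports"] = TEMPLATES[tok[5:]]
        elif tok in ("ACCEPT", "DROP", "REJECT"):
            r["verdict"] = tok
        elif tok == "BIDIRECTIONAL":
            r["bidir"] = True
        else:                                # source net, then optional destination net
            r["nets"].append(ipaddress.ip_network(SYMBOLS.get(tok, tok)))
    return r

def matches(r, pkt, reverse=False):
    """Every criterion of a rule must hold: nets AND interfaces AND template ports."""
    src, dst, in_if, out_if = pkt["src"], pkt["dst"], pkt["in_if"], pkt["out_if"]
    if reverse:                              # BIDIRECTIONAL: evaluate with endpoints swapped
        src, dst, in_if, out_if = dst, src, out_if, in_if
    nets, src_ip, dst_ip = r["nets"], ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if nets and (src_ip not in nets[0] or len(nets) > 1 and dst_ip not in nets[1]):
        return False
    if (r["in_if"] and r["in_if"] != in_if) or (r["out_if"] and r["out_if"] != out_if):
        return False
    return not r["ports"] or (pkt["proto"], pkt["dport"]) in r["ports"]

def forward_verdict(rules, policy, pkt):
    """Walk the chain in order: the first matching rule decides, else the chain policy."""
    for n, rule in enumerate(rules, 1):
        r = parse_rule(rule)
        if matches(r, pkt) or (r["bidir"] and matches(r, pkt, reverse=True)):
            return r["verdict"], n
    return policy, None

# The two PF_FORWARD chains from the page, in rule order
BASE = ["if:any:pppoe tmpl:samba DROP", "192.168.6.0/23 ACCEPT"]
ROUTED = ["IP_NET_1 IP_NET_2 ACCEPT BIDIRECTIONAL", "tmpl:samba DROP",
          "192.168.6.0/23 ACCEPT", "10.0.0.0/24 ACCEPT"]
```

Only the direction that opens a connection is simulated; the reply traffic admitted by PF_FORWARD_ACCEPT_DEF='yes' is not modelled.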