Technical data
3. Base configuration
Blacklists, Whitelists
Blacklists (a machine in this list is forbidden to do something) and Whitelists (a machine in
this list is allowed to do something) are defined in a very similar way. Rules are written so
that they are very specific at the beginning and become more general towards the end. With a
blacklist, the rules at the beginning forbid something and the rule at the end allows everything
not previously mentioned. With a Whitelist it is exactly the other way round.
Example 1: All machines in subnet 192.168.6.0/24 except number 12 are allowed to access the
Internet as long as they don't use the CIFS ports 137-138 (udp), 139 and 445 (tcp) to communicate:
PF_FORWARD_POLICY='REJECT'
PF_FORWARD_ACCEPT_DEF='yes'
PF_FORWARD_LOG='no'
PF_FORWARD_N='3'
PF_FORWARD_1='192.168.6.12 DROP'
PF_FORWARD_2='tmpl:samba DROP'
PF_FORWARD_3='192.168.6.0/24 ACCEPT'
PF_POSTROUTING_N='1'
PF_POSTROUTING_1='192.168.6.0/24 MASQUERADE'
Example 2: Only machine 12 has Internet access (with the exception of the ports mentioned
above...), all others are only allowed to communicate with another local subnet:
PF_FORWARD_POLICY='REJECT'
PF_FORWARD_ACCEPT_DEF='yes'
PF_FORWARD_LOG='no'
PF_FORWARD_N='3'
PF_FORWARD_1='192.168.6.0/24 192.168.7.0/24 ACCEPT BIDIRECTIONAL'
PF_FORWARD_2='tmpl:samba DROP'
PF_FORWARD_3='192.168.6.12 ACCEPT'
PF_POSTROUTING_N='1'
PF_POSTROUTING_1='if:any:pppoe MASQUERADE'
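To make the ordering rule concrete, here is an added example (not fli4l's own code) that parses the two PF_FORWARD rule sets above and decides packets the way the text describes: rules are tried in order, the first match wins, and PF_FORWARD_POLICY applies when nothing matches. It only models the syntax used in these examples (an optional source net, an optional destination net, a tmpl:<name> port template, the action, BIDIRECTIONAL); the contents of the samba template are an assumption taken from the CIFS ports named in the text, and the sample packets are constructed. The third rule set swaps rules 1 and 3 of the blacklist to show why the specific rule has to come first.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Constructed stand-in for fli4l's 'samba' template: the CIFS ports named in
# the text (137-138 udp, 139 and 445 tcp). The real template may differ.
TEMPLATES = {
    "samba": {("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)},
}
ACTIONS = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Rule:
    action: str
    src: Optional[ipaddress.IPv4Network] = None   # None = any source
    dst: Optional[ipaddress.IPv4Network] = None   # None = any destination
    ports: Optional[Set[Tuple[str, int]]] = None  # None = any proto/port
    bidirectional: bool = False

    def _one_way(self, src, dst, proto, dport):
        return ((self.src is None or src in self.src)
                and (self.dst is None or dst in self.dst)
                and (self.ports is None or (proto, dport) in self.ports))

    def matches(self, src, dst, proto, dport):
        # BIDIRECTIONAL also matches with source and destination swapped
        return (self._one_way(src, dst, proto, dport)
                or (self.bidirectional and self._one_way(dst, src, proto, dport)))


def parse_rule(text):
    """Parse one PF_FORWARD_<i> value: [src] [dst] [tmpl:name] ACTION [BIDIRECTIONAL]."""
    nets, ports, action, bidir = [], None, None, False
    for tok in text.split():
        if tok in ACTIONS:
            action = tok
        elif tok == "BIDIRECTIONAL":
            bidir = True
        elif tok.startswith("tmpl:"):
            ports = TEMPLATES[tok[len("tmpl:"):]]
        else:
            # a bare host address becomes a /32 network
            nets.append(ipaddress.ip_network(tok, strict=False))
    if action is None or len(nets) > 2:
        raise ValueError(f"unsupported rule: {text!r}")
    return Rule(action, nets[0] if nets else None,
                nets[1] if len(nets) == 2 else None, ports, bidir)


def parse_forward_config(config_text):
    """Return (policy, rules in order) from the PF_FORWARD_* lines of a config."""
    values = dict(re.findall(r"^\s*(PF_FORWARD_\w+)='([^']*)'", config_text, re.M))
    policy = values.get("PF_FORWARD_POLICY", "REJECT")
    count = int(values.get("PF_FORWARD_N", "0"))
    rules = []
    for i in range(1, count + 1):
        key = f"PF_FORWARD_{i}"
        if key not in values:  # catches a numbering slip such as N='1' with only _2 defined
            raise KeyError(f"PF_FORWARD_N={count} but {key} is not defined")
        rules.append(parse_rule(values[key]))
    return policy, rules


def decide(config_text, src, dst, proto, dport):
    """First matching rule decides; the chain policy applies when none matches."""
    policy, rules = parse_forward_config(config_text)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(s, d, proto, dport):
            return rule.action
    return policy


# The two rule sets from the text (blacklist, then whitelist); the LOG and
# ACCEPT_DEF variables are not modelled here and are left out.
BLACKLIST = """
PF_FORWARD_POLICY='REJECT'
PF_FORWARD_N='3'
PF_FORWARD_1='192.168.6.12 DROP'
PF_FORWARD_2='tmpl:samba DROP'
PF_FORWARD_3='192.168.6.0/24 ACCEPT'
"""
WHITELIST = """
PF_FORWARD_POLICY='REJECT'
PF_FORWARD_N='3'
PF_FORWARD_1='192.168.6.0/24 192.168.7.0/24 ACCEPT BIDIRECTIONAL'
PF_FORWARD_2='tmpl:samba DROP'
PF_FORWARD_3='192.168.6.12 ACCEPT'
"""
# Blacklist with rules 1 and 3 swapped: the broad ACCEPT now shadows the host DROP.
BLACKLIST_MISORDERED = (BLACKLIST
                        .replace("_1='192.168.6.12 DROP'", "_1='192.168.6.0/24 ACCEPT'")
                        .replace("_3='192.168.6.0/24 ACCEPT'", "_3='192.168.6.12 DROP'"))

if __name__ == "__main__":
    for name, cfg in [("blacklist", BLACKLIST), ("whitelist", WHITELIST),
                      ("misordered", BLACKLIST_MISORDERED)]:
        for pkt in [("192.168.6.12", "203.0.113.9", "tcp", 80),
                    ("192.168.6.20", "203.0.113.9", "tcp", 445),
                    ("192.168.6.20", "192.168.7.5", "tcp", 80)]:
            print(name, pkt, "->", decide(cfg, *pkt))
```

Running it shows machine 12 being dropped by the blacklist but accepted by the misordered copy, which is the whole point of putting the specific rule first. The parser also refuses a config whose PF_FORWARD_N does not match the numbered entries, the same kind of slip as a PF_POSTROUTING_N='1' paired with a PF_POSTROUTING_2 line: a rule that is not counted is silently never installed.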
3.10.6. Default Configurations
Simple Router Masking A Net Behind Itself
#
# Access to the router
#
PF_INPUT_POLICY='REJECT'
PF_INPUT_ACCEPT_DEF='yes'
PF_INPUT_LOG='no'
PF_INPUT_N='1'
PF_INPUT_1='IP_NET_1 ACCEPT' # all hosts of the local net are allowed
# to access the router
#
# Internet access
#