Annotated Example Pf.conf File
## Macros # The internal interface (connected to the local network). int_if="xl0" ## Options # Set the default policy to return RSTs or ICMPs for blocked traffic. set block-policy return # Ignore the loopback interface entirely. set skip on lo0 ## Translation rules # NAT traffic on the interface in the default egress interface group (to # which the interface out of which the default route goes is assigned) from the # local network. match out on egress from $int_if:network to any nat-to (egress) ## Filtering rules # Default deny rule, with all blocked packets logged. block log all # Pass all traffic to and from the local network, using quick so that later # rules are not evaluated if a packet matches this. Some rulesets would restrict # local traffic much further. pass quick on $int_if all # Permit all traffic going out, keep state so that replies are automatically passed; # many rulesets would have many rules here, restricting traffic in and out on the # external (egress) interface. (keep state is not needed in the newest version of pf) pass out keep stateRead more about this topic: PF (firewall)
Famous quotes containing the word file:
“I have been a soreheaded occupant of a file drawer labeled “Science Fiction” ... and I would like out, particularly since so many serious critics regularly mistake the drawer for a urinal.”
—Kurt Vonnegut, Jr. (b. 1922)