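# pf.conf -- three-legged firewall: LAN ($int_if), Internet ($ext_if), DMZ ($dmz_if).
# Policy is default deny; every pass rule below is "quick", so the first match wins.
#
# NOTE(review): the page this ruleset was taken from stripped every "<name>" token,
# so the table names and the table references after "to"/"from" were lost.  They are
# restored here as <fw> (the firewall's own addresses, i.e. "self") and <lan> (the
# firewall plus LAN and DMZ networks) -- rename them to whatever the original used.
# Commented-out rules are kept as documentation of the intended DMZ / ftp-proxy design.

# macros:
int_if="vic0"
ext_if="vic1"
dmz_if="vic2"
#mng_if="vic3"

int_net=$int_if:network
dmz_net=$dmz_if:network
#mng_net=$mng_if:network

#dmz_web_server="10.10.20.20"
#dmz_ftp_server="10.10.20.20"

# tables:
# <fw>  - every address of the firewall itself
# <lan> - everything "inside": the firewall, the LAN and the DMZ
table <fw> const { self }
table <lan> const { self, $int_net, $dmz_net }
#table <lan> const { self, $int_net, $dmz_net, $mng_net }

# don't filter on the loopback interface
set skip on lo

# scrub incoming packets (reassemble fragments, normalise TCP before the rules see it)
scrub in

# nat table begin:
#nat pass on $ext_if -> ($ext_if:0)
#nat-anchor "ftp-proxy/*"
#rdr-anchor "ftp-proxy/*"
# in --> out.ftp: hand LAN ftp sessions to the local ftp-proxy(8) on port 8021
#rdr pass on $int_if proto tcp to ! <lan> port ftp -> 127.0.0.1 port 8021
# in --> dmz.ftp
#rdr pass on $int_if proto tcp to $dmz_net port ftp -> 127.0.0.1 port 8021
# dmz <-- out
# http(s)
#rdr on $ext_if proto tcp to $ext_if port www -> $dmz_web_server
#rdr on $ext_if proto tcp to $ext_if port https -> $dmz_web_server
# ftp (see filter section)
# nat table end.

# filter table begin:
#anchor "ftp-proxy/*"

# block spoofed packets: drop traffic arriving on an interface whose source address
# belongs to another interface's network (or to loopback)
antispoof quick for { lo $int_if $dmz_if }
#antispoof quick for { lo $int_if $dmz_if $mng_if }

# setup a default deny policy.  Logged, so that whatever is dropped shows up on
# pflog0 (tcpdump -n -e -ttt -i pflog0) instead of disappearing silently.
block log all

# enable firewall access anywhere (disabled!!!)
#pass out from <fw> to any

# enable ssh for management from int_if,mng_if.
# Destination is the firewall itself (<fw>) -- without it the rule would also let
# LAN hosts open ssh *through* the firewall to anywhere.
pass in quick on $int_if proto tcp to <fw> port ssh
#pass in quick on $mng_if proto tcp to <fw> port ssh

# enable LAN / DMZ hosts to ping the firewall
pass in quick on $int_if inet proto icmp to <fw> icmp-type echoreq
pass in quick on $dmz_if inet proto icmp to <fw> icmp-type echoreq
#pass in quick on $mng_if inet proto icmp to <fw> icmp-type echoreq

# enable dns query in int_if
#pass in quick on $int_if proto udp to $int_if port domain

# in --> out
# ping
#pass in quick on $int_if inet proto icmp to ! <lan> icmp-type echoreq
# http(s)
#pass in quick on $int_if proto tcp to ! <lan> port www
#pass in quick on $int_if proto tcp to ! <lan> port https
# ftp (see nat section)

# in --> dmz
# ping
#pass in quick on $int_if inet proto icmp to $dmz_net icmp-type echoreq
#pass out quick on $dmz_if inet proto icmp from $int_net icmp-type echoreq
# http(s)
#pass in quick on $int_if proto tcp to $dmz_net port www
#pass out quick on $dmz_if proto tcp from $int_net to port www
#pass in quick on $int_if proto tcp to $dmz_net port https
#pass out quick on $dmz_if proto tcp from $int_net to port https
# ftp (see nat section and below) -- the ftp-proxy connects out from the $dmz_if address
#pass out quick on $dmz_if proto tcp from $dmz_if to port ftp

# dmz <-- out
# http(s): synproxy completes the TCP handshake before the DMZ server ever sees it
#pass in quick on $ext_if proto tcp to $dmz_web_server port www synproxy state
#pass out quick on $dmz_if proto tcp from ! <lan> to $dmz_web_server port www
#pass in quick on $ext_if proto tcp to $dmz_web_server port https synproxy state
#pass out quick on $dmz_if proto tcp from ! <lan> to $dmz_web_server port https
# ftp: only sockets owned by the "proxy" user (ftp-proxy) may reach the DMZ ftp server
#pass in quick on $ext_if proto tcp to $ext_if port ftp
#pass out quick on $dmz_if proto tcp from ! <lan> to $dmz_ftp_server port ftp user proxy
# filter table end.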