# Dirk van Deun 2004, dirk at dinf.vub.ac.be

ext_if="xl0"
int_if="fxp0"

# the internal addresses allowed outside connections
table <loggedin> persist

# the DNS servers
table <dns> { 134.184.15.13, 164.15.59.200 }

# http traffic is redirected to the login page if you are not logged in
rdr on $int_if proto tcp from ! <loggedin> to port http -> 127.0.0.1 port http
rdr on $int_if proto tcp from ! <loggedin> to port https -> 127.0.0.1 port https

# address translation for clients that are logged in
nat on $ext_if from <loggedin> -> ($ext_if)

# allow even clients that are not logged in yet to use the DNS servers
nat on $ext_if to <dns> port domain -> ($ext_if)

# the usual ftp proxy hack (enable the proxy in /etc/inetd.conf)
rdr on $int_if proto tcp from <loggedin> to port ftp -> 127.0.0.1 port 8021

# protect the NAT/firewall itself against unwanted connections
block in on $ext_if
pass in on $ext_if proto icmp
pass in on $ext_if proto tcp to $ext_if port ssh
pass in on $ext_if proto tcp to $ext_if port http

# allowed protocols for the internal clients
block in on $int_if
pass in quick on $int_if proto tcp to port domain keep state
pass in quick on $int_if proto udp to port domain keep state
pass in quick on $int_if proto tcp to port http keep state
pass in quick on $int_if proto tcp to port https keep state
block in quick on $int_if from ! <loggedin>
pass in on $int_if proto icmp
pass in on $int_if proto udp to port bootps keep state #dhcp
pass in on $int_if proto udp to port ntp keep state
pass in on $int_if proto tcp to port ftp keep state
pass in on $int_if proto tcp to port 8021 keep state #ftp-proxy
pass in on $int_if proto tcp to port pop3 keep state
pass in on $int_if proto tcp to port pop3s keep state
pass in on $int_if proto tcp to port imap keep state
pass in on $int_if proto tcp to port imaps keep state
pass in on $int_if proto tcp to port ssh keep state
pass in on $int_if proto tcp to port telnet keep state
pass in on $int_if proto tcp to port smtp keep state
pass in on $int_if proto tcp to port submission keep state
pass in on $int_if proto tcp to port gopher keep state
pass in on $int_if proto tcp to port sftp keep state
pass in on $int_if proto tcp to port mysql keep state
pass in on $int_if proto tcp to port rsync keep state
pass in on $int_if proto tcp to port 16286 keep state #mathlm
pass in on $int_if proto tcp to port nntp keep state
pass in on $int_if proto tcp to port postgresql keep state
pass in on $int_if proto tcp to port 2628 keep state #dict.org
pass in on $int_if proto tcp to port 465 keep state #smtps
pass in on $int_if proto tcp to port 614 keep state #sshell
pass in on $int_if proto tcp to port 992 keep state #telnets
pass in on $int_if proto tcp to port { 989,990 } keep state #ftps
pass in on $int_if proto tcp to port 1863 keep state #msn
pass in on $int_if proto tcp to port 5190 keep state #icq

# pass ftp-proxy traffic
pass in on $ext_if user proxy keep state
pass in on $int_if user proxy keep state

# provide state to outside connections originating on the firewall itself
pass out on $ext_if proto { tcp, udp } keep state
pass out on $int_if proto { tcp, udp } keep state