# pf.conf excerpt: per-VLAN source NAT, ftp-proxy redirection and a few stateless
# pass rules behind an aggregated uplink.
# NOTE(review): every table name is missing ("table persist file ...", "from to any",
# "to -> $dst_nat1"); the <name> tokens were most likely stripped when the page was
# extracted. As pasted the ruleset would not load — restore the names from the original
# /etc/pf.conf before reuse.
# Interface macros: uplink is the lagg bundle, inside traffic arrives on two VLANs.
ext_if="lagg0"
int_if_1="vlan11"
int_if_2="vlan12"
# Source-NAT pools, one /25 per VLAN (second octet redacted as "xx" in the paste).
dst_nat1="109.xx.177.0/25"
dst_nat2="109.xx.177.128/25"
# Table populated from a file at load time; "persist" keeps it when no rule references it.
table persist file "/etc/pf.src-nat"
#table persist { www.moby-money.ru }
# Empty persistent table — presumably filled at runtime with pfctl -t ... -T add; confirm.
table persist { }
# Memory limits. 10M states is far above pf's default; the state pool must be sized for it,
# and the pfctl -si output on this page shows state-limit was already hit twice.
set limit { states 10000000, frags 800000, src-nodes 100000, table-entries 500000}
# A state is only matched on the interface it was created on.
set state-policy if-bound
# "aggressive" shortens the default state timeouts; the explicit timeouts below override
# just the listed keys (tcp.established stays at one hour).
set optimization aggressive
set ruleset-optimization profile
set timeout { frag 10, tcp.established 3600, src.track 30 }
# Blocked packets are dropped silently (no RST / ICMP unreachable back to the sender).
set block-policy drop
set fingerprints "/etc/pf.os"
set require-order no
# em0 is excluded from filtering and translation entirely — nothing below applies to it.
set skip on {lo0, em0}
# Normalization: reassemble fragments and clamp inbound TCP MSS to 1480.
scrub in all max-mss 1480 fragment reassemble
# Tagging. These rules are "pass ... quick", so they are the final decision for everything
# entering the two VLANs: no later rule filters inbound traffic there. "allow-opts" lets
# packets with IP options through (the ip-option counter in pfctl -si shows they occur);
# "no state" means no state entry is created here — return traffic relies on the NAT
# states created below.
pass in quick on $int_if_1 all allow-opts tag NAT1 label "$nr:NAT1" no state
pass in quick on $int_if_2 all allow-opts tag NAT2 label "$nr:NAT2" no state
# Anchors: binat mappings come from a separate file; ftp-proxy installs its own nat/rdr rules.
binat-anchor "binat"
load anchor "binat" from "/etc/pf.anchor.binat"
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
# ftp-proxy: FTP control connections from the (missing) table on each VLAN are redirected
# to the local proxy on 127.0.0.1:8021. "rdr pass" creates state directly and skips the
# filter rules for the redirected packets.
rdr pass on $int_if_1 proto tcp from to any port 21 -> 127.0.0.1 port 8021
rdr pass on $int_if_2 proto tcp from to any port 21 -> 127.0.0.1 port 8021
# BFD pass-through: UDP/4784 from the one listed peer to the uplink address is redirected
# to an inside host (addresses redacted). Only that single source is accepted here.
rdr pass on $ext_if proto udp from 109.xx.176.0 to 109.xx.176.1 port 4784 -> 10.78.76.0 port 4784
# Dynamic NAT: source NAT chosen by the tag set on ingress. "static-port" keeps the original
# source port; "sticky-address" pins a source to one pool address for as long as its
# src-node entry lives (src.track 30 above).
nat on $ext_if from to any tagged NAT1 -> $dst_nat1 static-port sticky-address
nat on $ext_if from to any tagged NAT2 -> $dst_nat2 static-port sticky-address
# Catch-all: any source (tagged or not) going to the missing table is translated to pool 1.
nat on $ext_if from any to -> $dst_nat1 static-port sticky-address
# Public services addresses: 1:1 bidirectional mapping of an inside host to a public IP.
binat on $ext_if from 10.78.78.2 to any -> 93.xx.199.252
anchor "ftp-proxy/*"
# Outbound FTP control channel on every interface, stateless; the proxy handles data channels.
pass out quick proto tcp from any to any port 21 no state
# GRE: passed stateless in both directions on the uplink from any source to any destination.
# NOTE(review): there is no peer restriction on this rule — confirm whether it should be
# limited to the tunnel endpoints.
pass quick on $ext_if proto gre all no state
# pfctl -si
No ALTQ support in kernel
ALTQ related functions disabled
Status: Enabled for 18 days 04:24:31 Debug: Urgent
State Table Total Rate
current entries 70467
searches 139246893392 88631.8/s
inserts 1443538289 918.8/s
removals 1443470553 918.8/s
Counters
match 71558283115 45547.5/s
bad-offset 0 0.0/s
fragment 243783 0.2/s
short 11668 0.0/s
normalize 89847 0.1/s
memory 0 0.0/s
bad-timestamp 0 0.0/s
congestion 0 0.0/s
ip-option 407 0.0/s
proto-cksum 0 0.0/s
state-mismatch 1391800 0.9/s
state-insert 583113 0.4/s
state-limit 2 0.0/s
src-limit 0 0.0/s
synproxy 0 0.0/s