# pf.conf (FreeBSD-style pf: nat/rdr translation section, `service pf reload`).
# The host is a NAT gateway for two internal segments (the restricted_nat
# and jail_nat interfaces) with wlan0 as the uplink address, and forwards two
# external ports to hosts on jail_nat.
#
# TODO: ipv6 RFC 6296 - Network Prefix Translation?
# match out on $ext_if inet6 from fd00:db8::/48 binat-to 2001:db8::/48
# TODO: Maybe ipv6 icmp rules from https://oneuptime.com/blog/post/2026-03-20-configure-ipv6-firewall-pf-freebsd/view
#
# restricted_nat 10.215.2.1/24
# jail_nat 10.215.1.1/24
#
#
# External connections -> 172.16.16.32:8081
# rdr to bastion 10.215.1.217
# snat to bridge?
#

# Macros.
# Every candidate uplink interface. Only wlan0's address is used as the
# nat/rdr address below; the other members matter for the inbound pass rules
# and the icmp rules.
ext_if = "{ igb0 igb1 ix0 ix1 wlan0 }"
# NOTE(review): not_ext_if, rfc1918 and dhcp are defined but not referenced
# by any rule in this file. rfc1918 looks intended for an ingress
# anti-spoofing rule and dhcp for a DHCP client rule on the uplink; if any
# $ext_if member gets its address via DHCP, DHCPDISCOVER leaves with source
# 0.0.0.0 and is NOT matched by `pass out ... from (wlan0)` below -
# TODO confirm.
not_ext_if = "{ !igb0 !igb1 !ix0 !ix1 !wlan0 }"
rfc1918 = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"
dhcp = "{ bootpc, bootps }"
# Interfaces passed unconditionally (presumably WireGuard tunnels - verify).
allow = "{ wgh wgf }"
# Ports accepted from anywhere on the uplink address: 22/tcp, and 53 + 51820
# udp (DNS and WireGuard per the comments below).
tcp_pass_in = "{ 22 }"
udp_pass_in = "{ 53 51820 }"

# Rules must be in order: options, normalization, queueing, translation, filtering

# options
set skip on lo

# normalization
# NOTE(review): no `scrub` rule, so fragments are not reassembled before the
# filter rules see them; consider `scrub in all` if that is wanted.

# queueing

# translation
# Source-NAT keyed on tags set by the filter rules below: NATOUT leaves via
# the uplink address, NATRESTRICTED / NATJAIL are re-sourced to the gateway's
# address on the respective internal interface. Only tcp/udp are translated.
nat pass on $ext_if proto {tcp, udp} tagged NATOUT -> (wlan0)
nat pass on restricted_nat proto {tcp, udp} tagged NATRESTRICTED -> (restricted_nat)
nat pass on jail_nat proto {tcp, udp} tagged NATJAIL -> (jail_nat)

# external -> bastion
# Inbound to the uplink address on 8081 is forwarded to the bastion on 443
# and tagged NATJAIL, so the nat rule above re-sources it to the gateway's
# jail_nat address: the bastion sees the gateway, not the original client,
# as the source (affects bastion-side logging and access control).
# NOTE(review): the `pass` modifier on rdr (and nat) rules admits matching
# packets without consulting the filter rules, so this traffic is neither
# logged by `block log all` nor limited by any pass rule. Dropping `pass`
# and adding explicit `pass in ... tagged NATJAIL` filter rules would bring
# it under the filter section. Both rdr rules also forward udp: sftp/ssh is
# tcp-only, and 443/udp only matters if the bastion serves HTTP/3 - verify.
rdr pass on $ext_if proto {tcp, udp} from any to (wlan0) port 8081 tag NATJAIL -> 10.215.1.217 port 443

# external -> sftp
rdr pass on $ext_if proto {tcp, udp} from any to (wlan0) port 8022 tag NATJAIL -> 10.215.1.216 port 22

# filtering
# Default deny, logged. Everything below is an exception to this.
block log all
# Host-originated and NATed traffic leaving via the uplink. Matches only
# packets sourced from wlan0's address, so traffic leaving igb*/ix* with
# their own addresses is not covered by this rule.
pass out on $ext_if from (wlan0)

# We pass on the interfaces listed in allow rather than skipping on
# them because changes to pass rules will update when running a
# `service pf reload` but interfaces that we `skip` will not update (I
# forget if it's from adding, removing, or both. TODO: test to figure
# it out)
pass quick on $allow

# All ICMP / ICMPv6 types, both directions, on every $ext_if member.
# NOTE(review): could be narrowed to the types actually needed (e.g.
# `icmp-type echoreq` inbound, plus the ICMPv6 types neighbour discovery
# requires) if the external surface matters.
pass on $ext_if proto icmp all
pass on $ext_if proto icmp6 all

# Services exposed on the uplink address to any source.
pass in on $ext_if proto tcp to (wlan0) port $tcp_pass_in
pass in on $ext_if proto udp to (wlan0) port $udp_pass_in

# Allow DNS and wireguard from cloak
# NOTE(review): `to any` is not limited to the outside - with the default
# floating state policy the forward path on jail_nat is matched by state, so
# 10.215.2.2 can also reach 53/51820 on jail_nat hosts and on the gateway
# itself; use `to ! $rfc1918` (or the uplink side) if only external
# DNS/WireGuard is intended - verify.
pass in on restricted_nat proto {udp, tcp} from 10.215.2.2 to any port { 53 51820 } tag NATOUT

# bastion -> cloak
# Tagged NATRESTRICTED so the nat rule above re-sources it to the gateway's
# restricted_nat address before it reaches cloak.
pass in on jail_nat proto {udp, tcp} from 10.215.1.217 to 10.215.2.2 port 8081 tag NATRESTRICTED