"PF Firewall Configuration - FreeBSD"

Published: Tue 26 February 2019


The pf.conf below NATs a jail network out through the host's public address and redirects inbound web, DNS and FTP traffic to a jail, if you run any; it is the configuration that works for me. Every rule logs to pflog0 (the log (all, to pflog0) options in the ruleset), so firewall decisions can be watched on that interface.

Update

PF is a good firewall solution for FreeBSD. It first appeared in OpenBSD and was later ported to FreeBSD and other platforms such as BlackBerry. To run PF on FreeBSD, the following two kernel modules must be in the kernel (the pf and pflog rc scripts load them when the services start, so loading them by hand only matters if you want to use pfctl before enabling the services):

  • pf.ko
  • pflog.ko

To load a kernel module on FreeBSD:

[code lang=text]
kldload pf.ko
kldload pflog.ko
[/code]

To view the loaded kernel modules on FreeBSD, run kldstat; the output will look something like this, with pflog.ko and pf.ko at the end:

[code lang=text]
Id Refs Address            Size     Name
 1   21 0xffffffff80200000 206c860  kernel
 2    1 0xffffffff8226e000 5c70     virtio_console.ko
 4    1 0xffffffff82288000 ad30     aesni.ko
 5    1 0xffffffff82293000 1140     cd9660_iconv.ko
 6    2 0xffffffff82295000 87e8     libiconv.ko
 7    1 0xffffffff82419000 1860     fdescfs.ko
 8    1 0xffffffff8241b000 9e8      pflog.ko
 9    1 0xffffffff8241c000 2e498    pf.ko
[/code]

The following sysrc(8) commands enable PF and its logging through rc.conf; the last one enables IP forwarding so the host can act as a gateway for the jail network. Make sure /etc/pf.conf exists before starting PF, since the pf rc script refuses to start without its rules file.

  • sysrc pf_enable=yes
  • sysrc pf_flags=""
  • sysrc pf_rules="/etc/pf.conf"
  • sysrc pflog_enable=yes
  • sysrc pflog_logfile="/var/log/pflog0"
  • sysrc pflog_flags=""
  • sysrc gateway_enable=yes

Once you have done all of the above, copy my firewall configuration and modify it to your needs. Be sure to change extif to your external interface, and public_ip, the jail addresses and the port lists to match your host.

[code lang=text]
# External interface and addresses; extif must be your public-facing interface
extif="vtnet0"

public_ip="104.248.156.107"
www_jail_ip="10.0.0.1"
jail_net="10.0.0.0/24"

www_port="{80,443}"
tcp_port="{21,80,22222,443,53,67,68,22}"

# Source addresses that are never valid on the public interface. The table
# name was lost when the post was rendered (the angle brackets were stripped);
# <martians> is a placeholder, pick any name but use the same one in the block
# rule below.
table <martians> const { 127/8, 172.16/12, 169.254/16, 192.0.2/24, 0/8, 240/4 }

set skip on lo
set debug urgent
set block-policy drop
set loginterface $extif
set state-policy if-bound
set fingerprints "/etc/pf.os"
set ruleset-optimization none
set optimization aggressive

# Normalisation must come before translation rules or pfctl rejects the file
scrub log on $extif all random-id min-ttl 15 set-tos 0x1c fragment reassemble

nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Jail network goes out masqueraded as the public address
nat pass log (all, to pflog0) on $extif from $jail_net to any -> $public_ip

# Inbound web, DNS and FTP are handed to the jail; outbound FTP goes via ftp-proxy
rdr pass log (all, to pflog0) on $extif proto tcp from any to $public_ip port $www_port -> $www_jail_ip
rdr pass log (all, to pflog0) on $extif proto {tcp,udp} from any to $public_ip port 53 -> $www_jail_ip
rdr pass log (all, to pflog0) on $extif proto {tcp,udp} from any to $public_ip port 21 -> $www_jail_ip
rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 8021

anchor "ftp-proxy/*"

# Default deny, then drop martian sources, then allow only the listed ports
block log (all, to pflog0)
block log (all, to pflog0) on $extif from <martians> to any
pass out log (all, to pflog0) quick on $extif proto {tcp,udp} to any port $tcp_port keep state
pass in log (all, to pflog0) quick on $extif proto {tcp,udp} to any port $tcp_port keep state
[/code]
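Since every rule above logs to pflog0, the interesting question once it is running is what the default block is actually catching. The script below is an added example, not code from the original post: it reads the text that tcpdump prints for pflog records (either from the file pflogd writes or from the live pflog0 interface) and counts blocked inbound packets per source address and destination port. The record header format it parses ("rule N/0(match): ACTION DIR on IFACE: SRC.PORT > DST.PORT:") is the one printed by the tcpdump shipped with FreeBSD, and the sample input is constructed, not a real capture.

```shell
#!/bin/sh
# Added example, not code from the original post: summarise what the ruleset's
# "log (all, to pflog0)" options are catching. Input is the text tcpdump prints
# for pflog records, i.e. the output of either
#   tcpdump -n -e -ttt -r /var/log/pflog0   (the file pflogd writes per rc.conf)
#   tcpdump -n -e -ttt -i pflog0            (live)
# Assumption: tcpdump's "rule N/0(match): ACTION DIR on IFACE: SRC.PORT > DST.PORT:"
# record header, as printed by the tcpdump shipped with FreeBSD.

# Constructed sample in that format (not a real capture); sources are from
# documentation ranges, the destination is the post's public_ip.
SAMPLE_PFLOG='00:00:00.000000 rule 3/0(match): block in on vtnet0: 198.51.100.7.54321 > 104.248.156.107.23: Flags [S], seq 1, win 65535, length 0
00:00:00.417231 rule 3/0(match): block in on vtnet0: 198.51.100.7.54322 > 104.248.156.107.23: Flags [S], seq 2, win 65535, length 0
00:00:01.003311 rule 5/0(match): pass in on vtnet0: 203.0.113.9.40000 > 104.248.156.107.443: Flags [S], seq 3, win 65535, length 0
00:00:02.120004 rule 3/0(match): block in on vtnet0: 203.0.113.9.40001 > 104.248.156.107.3389: Flags [S], seq 4, win 65535, length 0
00:00:02.500000 rule 3/0(match): block out on vtnet0: 104.248.156.107.5000 > 198.51.100.7.123: UDP, length 48
00:00:03.000000 rule 3/0(match): block in on vtnet0: 198.51.100.7.54323 > 104.248.156.107.23: Flags [S], seq 5, win 65535, length 0'

# summarize_blocks: reads tcpdump pflog text on stdin and prints
# "COUNT SRC -> DPORT" for blocked inbound packets, busiest first. Passed
# packets (the ruleset logs those too) and blocked outbound ones are skipped,
# so the output is the list of who is knocking on ports the ruleset refuses.
# The rule number in each record is the @N index shown by "pfctl -vvsr".
summarize_blocks() {
    awk '
    match($0, /rule [0-9]+\/[0-9]+\(match\): (block|pass) (in|out) on [^:]+: /) {
        split(substr($0, RSTART, RLENGTH), h, " ")   # h[3]=action h[4]=direction
        if (h[3] != "block" || h[4] != "in") next
        rest = substr($0, RSTART + RLENGTH)          # "SRC.PORT > DST.PORT: ..."
        sub(/^IP6? /, "", rest)                      # tolerate an "IP " prefix
        split(rest, f, " ")
        src = f[1]; dst = f[3]
        sub(/:$/, "", dst)
        dport = dst; sub(/.*\./, "", dport)          # port is the last dotted part
        sub(/\.[0-9]+$/, "", src)                    # drop the ephemeral source port
        count[src " -> " dport]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -rn
}

# No argument: run on the constructed sample. "-": read piped tcpdump output.
# Anything else: treat it as a pflog file and decode it with tcpdump first.
case "${1-}" in
    "") printf '%s\n' "$SAMPLE_PFLOG" | summarize_blocks ;;
    -)  summarize_blocks ;;
    *)  tcpdump -n -e -ttt -r "$1" | summarize_blocks ;;
esac
```

On the sample this prints "3 198.51.100.7 -> 23" followed by "1 203.0.113.9 -> 3389": the telnet probes are the noise, the pass to 443 and the blocked outbound NTP packet are filtered out. Pipe live output in with `tcpdump -n -e -ttt -i pflog0 | ./pflog-summary.sh -` to watch in real time.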

Once you have saved the file as /etc/pf.conf, check that it parses (pfctl -nf /etc/pf.conf; -n parses without loading anything) and then reload the firewall:

[code lang=text]
service pf reload
[/code]

Two things to keep in mind with this ruleset. The pass rules allow TCP and UDP only to the destination ports in $tcp_port, in both directions, and nothing passes ICMP, so with block-policy drop everything else (outbound NTP, ping, path-MTU messages) is dropped silently and shows up only in pflog. And the ftp-proxy anchors and the rdr to port 8021 do nothing unless ftp-proxy(8) is actually running (ftpproxy_enable in rc.conf).
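The whole procedure (modules, rc.conf, parse check, load) as one script, added here as an example and not code from the original post. Beyond the post's steps it arms a rollback timer: if the freshly loaded rules cut off your SSH session, pf is disabled again after a couple of minutes; if they do not, you kill the timer and keep them. It assumes FreeBSD with pf and pflog as kernel modules, sysrc(8), and the post's rc.conf values (pflog_logfile is the post's /var/log/pflog0; FreeBSD's default is /var/log/pflog). The script name and the PF_CONF and ROLLBACK_SECS variables are my own.

```shell
#!/bin/sh
# Added example, not code from the original post: the post's setup steps as a
# script that parse-checks the ruleset before loading it and arms a rollback
# timer, so a bad /etc/pf.conf on a remote host cannot lock you out for good.
# Assumptions: FreeBSD with pf(4)/pflog(4) as kernel modules, sysrc(8) present,
# and the post's rc.conf values (pflog_logfile is the post's /var/log/pflog0;
# FreeBSD's default is /var/log/pflog). Run as root: ./pf-setup.sh apply
set -eu

PF_CONF="${PF_CONF:-/etc/pf.conf}"      # ruleset to load
ROLLBACK_SECS="${ROLLBACK_SECS:-120}"   # how long you have to confirm access

# rc.conf settings from the post, one name=value per line.
rc_settings() {
    cat <<'EOF'
pf_enable=YES
pf_flags=
pf_rules=/etc/pf.conf
pflog_enable=YES
pflog_logfile=/var/log/pflog0
pflog_flags=
gateway_enable=YES
EOF
}

# Modules the post loads by hand. kldload -n is a no-op when the module is
# already in the kernel, so this is safe to re-run.
load_modules() {
    for m in pf pflog; do kldload -n "$m"; done
}

apply_rc_settings() {
    rc_settings | while IFS= read -r kv; do sysrc "$kv"; done
}

# pfctl -n parses the file without loading it: a syntax error here costs
# nothing, the same error after "service pf reload" costs the firewall.
check_ruleset() {
    pfctl -nf "$1"
}

# Load the ruleset and schedule "pfctl -d" (disable pf entirely) in the
# background. If the new rules cut your session off, the timer restores
# access; if they do not, kill the timer to keep them.
load_with_rollback() {
    check_ruleset "$1"
    pfctl -e 2>/dev/null || true        # "already enabled" is not a failure
    pfctl -f "$1"
    ( sleep "$ROLLBACK_SECS" && pfctl -d ) &
    rollback_pid=$!
    echo "pf loaded from $1; it will be DISABLED in ${ROLLBACK_SECS}s unless you run: kill $rollback_pid"
}

show_status() {
    pfctl -s info | head -n 3           # Status: Enabled ... plus counters
    pfctl -s nat                        # the nat/rdr rules actually loaded
    pfctl -vvsr | head -n 20            # rule numbers (@N) as they appear in pflog
}

case "${1-}" in
    apply)
        load_modules
        apply_rc_settings
        load_with_rollback "$PF_CONF"
        service pflog status >/dev/null 2>&1 || service pflog start
        show_status
        ;;
    check) check_ruleset "$PF_CONF" ;;
    *)     echo "usage: $0 apply | check" ;;
esac
```

Use `./pf-setup.sh check` from then on before every `service pf reload`; it is the same pfctl -nf check without touching the running firewall. Note that the rollback disables pf completely, so for the window between a bad load and the timer firing the host is unfiltered; that is the intended trade against losing the box.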

For more information on PF, see pf.conf(5) and pfctl(8), or the firewall chapter of the FreeBSD Handbook.
