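# $FreeBSD: src/etc/pf.conf,v 1.3 2006/01/27 17:16:20 mlaier Exp $
# $OpenBSD: pf.conf,v 1.21 2003/09/02 20:38:44 david Exp $
#
# Required section order: macros, options, normalization (scrub),
# translation (nat/rdr), filtering. Translation rules are first-match;
# filter rules are last-match unless marked "quick".

# macros
# Replace with the real NIC names (WAN/external, LAN/internal).
wan_if = "xx0"
lan_if = "yy0"

# Ports this host accepts on its WAN address. Change to taste; the
# service names can be checked in /etc/services.
# NOTE(review): 23/udp and 123/tcp are unusual pairings (telnet is TCP,
# NTP is UDP), and 20/tcp is the FTP data port with no 21 next to it --
# confirm each entry is intended before exposing it to the WAN.
udp_services = "{ 23, 53 }"
tcp_services = "{ 20, 25, 53, 80, 110, 123, 143, 443 }"

# Not referenced by any rule below, so SSH is NOT reachable from the WAN.
# Add an explicit pass rule if that is wanted.
ssh_services = "{ 22 }"
icmp_types = "echoreq"

# Addresses that must never appear as a source on the WAN (loopback,
# RFC 1918, link-local, TEST-NET, "this" network, reserved, multicast).
# 224.0.0.0/4 covers the whole multicast range (not just 224.x.x.x),
# consistent with the 240.0.0.0/4 reserved entry; narrow it only if the
# WAN legitimately carries multicast.
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4, 224.0.0.0/4 }"

# options
# "return" answers blocked TCP/UDP with RST / ICMP unreachable, which lets
# a remote party distinguish closed from filtered; "drop" is the quieter
# choice for an external interface. The bogon rules below drop explicitly.
set block-policy return
set loginterface $wan_if

# scrub
scrub in all

# nat/rdr
# Masquerade the LAN behind the WAN address; the parentheses follow a
# dynamically assigned address.
nat on $wan_if from $lan_if:network to any -> ($wan_if)

# Transparent proxy: redirect LAN web traffic (port 80) to a proxy on
# 127.0.0.1:3128. Filter rules see the translated destination, so the
# "pass in on $lan_if" rule below is what admits this traffic.
rdr on $lan_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128

# filter rules
# Default deny, logged; every rule after this is an exception to it.
block log all

# antispoof: block packets whose source claims one of our networks but
# that arrive on the wrong interface (expands to block rules, pf.conf(5)).
antispoof for $wan_if
antispoof for $lan_if

# Loopback is trusted; "quick" so no later rule can override it.
pass quick on lo0 all

# Bogon filtering on the WAN in both directions, dropped silently.
block drop in quick on $wan_if from $priv_nets to any
block drop out quick on $wan_if from any to $priv_nets

# Services this host offers on its WAN address. "flags S/SA": only an
# initial SYN may create state.
pass in on $wan_if inet proto udp from any to ($wan_if) port $udp_services keep state
pass in on $wan_if inet proto tcp from any to ($wan_if) port $tcp_services flags S/SA keep state

# Echo requests, on any interface.
pass in inet proto icmp all icmp-type $icmp_types keep state

# The LAN side is trusted in both directions.
pass in on $lan_if from $lan_if:network to any keep state
pass out on $lan_if from any to $lan_if:network keep state

# Outbound to the WAN from this host and from the NATed LAN.
# "modulate state" also rewrites TCP initial sequence numbers.
pass out on $wan_if inet proto tcp all modulate state flags S/SA
pass out on $wan_if inet proto { udp, icmp } all keep state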