Le fichier de configuration suivant pourrait être appliqué à un serveur DNS. Certaines parties ont volontairement été supprimées.
Exemple 14. Exemples d'un fichier pf.conf
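### ==========================================================================
### Macros: define common values, so they can be referenced and changed easily.
### ==========================================================================
dmz_if="xl0"                    # DMZ-facing interface; the DNS service listens here
vlan_if="vlan30"                # VLAN interface facing the <ext_lan> clients
ssh_port="3022"                 # non-default sshd port, reachable only from <ssh_host>
# Unprivileged (ephemeral) source ports. ':' is an inclusive range, so 1024
# and 65535 are matched; the former '1024 >< 65535' excluded both endpoints,
# which silently dropped connections using those two source ports.
unPrivPorts="{ 1024:65535 }"
proxy_p="3128"                  # TCP port of the HTTP proxy in <proxy_srv>
ftp_RP="{ ftp, 30000:40000 }"   # FTP control port plus the server's passive data range
### ==========================================================================
### Tables: similar to macros, but more flexible for many addresses.
### ==========================================================================
# Tables referenced by rules below but not defined in this example (these are
# the parts that were deliberately removed): <banned_hosts>, <gkar_srv>,
# <ntp_srv>, <ext_lan>. NOTE(review): an undefined table is presumably loaded
# empty, so the rules using it match nothing until it is populated -- define
# them here or add them with pfctl before relying on those rules.
# Hosts allowed to reach sshd on $dmz_if:$ssh_port.
table <ssh_host> const { \
172.17.0.1/32, \
172.17.0.239/32, \
172.17.0.240/32 \
}
# DMZ hosts allowed to query this server (note the /31 and /28 entries cover
# small ranges, not single hosts). Entries are comma-separated throughout;
# the original list had one whitespace-only separator after .234.
table <dmz_net> const { \
172.17.0.1/32, \
172.17.0.126/32, \
172.17.0.200/32, \
172.17.0.201/32, \
172.17.0.223/32, \
172.17.0.225/32, \
172.17.0.228/31, \
172.17.0.230/32, \
172.17.0.231/32, \
172.17.0.232/32, \
172.17.0.233/32, \
172.17.0.234/32, \
172.17.0.237/32, \
172.17.0.239/32, \
172.17.0.240/28 \
}
# Internal networks allowed to query this server. The trailing comma after
# the last entry has been removed: pf's list grammar requires an element
# after every comma, so the original table was rejected at load time.
table <auth_net> const { \
172.17.1.0/25, \
172.17.2.0/25, \
172.17.3.0/25, \
172.17.4.0/25, \
172.17.5.0/25, \
172.17.6.0/25 \
}
table <ftp_srv> const { 217.109.43.210/32 }    # outbound FTP destination
table <smtp_srv> const { 172.17.0.247/32 }     # outbound mail relay
table <master_dns> const { 172.17.0.253/32 }   # upstream/master name server
table <proxy_srv> const { 172.17.0.234/32 }    # HTTP proxy for outbound web access
### ==========================================================================
### Options: tune the behavior of pf, default values are given.
### ==========================================================================
set limit { states 12000, frags 5000 }   # hard caps on state and fragment tables
set loginterface $dmz_if                 # collect per-interface counters on the DMZ side
set optimization normal
set block-policy drop                    # blocked packets are dropped silently, not rejected
set require-order yes
set fingerprints "/etc/pf.os"
set skip on lo                           # loopback is never filtered
### ==========================================================================
### Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
### ==========================================================================
scrub in all random-id                   # randomize IP IDs on inbound traffic
scrub on $dmz_if all reassemble tcp
### ==========================================================================
### Filtering: default deny (block log all). Loopback is exempt through
### 'set skip on lo' above, not through a pass rule.
### ==========================================================================
# Every pass rule below is 'inet', so IPv6 is still dropped by 'block log all'
# even with this explicit rule commented out.
#block quick inet6 all
# Drop and log anything from <banned_hosts> before any pass rule can match.
block in quick log on $dmz_if from <banned_hosts>
block log all
antispoof log quick for { lo0 $dmz_if } inet
# Inbound: ssh from the allowed hosts only, on the non-default port.
pass in quick on $dmz_if inet proto tcp from <ssh_host> \
to $dmz_if port $ssh_port flags S/SA modulate state
# Inbound: DNS (UDP and TCP) from the DMZ and from the internal networks.
pass in quick on $dmz_if inet proto { tcp, udp } from <dmz_net> \
to $dmz_if port domain keep state
pass in quick on $dmz_if inet proto { tcp, udp } from <auth_net> \
to $dmz_if port domain keep state
# Outbound: mail to the relay only.
pass out quick on $dmz_if inet proto tcp from $dmz_if port $unPrivPorts \
to <smtp_srv> port smtp \
flags S/SA modulate state
# Outbound: syslog to the log host (stateless; <gkar_srv> is not defined here).
pass out quick on $dmz_if inet proto udp from $dmz_if port syslog \
to <gkar_srv> port syslog
# Outbound DNS: source port 53 to the master (UDP and, below, TCP), and
# client-style queries from ephemeral ports to anywhere.
pass out quick on $dmz_if inet proto udp from $dmz_if port domain \
to <master_dns> port domain \
keep state
pass out quick on $dmz_if inet proto udp from $dmz_if port $unPrivPorts \
to any port domain \
keep state
# Outbound: NTP to the time server (<ntp_srv> is not defined here).
pass out quick on $dmz_if inet proto udp from $dmz_if to \
<ntp_srv> port ntp keep state
# Outbound: HTTP via the proxy only, and FTP (control + passive range) to one host.
pass out quick on $dmz_if inet proto tcp from $dmz_if port $unPrivPorts \
to <proxy_srv> port $proxy_p \
flags S/SA modulate state
pass out quick on $dmz_if inet proto tcp from $dmz_if port $unPrivPorts \
to <ftp_srv> port $ftp_RP \
flags S/SA modulate state
pass out quick on $dmz_if inet proto tcp from $dmz_if port domain \
to <master_dns> port domain \
flags S/SA modulate state
# Catch-all outbound DNS rule; the more specific DNS rules above already
# matched ('quick'), so this only covers cases they left out.
pass out quick on $dmz_if inet proto { tcp, udp } from $dmz_if \
to any port domain keep state
# Outbound ICMP of any type from the DMZ interface.
pass out quick on $dmz_if inet proto icmp from $dmz_if \
to any keep state
# VLAN side: DNS queries and ICMP from <ext_lan> (not defined here) only.
pass in quick on $vlan_if inet proto { udp, tcp } from <ext_lan> port $unPrivPorts \
to $vlan_if port domain \
keep state
pass in quick on $vlan_if inet proto icmp from <ext_lan> \
to $vlan_if keep state
pass out quick on $vlan_if inet proto icmp from $vlan_if \
to <ext_lan> keep state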