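#-----------------------------------------------------------------------
# pf.conf -- Firewall packet filter and redirection rules for
# Tor transparent gateway (middlebox)
# NetBSD 8.0/arm7 (RPI2 and RPI3)
#
# External net: 10.199.199.0/24
# External GW:  10.199.199.1 (this host)
# All internet traffic is routed through Tor. DNS through Tor.
# No packet forward between external and internal NIC
#
# Ref: https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy
#
# [2018-05-23 / per.foyer@xyx.se]
#------------------------------------------------------------------------
#
# Interface naming used below: $int_if is the client-facing WiFi side
# (this host appears to be 10.199.199.1 there -- see the DHCP reply rule),
# $ext_if is the upstream ethernet side. The "External net" in the header
# is therefore the network on $int_if.

# Cisco 54G-USB or similar -- change rum0 if another WiFi adapter is used
int_if="rum0"

# RPI2/3 built-in ethernet port
ext_if="usmsc0"

# Tor's TransPort -- transparent proxy listener (must match TransPort in torrc)
trans_port = "9040"

set skip on lo
scrub in

#--- NOTE(review): this ruleset has no default-deny rule. pf passes any
#    packet that matches no rule, so client traffic not covered by the
#    redirections below (e.g. non-DNS UDP, or IPv6, since the rdr rules are
#    "inet" only) is not dropped by pf and, if IP forwarding is enabled,
#    could leave via $ext_if outside Tor. A default block ("block in all")
#    plus matching "pass out ... keep state" rules for Tor's own upstream
#    connections on $ext_if is the usual way to enforce the "no forward
#    between NICs" intent stated in the header; those pass-out rules are
#    not defined in this file, so verify against the Tor wiki reference
#    before enabling the line below.
#block in all

#--- Redirect all TCP from clients on $int_if through Tor's TransPort ---
# lo0 is listed here but is already excluded by "set skip on lo" above.
rdr pass on { lo0 $int_if } inet proto tcp to !($int_if) -> 127.0.0.1 port $trans_port

#--- DNS (UDP) through Tor ---
# Targets port 53 on localhost, presumably Tor's DNSPort -- verify torrc.
rdr pass on { lo0 $int_if } inet proto udp to port domain -> 127.0.0.1 port domain

#--- Allow ssh to this host from the $ext_if (ethernet) side ---
pass in on $ext_if proto tcp to ($ext_if) port ssh

#--- Allow incoming DHCP requests from clients on $int_if ---
# DHCP (bootps, port 67) is UDP; the earlier "proto tcp" form could never
# match a real DHCP request.
# NOTE(review): DHCPDISCOVER is sent to the broadcast address, which
# "($int_if)" does not cover -- "($int_if):broadcast" or dropping the
# destination part may be needed; confirm on the box (dhcpd may also read
# frames via bpf and bypass this rule entirely).
pass in on $int_if proto udp to ($int_if) port 67

#--- Allow the DHCP server on this host to reply on $int_if ---
pass out on $int_if from 10.199.199.1

#--- If ssh from $int_if to this host should be disallowed, uncomment:
#block in on $int_if inet proto tcp to 10.199.199.1 port ssh

# Loopback is already skipped by "set skip on lo"; kept for clarity.
pass quick on lo keep state

##--- EOF --------------------------------------------------------------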