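# pf config by Tim Niederhausen
#
# Evaluation reminder: pf is last-match-wins unless a rule carries "quick",
# in which case the first matching quick rule ends evaluation. The quick
# rules below therefore decide before the rate-limited pass rules are reached.

# Change the value to reflect your public interface. You can see this with ifconfig.
ext_if="vtnet0"

# Ports used for services (22 ssh, 80 http, 3306 mysql, 628/6286 application ports).
# NOTE(review): 3306 is reachable from any source with this rule set; unless remote
# database access is required, restrict it to <trusted_hosts> or bind it to localhost.
service_ports="{ 22, 628, 6286, 3306, 80 }"

# Ports used by Metin2. The second 14004 entry was removed: pf expands port lists
# into one rule per port, so the duplicate only produced a redundant rule.
game_ports="{ 11003, 13000, 14004, 19000, 21000, 21001, 21002, 21003, 21004, 11007, 13099, 14005, 15000, 13001, 14099, 9900, 9901, 9902, 9903, 9904, 9905, 9906, 9907, 9908, 9909, 9910, 9911, 9912, 9913, 9914, 15099 }"

# IP addresses that should override the firewall rules, such as your web server.
# These hosts skip the rate limits AND the <abusive_hosts>/<blockedips> blocks,
# because the "pass in quick" below matches them before any block rule.
table <trusted_hosts> const { 185.61.137.87, 194.169.211.13, 185.11.146.113 }

# Filled automatically by the overload clauses below. Entries never expire on
# their own; age them out periodically, e.g. from cron:
#   pfctl -t abusive_hosts -T expire 86400
table <abusive_hosts> persist

# Manually maintained block list, read from the file when the ruleset is loaded.
table <blockedips> persist file "/etc/pf.blocked.ip.conf"

set block-policy drop
set loginterface $ext_if
set skip on lo

# Normalise inbound traffic: reassemble TCP segments, clear DF, randomise IP ids.
scrub on $ext_if reassemble tcp no-df random-id
antispoof quick for { lo0 $ext_if }

# Default deny inbound; every rule below is an exception to this.
block in
pass out all keep state
pass out on $ext_if all modulate state

# Whitelist first: trusted hosts win over every block rule that follows.
pass in quick from <trusted_hosts>
block in quick from <abusive_hosts>
# Static block list, grouped with the other quick blocks (moved up from the end
# of the ruleset; "quick" makes the position equivalent, but the intent is
# clearer here). Hits are logged to pflog for review.
block drop in log (all) quick on $ext_if from <blockedips> to any

# Allow ping in (stated once; the original ruleset carried this rule twice).
pass in inet proto icmp all icmp-type echoreq keep state

# Rate limits, trial and error.
# On overload the offending source is added to <abusive_hosts> and "flush"
# tears down that source's existing states.
# NOTE(review): flags S/SA and max-src-conn (completed TCP handshakes) are TCP
# concepts; for the udp expansion of the first rule only max-src-conn-rate can
# apply. Confirm the ruleset still loads as intended with: pfctl -nf /etc/pf.conf
pass in on $ext_if proto {tcp,udp} to any port $service_ports flags S/SA keep state \
(max-src-conn 30, max-src-conn-rate 15/5, overload <abusive_hosts> flush)
pass in on $ext_if proto tcp to any port $game_ports flags S/SA keep state \
(max-src-conn 30, max-src-conn-rate 15/5, overload <abusive_hosts> flush)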