devinteske

pfconf

Jul 19th, 2022 (edited)
  1. # /etc/pf.conf for Grafana jail
  2.  
  3. intif = "ng0_<jailname>"
  4. serversource = "<jail_ip>"
  5. serverip = $serversource
  6.  
  7. servertcpports = "{ 3000, 8086 }"
  8. trustedhosts = "{ <ip/subnet/hostname/whatever>, ... }" # NB: Make sure gateway is trusted host
  9.  
  10. privnets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 255.255.255.255/32, 169.254.0.0/16 }"
  11. freebsd_pkg = "{ pkg, SRV _http._tcp.pkg, vuxml }"
  12. # NB: You're going to have to resolve these yourself (adding f.o to each and querying
  13. # NB: For the SRV record, get the IP of each name returned
  14. # NB: The format you want is similar $privnets but I won't list the IP address as they change
  15. # NB: E.g., { IP1, IP2, IP3, IP4, IP5, ... }
  16. multicast = "{ 224.0.0.0/4, ff00::/8 }"
  17.  
  18. set loginterface $intif
  19. set limit { states 20000 }
  20. table <badhosts> persist
  21. scrub all reassemble tcp no-df random-id max-mss 1280
  22.  
  23. rdr on $intif proto tcp from $trustedhosts to $serversource port $servertcpports -> $serverip
  24. rdr on $intif proto tcp from $serversource to $freebsd_pkg port 80 -> $freebsd_pkg
  25. rdr on $intif proto tcp from $freebsd_pkg port 80 to $serversource -> $serverip
  26.  
  27. block log
  28. pass quick on lo0 all
  29.  
  30. block in quick on $intif proto udp from any port { 80, 8080 } to any port 123
  31.  
  32. block drop in log quick inet6
  33. block drop in log on $intif from $privnets to any
  34. block drop in log on $intif from any to $privnets
  35. block drop in log quick on $intif from { <badhosts> }
  36. block drop in log quick proto icmp all
  37.  
  38. pass in on $intif proto tcp from $trustedhosts to $serverip port $servertcpports keep state
  39. pass out on $intif proto tcp from $serverip to $freebsd_pkg port 80 keep state
  40.  
  41. block drop in quick inet proto icmp all
  42. block drop out quick inet proto icmp all
  43. block drop in quick inet6 proto ipv6-icmp all
  44. block drop out quick inet6 proto ipv6-icmp all
  45.  
  46. pass out on $intif from any to $intif:network keep state
  47.  
  48. block drop in quick log proto udp from any to any port 5353
  49. block drop out quick log proto udp from any port 5353 to any
  50. block drop in quick log from any to $multicast
  51. block drop in quick log from $multicast to any
  52. block drop out quick log from any to $multicast
  53. block drop out quick log from $multicast to any