Untitled

a guest
Mar 30th, 2012
  1. #System aliases
  # pf.conf ruleset.  The anchor names (natearly, userrules, relayd, tftp-proxy, miniupnpd) and the
  # webConfigurator/snort2c tables suggest a pfSense-generated file -- TODO confirm against the source box.
  # Interface macros: $loopback, $WAN and $LAN expand to interface lists wherever "on $..." is used.
  2.  
  3. loopback = "{ lo0 }"
  4. WAN = "{ sis0 }"   # NOTE(review): WAN is assigned a second time under "User Aliases" (WAN = "<WAN>"); pf keeps the last assignment, so every later "on $WAN" presumably expands to the table <WAN> rather than to sis0 and the file would fail to load -- verify with "pfctl -nf" and rename the user alias if so
  5. LAN = "{ sis1 }"
  6.  
  7. #SSH Lockout Table
  # Both lockout tables start empty and are filled at runtime; "persist" keeps the table
  # defined even when nothing references it or it is empty.
  8. table <sshlockout> persist
  9. table <webConfiguratorlockout> persist
  10. #Snort tables
  # <snort2c> is referenced by the two block rules further down; <virusprot> by one block rule.
  11. table <snort2c>
  12.  
  13. table <virusprot>
  14.  
  15. # User Aliases
  16. table <adso1> { 10.3.10.4 }
  17. adso1 = "<adso1>"   # not referenced by any rule in this file
  18. table <WAN> { 10.2.10.52 }
  19. WAN = "<WAN>"   # NOTE(review): same macro name as the interface macro WAN = "{ sis0 }" above -- see the note there
  20.  
  21. # Gateways
  22. GWWAN = " route-to ( sis0 10.2.10.1 ) "   # policy-routing option (next hop 10.2.10.1 via sis0); the macro itself is not used below, the pass-out rule spells the option out inline
  23.  
  24.  
  25. set loginterface sis1   # interface whose packet/byte counters pf keeps (sis1 = LAN)
  26. set optimization normal
  27. set limit states 10000       # upper bound on the state table
  28. set limit src-nodes 10000    # upper bound on tracked source nodes
  29.  
  30. set skip on pfsync0   # no filtering on the pfsync interface
  31.  
  # Normalize incoming packets (fragment reassembly) on both real interfaces before filtering.
  32. scrub in on $WAN all fragment reassemble
  33. scrub in on $LAN all fragment reassemble
  34.  
  35.  
  36. no nat proto carp   # CARP is never translated
  37. no rdr proto carp
  # Translation rules loaded separately into these anchors take effect here, before the inline NAT rules.
  38. nat-anchor "natearly/*"
  39. nat-anchor "natrules/*"
  40.  
  41.  
  42. # Outbound NAT rules
  43.  
  44. # Subnets to NAT
  45. tonatsubnets = "{ 192.168.1.0/24 127.0.0.0/8 }"
  46. nat on $WAN from $tonatsubnets port 500 to any port 500 -> 10.2.10.177/32 port 500   # port 500 is kept as-is instead of being rewritten (static port; presumably for IKE/ISAKMP, which needs it -- TODO confirm)
  47. nat on $WAN from $tonatsubnets to any -> 10.2.10.177/32 port 1024:65535   # everything else is source-NATed to 10.2.10.177 with an ephemeral port
  48.  
  49.  
  50. # Load balancing anchor
  51. rdr-anchor "relayd/*"
  52. # TFTP proxy
  53. rdr-anchor "tftp-proxy/*"
  54. table <negate_networks> { 10.2.10.0/24 192.168.1.0/24 }   # not referenced by any rule in this file
  55. # UPnPd rdr anchor
  56. rdr-anchor "miniupnpd"
  57.  
  58. anchor "relayd/*"
  59. #---------------------------------------------------------------------------
  60. # default deny rules
  61. #---------------------------------------------------------------------------
  # No "quick" here: with pf's last-match-wins evaluation these only apply to traffic
  # that no later rule passes.  Both directions are logged.
  62. block in log all label "Default deny rule"
  63. block out log all label "Default deny rule"
  64.  
  65. # We use the mighty pf, we cannot be fooled.
  # Port 0 is never a legitimate TCP/UDP port; drop it as source or destination, in any direction.
  66. block quick proto { tcp, udp } from any port = 0 to any
  67. block quick proto { tcp, udp } from any to any port = 0
  68.  
  69. # Block all IPv6
  70. block in quick inet6 all
  71. block out quick inet6 all
  72.  
  73. # Snort package
  # Hosts that the IDS inserts into <snort2c> are cut off in both directions.
  74. block quick from <snort2c> to any label "Block snort2c hosts"
  75. block quick from any to <snort2c> label "Block snort2c hosts"
  76.  
  77. # SSH lockout
  # Locked-out sources are refused on port 22 only; their other traffic is unaffected.
  78. block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"
  79.  
  80. # webConfigurator lockout
  81. block in log quick proto tcp from <webConfiguratorlockout> to any port 443 label "webConfiguratorlockout"
  82. block in quick from <virusprot> to any label "virusprot overload table"   # nothing in this file has an "overload <virusprot>" clause; the table is populated elsewhere -- TODO confirm
  83. table <bogons> persist file "/etc/bogons"   # table contents come from the file, so it is only as current as that file
  84. # block bogon networks
  85. # http://www.cymru.com/Documents/bogon-bn-nonagg.txt
  86. block in log quick on $WAN from <bogons> to any label "block bogon networks from WAN"
  87. antispoof for sis0   # expands to block rules for packets that arrive elsewhere but claim a sis0-network source
  88. # allow our DHCP client out to the WAN
  # The firewall's own DHCP client on the WAN side: server->client (67->68) in, client->server (68->67) out.
  89. pass in on $WAN proto udp from any port = 67 to any port = 68 label "allow dhcp client out WAN"
  90. pass out on $WAN proto udp from any port = 68 to any port = 67 label "allow dhcp client out WAN"
  91. # Not installing DHCP server firewall rules for WAN which is configured for DHCP.
  92. antispoof for sis1
  93. # allow access to DHCP server on LAN
  # Broadcast and unicast (renewal) requests to the LAN address 192.168.1.1, plus the replies.
  94. pass in quick on $LAN proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
  95. pass in quick on $LAN proto udp from any port = 68 to 192.168.1.1 port = 67 label "allow access to DHCP server"
  96. pass out quick on $LAN proto udp from 192.168.1.1 port = 67 to any port = 68 label "allow access to DHCP server"
  97.  
  98. # loopback
  99. pass in on $loopback all label "pass loopback"
  100. pass out on $loopback all label "pass loopback"
  101. # let out anything from the firewall host itself and decrypted IPsec traffic
  # "allow-opts" lets packets carrying IP options through (pf drops them on pass by default).
  # Outbound traffic originating on the firewall is unrestricted on every interface, so a
  # compromised local service has unfiltered egress; tighten if the box runs exposed services.
  102. pass out all keep state allow-opts label "let out anything from firewall host itself"
  103. pass out route-to ( sis0 10.2.10.1 ) from 10.2.10.177 to !10.2.10.0/24 keep state allow-opts label "let out anything from firewall host itself"   # traffic from the firewall's own 10.2.10.177 to non-local destinations is forced out sis0 via gateway 10.2.10.1
  104. # make sure the user cannot lock himself out of the webConfigurator or SSH
  # "(sis1)" is the address of sis1 at evaluation time; this keeps LAN-side management
  # reachable whatever the user rules below say.  No source restriction on the LAN side.
  105. pass in quick on sis1 proto tcp from any to (sis1) port { 80 443 22 } keep state label "anti-lockout rule"
  106.  
  107. # User-defined rules follow
  108.  
  109. anchor "userrules/*"
  # NOTE(review): the two WAN management rules below require the *source* port to be 443 / 22
  # ("from any port 443 to ... port 443"); clients normally connect from ephemeral source ports,
  # so these presumably never match -- either the intent or an error, TODO confirm.  As written
  # they would also expose the web GUI and SSH to every WAN source; if they are meant to work,
  # restrict "from any" to a management network.  The destination 10.2.10.52 (the <WAN> user
  # alias) is not the firewall's own 10.2.10.177 used in the NAT and route-to rules, and no rdr
  # for 10.2.10.52 appears in this file -- TODO confirm which host it is.  "reply-to" sends the
  # replies back out sis0 via 10.2.10.1; "flags S/SA" creates state on the initial SYN only.
  110. pass in quick on $WAN reply-to ( sis0 10.2.10.1 ) proto tcp from any port 443 to 10.2.10.52 port 443 flags S/SA keep state label "USER_RULE: Web GUI WAN Access"
  111. pass in quick on $WAN reply-to ( sis0 10.2.10.1 ) proto tcp from any port 22 to 10.2.10.52 port 22 flags S/SA keep state label "USER_RULE: WAN SSH Access"
  112. pass in quick on $LAN from 192.168.1.0/24 to any keep state label "USER_RULE: Default allow LAN to any rule"   # LAN hosts may reach anything, any protocol; nothing after this rule restricts them
  113.  
  114. # VPN Rules
  115. anchor "tftp-proxy/*"