- # pfSense-generated pf(4) ruleset: macros and tables first, then options,
- # normalisation (scrub), translation (nat/rdr) and finally filter rules.
- # pf evaluates filter rules top-down and the LAST matching rule wins unless a
- # rule carries "quick", so the order of the lines below is significant.
- #System aliases
- # Interface macros: $loopback, $WAN and $LAN expand to interface lists.
- loopback = "{ lo0 }"
- WAN = "{ sis0 }"
- LAN = "{ sis1 }"
- #SSH Lockout Table
- # "persist" keeps these tables even while empty; they are filled at runtime
- # and consulted by the lockout block rules further down.
- table <sshlockout> persist
- table <webConfiguratorlockout> persist
- #Snort tables
- table <snort2c>
- table <virusprot>
- # User Aliases
- table <adso1> { 10.3.10.4 }
- adso1 = "<adso1>"
- # NOTE(review): the alias below re-assigns the macro name WAN, which the
- # "System aliases" section above already uses for the interface list { sis0 }.
- # pfctl keeps the most recent definition of a macro, so every later "$WAN"
- # (scrub, nat, bogon block, DHCP client and the USER_RULE lines) would expand
- # to the table <WAN> rather than the interface; "on <WAN>" is not valid
- # syntax and the ruleset is expected to fail to load. Renaming the alias
- # (e.g. WAN_host) avoids the collision — confirm against the running config.
- table <WAN> { 10.2.10.52 }
- WAN = "<WAN>"
- # Gateways
- # Policy-routing clause for the WAN gateway 10.2.10.1 via sis0. $GWWAN is not
- # referenced by any rule visible here; the rules below spell the route-to /
- # reply-to clause out inline instead.
- GWWAN = " route-to ( sis0 10.2.10.1 ) "
- # Global options: log on the LAN interface, cap the state table at 10000
- # entries and 10000 source-tracking nodes, and exempt pfsync0 from filtering.
- set loginterface sis1
- set optimization normal
- set limit states 10000
- set limit src-nodes 10000
- set skip on pfsync0
- # Normalisation: reassemble IP fragments on inbound WAN/LAN traffic before
- # any filter rule sees them.
- scrub in on $WAN all fragment reassemble
- scrub in on $LAN all fragment reassemble
- # CARP traffic is never translated
- no nat proto carp
- no rdr proto carp
- nat-anchor "natearly/*"
- nat-anchor "natrules/*"
- # Outbound NAT rules
- # Subnets to NAT
- tonatsubnets = "{ 192.168.1.0/24 127.0.0.0/8 }"
- # UDP 500 keeps its source port when translated (presumably for IKE/IPsec,
- # which is sensitive to source-port rewriting); all other traffic from the
- # NATed subnets is translated to 10.2.10.177 with an ephemeral source port.
- # 10.2.10.177 appears to be the firewall's own WAN address (cf. the route-to
- # egress rule below) — verify.
- nat on $WAN from $tonatsubnets port 500 to any port 500 -> 10.2.10.177/32 port 500
- nat on $WAN from $tonatsubnets to any -> 10.2.10.177/32 port 1024:65535
- # Load balancing anchor
- rdr-anchor "relayd/*"
- # TFTP proxy
- rdr-anchor "tftp-proxy/*"
- # Defined but not referenced by any rule visible here; presumably consumed by
- # rdr rules loaded through the anchors above — verify.
- table <negate_networks> { 10.2.10.0/24 192.168.1.0/24 }
- # UPnPd rdr anchor
- rdr-anchor "miniupnpd"
- anchor "relayd/*"
- #---------------------------------------------------------------------------
- # default deny rules
- #---------------------------------------------------------------------------
- # Everything not explicitly passed by a later rule is dropped and logged.
- block in log all label "Default deny rule"
- block out log all label "Default deny rule"
- # We use the mighty pf, we cannot be fooled.
- # Port 0 is never legitimate for TCP/UDP; drop it immediately in either direction.
- block quick proto { tcp, udp } from any port = 0 to any
- block quick proto { tcp, udp } from any to any port = 0
- # Block all IPv6
- block in quick inet6 all
- block out quick inet6 all
- # Snort package
- # Hosts that Snort has placed in <snort2c> are cut off in both directions.
- block quick from <snort2c> to any label "Block snort2c hosts"
- block quick from any to <snort2c> label "Block snort2c hosts"
- # SSH lockout
- # Sources in the lockout tables lose access to port 22 / 443 only; their
- # other traffic is still evaluated by the remaining rules.
- block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"
- # webConfigurator lockout
- block in log quick proto tcp from <webConfiguratorlockout> to any port 443 label "webConfiguratorlockout"
- # <virusprot> is the overload table for sources that exceeded a rule's
- # connection limits; all inbound traffic from them is dropped (not logged).
- block in quick from <virusprot> to any label "virusprot overload table"
- # Bogon prefixes are loaded from /etc/bogons; "persist" keeps the table even
- # if the file is empty. Keep the file current — stale bogon data can drop
- # traffic from legitimately allocated address space.
- table <bogons> persist file "/etc/bogons"
- # block bogon networks
- # http://www.cymru.com/Documents/bogon-bn-nonagg.txt
- block in log quick on $WAN from <bogons> to any label "block bogon networks from WAN"
- # antispoof for sis0 expands to rules dropping packets that arrive on an
- # interface other than sis0 but carry a source address from sis0's network
- # (and packets claiming sis0's own address).
- antispoof for sis0
- # allow our DHCP client out to the WAN
- pass in on $WAN proto udp from any port = 67 to any port = 68 label "allow dhcp client out WAN"
- pass out on $WAN proto udp from any port = 68 to any port = 67 label "allow dhcp client out WAN"
- # Not installing DHCP server firewall rules for WAN which is configured for DHCP.
- # Same anti-spoofing treatment for the LAN interface.
- antispoof for sis1
- # allow access to DHCP server on LAN
- # Clients discover via broadcast, then renew directly against the LAN
- # address 192.168.1.1; server replies go back to port 68.
- pass in quick on $LAN proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
- pass in quick on $LAN proto udp from any port = 68 to 192.168.1.1 port = 67 label "allow access to DHCP server"
- pass out quick on $LAN proto udp from 192.168.1.1 port = 67 to any port = 68 label "allow access to DHCP server"
- # loopback
- pass in on $loopback all label "pass loopback"
- pass out on $loopback all label "pass loopback"
- # let out anything from the firewall host itself and decrypted IPsec traffic
- # Unrestricted egress for the firewall host; allow-opts also permits packets
- # carrying IP options. The second rule forces the firewall's own off-subnet
- # traffic sourced from 10.2.10.177 out through the WAN gateway 10.2.10.1.
- pass out all keep state allow-opts label "let out anything from firewall host itself"
- pass out route-to ( sis0 10.2.10.1 ) from 10.2.10.177 to !10.2.10.0/24 keep state allow-opts label "let out anything from firewall host itself"
- # make sure the user cannot lock himself out of the webConfigurator or SSH
- # (sis1) is the LAN interface's own address. Being "quick" and placed before
- # the userrules anchor, this rule takes precedence over any user rule.
- pass in quick on sis1 proto tcp from any to (sis1) port { 80 443 22 } keep state label "anti-lockout rule"
- # User-defined rules follow
- anchor "userrules/*"
- # NOTE(review): the two WAN admin rules below admit any source on the WAN to
- # the web GUI (443) and SSH (22) on 10.2.10.52. The lockout tables above only
- # slow down brute force; they do not reduce exposure. Prefer replacing
- # "from any" with the administrators' addresses or reaching the GUI over a
- # VPN. Note also that "from any port 443" / "from any port 22" pins the SOURCE
- # port: ordinary clients use ephemeral source ports and will not match, so
- # verify whether a source-port restriction was really intended. "flags S/SA"
- # means only SYN (not SYN+ACK) packets create state.
- # 10.2.10.52 (the <WAN> alias address) differs from the 10.2.10.177 used for
- # NAT/egress above — confirm which address is the one reachable from the WAN.
- pass in quick on $WAN reply-to ( sis0 10.2.10.1 ) proto tcp from any port 443 to 10.2.10.52 port 443 flags S/SA keep state label "USER_RULE: Web GUI WAN Access"
- pass in quick on $WAN reply-to ( sis0 10.2.10.1 ) proto tcp from any port 22 to 10.2.10.52 port 22 flags S/SA keep state label "USER_RULE: WAN SSH Access"
- # Any host on 192.168.1.0/24 may reach any destination, including the
- # firewall's own services; tighten here if LAN hosts are not fully trusted.
- pass in quick on $LAN from 192.168.1.0/24 to any keep state label "USER_RULE: Default allow LAN to any rule"
- # VPN Rules
- # No VPN rules are present in this ruleset; only the TFTP proxy anchor follows.
- anchor "tftp-proxy/*"