  1. vpn_net = "192.168/16"
  2.  
  3. set block-policy return
  4. set fingerprints "/etc/pf.os"
  5. set ruleset-optimization basic
  6. set skip on lo0
  7.  
  8. scrub in all no-df
  9.  
  10. scrub-anchor "com.apple/*"
  11.  
  12. int_if = "en0"
  13. tun_if = "utun0"
  14. no nat on ! $tun_if from $vpn_net to ($int_if)
  15. nat on ! $tun_if from $vpn_net to ! ($int_if) -> ($int_if)
  16.  
  17. nat-anchor "com.apple/*"
  18. rdr-anchor "com.apple/*"
  19. dummynet-anchor "com.apple/*"
  20. anchor "com.apple/*"
  21. load anchor "com.apple" from "/etc/pf.anchors/com.apple"
  22.  
  23. anchor "com.apple.server-firewall/*"
  24. load anchor "com.apple.server-firewall" from "/etc/pf.anchors/com.apple.server-firewall"
  25.  
  26. block all
  27.  
  28. pass in quick on $tun_if reply-to $tun_if from $vpn_net to $int_if
  29.  
  30. table <lan_inet> const { lo0, 10/8, 172.16/12, 192.168/16 }
  31. table <lan_inet6> const { ::1, fe80::/10 }
  32.  
  33. pass quick inet from <lan_inet> to any keep state
  34. pass quick inet6 from <lan_inet6> to any keep state
  35.  
  36. block drop in log quick from no-route to any
  37. block drop in log quick from urpf-failed to any
  38.  
  39. table <bruteforce> persist
  40. block drop log quick from <bruteforce>
  41.  
  42. anchor 'blockips' label "Open Source IP Blocks"
  43. load anchor 'blockips' from '/usr/local/etc/blockips.conf'
  44.  
  45. icmp_types = "echoreq"
  46. pass inet proto icmp from $int_if:network to any icmp-type $icmp_types
  47. pass inet proto icmp from any to $int_if icmp-type $icmp_types
  48.  
  49. pass out on $int_if inet proto udp from any to any port 33433 >< 33626
  50.  
  51. pass in quick inet proto udp from port bootps to port bootpc
  52. pass out quick inet proto udp from port bootpc to port bootps
  53.  
  54. lan_udp_services = "{ domain, 5001, postgresql }"
  55. lan_tcp_services = "{ domain, auth, nntp, www, \
  56. 311, 3128, 5001, 5900:5909, privoxy, postgresql, \
  57. 8123, 8180, 8181, 9150, 9151 }"
  58. block in proto tcp from any to { lo0 $int_if } port $lan_tcp_services
  59. block in proto udp from any to { lo0 $int_if } port $lan_udp_services
  60.  
  61. pass in proto udp from { lo0 $vpn_net $int_if:network } to { lo0 $int_if } port $lan_udp_services
  62. pass in proto tcp from { lo0 $vpn_net $int_if:network } to { lo0 $int_if } port $lan_tcp_services
  63.  
  64. internet_udp_services = "{ https, 500, openvpn, \
  65. 1701, 4500, 5060, 5190, 5297, 5298, 5678, 16384 }"
  66. internet_tcp_services = "{ 995, 1640, 1723, 2195, \
  67. 2196, 4190, 5218, 5223, 5190, 5220, 5222, 5298, \
  68. 8008, 8443, 8800, 8843, 9001, 9030 }"
  69. pass in proto udp from any to { lo0 $int_if } port $internet_udp_services
  70. pass in proto tcp from any to { lo0 $int_if } port $internet_tcp_services
  71. apns_services = "{ 2195, 2196 }"
  72. pass in proto tcp from any port $apns_services to <lan_inet>
  73.  
  74. pass in inet proto tcp from any to { lo0 $int_if } port ssh \
  75. keep state (max-src-conn 5, max-src-conn-rate 5/2, \
  76. overload <bruteforce> flush global)
  77.  
  78. pass in inet proto tcp from any to { lo0 $int_if } \
  79. port { smtp, https, imap, submission, imaps, eyetv } \
  80. keep state (max-src-nodes 50, max-src-conn 200, max-src-conn-rate 100/10, \
  81. overload <bruteforce> flush global)
  82. pass out inet proto tcp from $int_if port { imap4-ssl, imaps } to any