
pfsense_pf

a guest
Sep 17th, 2011
[2.1-DEVELOPMENT][[email protected]]/root(2): pfctl -s rules
scrub in on pppoe0 all fragment reassemble
scrub in on rl0 all fragment reassemble
scrub in on gif0 all fragment reassemble
anchor "relayd/*" all
block drop in log inet all label "Default deny rule IPv4"
block drop out log inet all label "Default deny rule IPv4"
block drop in log inet6 all label "Default deny rule IPv6"
block drop out log inet6 all label "Default deny rule IPv6"
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echorep keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state
pass quick inet6 proto ipv6-icmp all icmp6-type unreach keep state
pass quick inet6 proto ipv6-icmp all icmp6-type toobig keep state
pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
pass quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state
block drop quick inet proto tcp from any port = 0 to any
block drop quick inet proto tcp from any to any port = 0
block drop quick inet proto udp from any port = 0 to any
block drop quick inet proto udp from any to any port = 0
block drop quick inet6 proto tcp from any port = 0 to any
block drop quick inet6 proto tcp from any to any port = 0
block drop quick inet6 proto udp from any port = 0 to any
block drop quick inet6 proto udp from any to any port = 0
block drop quick from <snort2c> to any label "Block snort2c hosts"
block drop quick from any to <snort2c> label "Block snort2c hosts"
block drop in log quick proto tcp from <sshlockout> to any port = ssh label "sshlockout"
block drop in log quick proto tcp from <webConfiguratorlockout> to any port = http label "webConfiguratorlockout"
block drop in quick from <virusprot> to any label "virusprot overload table"
block drop in log quick on pppoe0 from <bogons> to any label "block bogon IPv4 networks from WAN"
block drop in log quick on pppoe0 from <bogonsv6> to any label "block bogon IPv6 networks from WAN"
block drop in on ! pppoe0 inet from 60.xxx.xxx.xxx to any
block drop in inet from 60.xxx.xxx.xxx to any
block drop in on pppoe0 inet6 from fe80::205:5dff:fe7b:b589 to any
block drop in log quick on pppoe0 inet from 10.0.0.0/8 to any label "Block private networks from WAN block 10/8"
block drop in log quick on pppoe0 inet from 127.0.0.0/8 to any label "Block private networks from WAN block 127/8"
block drop in log quick on pppoe0 inet from 172.16.0.0/12 to any label "Block private networks from WAN block 172.16/12"
block drop in log quick on pppoe0 inet from 192.168.0.0/16 to any label "Block private networks from WAN block 192.168/16"
block drop in log quick on pppoe0 inet6 from fc00::/7 to any label "Block ULA networks from WAN block fc00::/7"
block drop in on ! rl0 inet6 from 2001:470:35:bd::/64 to any
block drop in on rl0 inet6 from fe80::2e0:56ff:fe4d:1427 to any
block drop in inet6 from 2001:470:35:bd::2:1 to any
block drop in on ! rl0 inet from 192.168.0.0/24 to any
block drop in inet from 192.168.0.1 to any
pass in on rl0 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
pass in on rl0 inet proto udp from any port = bootpc to 192.168.0.1 port = bootps keep state label "allow access to DHCP server"
pass out on rl0 inet proto udp from 192.168.0.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
anchor "dhcpv6serverLAN" all
pass in on rl0 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
pass in on rl0 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-server keep state label "allow access to DHCPv6 server"
pass in on rl0 inet6 proto udp from fe80::/10 to 2001:470:35:bd::2:1 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
pass out on rl0 inet6 proto udp from 2001:470:35:bd::2:1 port = dhcpv6-server to fe80::/10 keep state label "allow access to DHCPv6 server"
pass in on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
pass out on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
pass in on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
pass out on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"
pass out route-to (pppoe0 219.xxx.xxx.xxx) inet from 60.xxx.xxx.xxx to ! 60.xxx.xxx.xxx flags S/SA keep state allow-opts label "let out anything from firewall host itself"
pass out route-to (gif0 2001:470:35:bd::1) inet6 from 2001:470:35:bd::2 to ! 2001:470:35:bd::/126 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
pass in quick on rl0 proto tcp from any to (rl0) port = http flags S/SA keep state label "anti-lockout rule"
pass in quick on rl0 proto tcp from any to (rl0) port = ssh flags S/SA keep state label "anti-lockout rule"
anchor "userrules/*" all
pass in quick on pppoe0 inet6 from any to 2001:470:35:bd::/126 flags S/SA keep state label "USER_RULE"
pass in quick on pppoe0 reply-to (pppoe0 219.xxx.xxx.xxx) inet proto icmp from 66.220.2.74 to 60.xxx.xxx.xxx keep state label "USER_RULE"
pass in quick on pppoe0 reply-to (pppoe0 219.xxx.xxx.xxx) inet proto icmp from 66.220.18.42 to 60.xxx.xxx.xxx keep state label "USER_RULE"
pass in quick on pppoe0 reply-to (pppoe0 219.xxx.xxx.xxx) inet proto tcp from any to 192.168.0.20 port = 59177 flags S/SA keep state label "USER_RULE"
pass in quick on pppoe0 reply-to (pppoe0 219.xxx.xxx.xxx) inet proto udp from any to 192.168.0.20 port = 59177 keep state label "USER_RULE"
pass in quick on pppoe0 reply-to (pppoe0 219.xxx.xxx.xxx) inet proto tcp from any to 192.168.0.20 flags S/SA keep state label "USER_RULE: NAT "
pass in quick on pppoe0 reply-to (pppoe0 219.xxx.xxx.xxx) inet proto tcp from any to 192.168.0.20 flags S/SA keep state label "USER_RULE: NAT "
pass in quick on pppoe0 reply-to (pppoe0 219.xxx.xxx.xxx) inet proto tcp from any to 192.168.0.20 flags S/SA keep state label "USER_RULE: NAT "
pass in quick on rl0 inet from 192.168.0.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
pass in quick on rl0 inet6 all flags S/SA keep state label "USER_RULE"
anchor "tftp-proxy/*" all
[2.1-DEVELOPMENT][[email protected]]/root(3):