PF configuration file

a guest
Jan 2nd, 2014
62
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 2.65 KB | None | 0 0
  1. # Macros
  2. ext_if="wlan0"
  3. int_if="vboxnet0"
  4. #ext_if="em0"
  5. proxy="127.0.0.1"
  6. proxyport="8021"
  7.  
  8. # Known ports for outgoing traffic
  9. tcp_services = "{ www, https, domain }"
  10. udp_services = "{ domain, ntp }"
  11.  
  12. # Tables
  13. # Non rootable addresses
  14. table <unwanted> const persist {127.0.0.0/8, 172.16.0.0/12,\
  15. 10.0.0.0/8, 0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24,\
  16. 240.0.0.0/4, 255.255.255.255/32}
  17.  
  18. # Options
  19. set skip on lo0
  20. set require-order yes
  21. set block-policy drop
  22. set loginterface $ext_if
  23. set state-policy if-bound
  24. set fingerprints "/etc/pf.os"
  25.  
  26. # Scrub - Traffic normalization
  27. scrub in all random-id fragment reassemble
  28. scrub out all random-id fragment reassemble
  29.  
  30. # ftp-proxy
  31. nat-anchor "ftp-proxy/*"
  32. rdr-anchor "ftp-proxy/*"
  33.  
  34. # NAT (VirtualBox)
  35. #nat on $ext_if from $int_if:network to any -> ($ext_if)
  36.  
  37. # Redirect to ftp-proxy
  38. rdr pass proto tcp from any to any port ftp -> $proxy port $proxyport
  39.  
  40. # Antispoof
  41. antispoof for $ext_if
  42.  
  43. # Filters
  44. anchor "ftp-proxy/*"
  45.  
  46. # Block anything coming from source we have no back routes for
  47. block in from no-route to any
  48.  
  49. # Block packets that fail a reverse path check
  50. block in from urpf-failed to any
  51.  
  52. # Blocking spoofed packets
  53. block drop in log quick on ! $ext_if inet from ($ext_if) to any
  54.  
  55. # Block all packets not coming from this machine
  56. block out log quick on $ext_if from !($ext_if)
  57.  
  58. # Block unwanted and log
  59. block drop in log quick on $ext_if from {<unwanted>, 192.168.0.0/16} to any
  60. block drop out log quick on $ext_if from any to <unwanted>
  61.  
  62. # Block probes that can possibly determine the OS by disallowing certain
  63. # combinations that are commonly used by nmpa, queso and xprobe2
  64. block in quick on $ext_if proto tcp flags FUP/WEUAPRSF
  65. block in quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
  66. block in quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
  67. block in quick on $ext_if proto tcp flags /WEUAPRSF
  68. block in quick on $ext_if proto tcp flags SR/SR
  69. block in quick on $ext_if proto tcp flags SF/SF
  70.  
  71. # BLOCK ALL
  72. block in log all
  73. block out all
  74.  
  75. # FTP configurations (use of ftp-proxy)
  76. # Active FTP
  77. pass out on $ext_if proto tcp from self to any port ftp keep state
  78. # Passive FTP
  79. pass out on $ext_if proto tcp from self to any port > 49151 keep state
  80.  
  81. # Pass out internet traffic
  82. pass out quick on $ext_if inet proto tcp to any port $tcp_services flags S/SA modulate state
  83. pass out quick on $ext_if inet proto udp to any port $udp_services keep state
  84. #pass out quick on $ext_if inet proto tcp all flags S/SA modulate state
  85. #pass out quick on $ext_if inet proto udp all keep state
  86.  
  87. # Allow ping out
  88. pass out quick on $ext_if inet proto icmp all icmp-type 8 code 0 keep state