# pf.conf
#
# This provides advanced firewalling for a small, NAT'd network. A mail and web
# server exist and are available to the public and to local clients via NAT
# reflection. SSH is forwarded to the web server and brute force attempts are
# blocked and those IPs are banned from making any further connections to this
# network. Mail spam is blocked with spamd and spamlogd. ALTQ is used with the
# hierarchical fair service curve algorithm for traffic shaping. Labels are
# assigned to most rules to allow for easier tracking of rule data and
# statistics. Some of the global settings for pf are introduced for tweaking.
# Traffic sanitization is performed through scrub and antispoof rules.
#
# NOTE: In this revision the ALTQ queue definitions (QUEUEING) and the scrub
# rule (TRANSLATION) are commented out, so the two sentences above about
# traffic shaping and scrub describe the intended, not the loaded, ruleset.
#
# NOTE: In order for SPAMD to work, add the following lines to
# /etc/rc.conf.local:
# spamd_flags="-v -G 2:4:864"
# spamlogd_flags="-l pflog1"
# And create a pflog1 interface like so:
# # ifconfig pflog1 create
#
# NOTE: See the spamd.conf file for the spamd configuration.
#
# NOTE: To clean the bruteforce table of entries over 24 hours old, use:
# # pfctl -t bruteforce -T expire 86400
# Use crontab to manage this for you automatically
#
# NOTE: See the relayd.conf file for the relayd configuration.
#
# NOTE: In order for FTP services to work, add the following line to
# /etc/rc.conf.local:
# ftpproxy_flags=""
#
################################################################################
################################################################################
## MACROS
################################################################################
## INTERFACES
#############
ext_if = "re0" # public facing NIC
int_if = "em0" # LAN side NIC
# Interface list used by the NAT-reflection and FTP rules. NOTE: the wifi rules
# below say "on trusted" (no $) - that names an interface *group* called
# trusted, not this macro; unless such a group is created with ifconfig, those
# rules match nothing.
trusted = "{ em0 }"
## BANDWIDTH
############
# Upload speed (only referenced by the commented-out altq definitions)
ext_bw = "5Mb"
## NETWORKS AND MACHINES
########################
localnet = $int_if:network
proxy = "127.0.0.1"
webserver = "192.168.13.241"
mailserver = "192.168.13.240"
wifi = "{ 192.168.13.2 }"
walt = "192.168.13.50"
jenn = "192.168.13.150"
## NEW
xbox360 = "192.168.13.120"
## PORTS AND SERVICES
#####################
# DNS and NTP; the rule using this macro passes them over both tcp and udp
udp_services = "{ domain, ntp }"
# Only referenced by the commented-out icmp rule; the live icmp rule is "any"
icmp_types = "{ echoreq, unreach }"
client_out = "{ ssh, domain, http, https }"
# ssh is also in this list, so the generic "web-in" rules redirect port 22 as
# well as the dedicated rate-limited "ssh-web" rule - keep that in mind when
# ordering the filter rules.
web_tcp = "{ http, https, ssh, 64738, 9987, 3784 }"
# NOTE: http, https and ssh are TCP services; on udp these three entries open
# 80/443/22 towards the web server for no listening service. Drop them unless
# the server actually speaks HTTP/3 (QUIC on udp 443).
web_udp = "{ http, https, ssh, 64738, 9987, 3784 }"
mailports = "{ smtp, pop3, pop3s, imap, imap3, imaps }"
walt_tcp = "{ 4549 }"
walt_udp = "{ 4175, 4179, 4171, 55888 }"
jenn_tcp = "{ 1000 }"
jenn_udp = "{ 7777:7779, 27900:28900, 55889 }"
games_tcp = "{ 999 }"
games_udp = "{ 999 }"
## NEW
xbox_out_udp = "{ 53, 88, 3074 }"
xbox_out_tcp = "{ 53, 80, 3074 }"
# Ports forwarded from the Internet to the console. NOTE: the console does not
# serve DNS, so inbound 53 is presumably unnecessary - 88 and 3074 are the
# Xbox Live ports; verify and consider dropping 53 from the inbound list.
xbox_in_udp = "{ 53, 88, 3074 }"
## TABLES
#########
table <clients> persist { 192.168.13.0/24 }
# Bogon/private space dropped on the public interface. Not listed here:
# multicast (224.0.0.0/4) and CGNAT space (100.64.0.0/10) - add them if they
# should be dropped as well.
table <nonroutable> persist { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
0.0.0.0/8, 240.0.0.0/4 }
# Filled at runtime by the "ssh-web" overload; never expires by itself, see the
# pfctl expire note in the header.
table <bruteforce> persist
# Maintained by spamd(8) (greylisting whitelist)
table <spamd-white> persist
# Hosts that bypass spamd, loaded from a file
table <nospamd> persist file "/etc/mail/nospamd"
################################################################################
## OPTIONS
################################################################################
# Return status codes to hosts which initiate blocked traffic
# (commented out, so blocked packets are silently dropped - the pf default)
#set block-policy return
# Skip processing on the loopback interface group
set skip on lo
# Set global connection limits unless otherwise specified
# (commented out: no ruleset-wide per-source limits are in effect; only the
# "ssh-web" rule below carries its own max-src-conn settings)
#set state-defaults max 1500, max-src-conn 100, source-track rule
# Raise the debug level one above the default
set debug warn
# Perform basic ruleset optimization
set ruleset-optimization basic
################################################################################
## QUEUEING
################################################################################
# The whole altq tree is commented out. NOTE: the spamd rule in FILTER RULES
# still says "queue spamd"; pf normally rejects a rule that names a queue
# that is not defined (pfctl reports DIOCADDRULE: Device busy), so either
# re-enable these definitions or drop that clause - check with pfctl -nf.
#altq on $ext_if bandwidth $ext_bw hfsc queue { main, spamd }
#queue main bandwidth 99% priority 7 qlimit 100 hfsc \
#(realtime 20%, linkshare 99%) { q_pri, q_def, q_web, q_dns }
#queue q_pri bandwidth 3% priority 7 hfsc \
#(realtime 0, linkshare 3% red)
#queue q_def bandwidth 47% priority 1 hfsc \
#(default realtime 30% linkshare 47% red)
#queue q_web bandwidth 47% priority 1 hfsc \
#(realtime 30% linkshare 47% red)
#queue q_dns bandwidth 3% priority 7 qlimit 100 hfsc \
#(realtime (30Kb 3000 12Kb), linkshare 3%)
#queue spamd bandwidth 0% priority 0 qlimit 300 hfsc \
#(realtime 0, upperlimit 1%, linkshare 1%)
################################################################################
## TRANSLATION
################################################################################
## NEW
# Console traffic keeps its source port (static-port, presumably for Xbox Live
# "open NAT") and is mapped to the primary address only (:0 excludes aliases).
# NOTE: $localnet also contains $xbox360, so the generic nat-to rule two lines
# down matches the console's packets as well; which nat-to ends up applied
# follows pf's match-rule semantics - confirm with pfctl -ss that console
# states keep their source port. The commented form with !$xbox360 avoids the
# overlap.
match out on $ext_if from $xbox360 to any received-on $int_if nat-to ($ext_if:0) static-port
#match out on $ext_if from !$xbox360 nat-to ($ext_if:0)
# ($ext_if) accounts for the public IP changing dynamically
# NOTE: that only holds where the name is parenthesized; the rdr rules further
# down that say "to $ext_if" / "to egress" resolve the address at load time
# and go stale after an IP change until the ruleset is reloaded.
match out on $ext_if from $localnet nat-to ($ext_if)
# Scrub is disabled in this revision (see header)
#match in all scrub (no-df max-mss 1440)
#match out on $ext_if from $localnet nat-to ($ext_if) queue (q_def, q_pri)
#match out on $ext_if proto tcp to port { www https } queue (q_web, q_pri)
#match out on $ext_if proto { tcp udp } to port domain queue (q_dns, q_pri)
#match out on $ext_if proto icmp queue (q_dns, q_pri)
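################################################################################
## FILTER RULES
################################################################################
## ANCHORS
##########
# Rulesets inserted at runtime by ftp-proxy(8) and relayd(8)
anchor "ftp-proxy/*"
anchor "relayd/*"
# Protect against activity from spoofed/forged IP addresses
antispoof for $ext_if
antispoof for $int_if
# Initially block all traffic in any direction
block all
# Block traffic to/from nonroutable IP addresses
block out quick on $ext_if to <nonroutable> label "non-route-out"
block in quick on $ext_if from <nonroutable> label "non-route-in"
# Block any IP in the bruteforce table
block quick from <bruteforce> label "bruteforce"
# Pass legitimate SSH traffic to the web server, ban brute force attempts.
# "quick" and "on egress ... proto tcp" are essential: pf applies the LAST
# matching rule, and the "web-in" rule below also redirects port ssh (it is in
# $web_tcp) without any per-source limit, so without "quick" this rule never
# decided anything and the overload into <bruteforce> never fired. Restricting
# it to egress keeps LAN-side ssh to other hosts unaffected, and ($ext_if)
# tracks the public address at runtime.
pass in quick on egress inet proto tcp to ($ext_if) port ssh rdr-to $webserver \
    keep state (max-src-conn 10, max-src-conn-rate 5/3, \
    overload <bruteforce> flush global) label "ssh-web"
## NEW
# Redirect xbox live ports to the xbox (see the note on $xbox_in_udp about 53)
pass in on $ext_if inet proto udp from !($ext_if) \
    to ($ext_if) port $xbox_in_udp rdr-to $xbox360
# Pass in traffic for the xbox
pass in quick on $ext_if inet proto udp from !($ext_if) \
    to $xbox360 port $xbox_in_udp
pass in quick on $int_if inet proto udp from $xbox360 to any port $xbox_out_udp
pass in quick on $int_if inet proto tcp from $xbox360 to any port $xbox_out_tcp
pass out quick on $int_if inet proto udp from any to $xbox360 port $xbox_in_udp
# Allow traffic initiated from the local network (and from this host)
pass from { self, $localnet } label "net-out"
# Pass FTP traffic to the proxy
pass in quick on $trusted inet proto tcp to port ftp \
    divert-to 127.0.0.1 port 8021 label "ftp"
# Allow DNS and NTP from the LAN (tcp and udp). Limited to $int_if: without an
# interface this rule also matched inbound on $ext_if and so opened any
# resolver or ntpd running on this host (or reached through it) to the
# Internet.
pass quick on $int_if inet proto { tcp, udp } to port $udp_services label "udp-services"
# Allow specified ICMP traffic
#pass inet proto icmp icmp-type $icmp_types label "icmp"
# Passes every ICMP type in both directions. The narrower rule kept above
# (echoreq, unreach) is the safer default; re-enable it unless a specific type
# was found to be missing.
pass inet proto icmp from any to any
# Allow specified client services
pass inet proto tcp from <clients> to any port $client_out label "client-out"
# Pass web and mail traffic to those servers.
# ($ext_if) rather than $ext_if everywhere below: the public address is
# dynamic (see TRANSLATION), and an unparenthesized name is resolved once at
# load time, leaving the redirects pointing at a stale address after a change.
pass in on egress inet proto tcp to ($ext_if) port $web_tcp rdr-to $webserver \
    label "web-in"
pass in on egress inet proto udp to ($ext_if) port $web_udp rdr-to $webserver \
    label "web-in"
pass in on egress inet proto tcp to ($ext_if) port $mailports rdr-to $mailserver \
    label "mail-in"
pass proto tcp to $webserver port $web_tcp label "web-in"
pass proto udp to $webserver port $web_udp label "web-in"
pass log (to pflog1) proto tcp to $mailserver port $mailports label "mail-in"
# Pass client data to clients
pass in on $ext_if inet proto tcp to ($ext_if) port $jenn_tcp rdr-to $jenn
pass in on $ext_if inet proto udp to ($ext_if) port $jenn_udp rdr-to $jenn
pass proto tcp to $jenn port $jenn_tcp
pass proto udp to $jenn port $jenn_udp
pass in on $ext_if inet proto tcp to ($ext_if) port $walt_tcp rdr-to $walt
pass in on $ext_if inet proto udp to ($ext_if) port $walt_udp rdr-to $walt
pass proto tcp to $walt port $walt_tcp
pass proto udp to $walt port $walt_udp
# NAT reflection to redirect internal traffic to server properly
# ((egress) is parenthesized for the same reason as ($ext_if) above)
pass in log on $trusted inet proto tcp from $localnet to (egress) \
    port $web_tcp rdr-to $webserver label "nat-to-web"
pass in log on $trusted inet proto udp from $localnet to (egress) \
    port $web_udp rdr-to $webserver label "nat-to-web"
pass in log on $trusted inet proto tcp from $localnet to (egress) \
    port $mailports rdr-to $mailserver label "nat-to-mail"
match out log on $trusted proto tcp from $localnet to $webserver \
    port $web_tcp nat-to $int_if label "nat-to-web"
match out log on $trusted proto udp from $localnet to $webserver \
    port $web_udp nat-to $int_if label "nat-to-web"
match out log on $trusted proto tcp from $localnet to $mailserver \
    port $mailports nat-to $int_if label "nat-to-mail"
pass in on $trusted inet proto tcp from $localnet to (egress) \
    port $jenn_tcp rdr-to $jenn
pass in on $trusted inet proto udp from $localnet to (egress) \
    port $jenn_udp rdr-to $jenn
match out on $trusted proto tcp from $localnet to $jenn \
    port $jenn_tcp nat-to $int_if
match out on $trusted proto udp from $localnet to $jenn \
    port $jenn_udp nat-to $int_if
# Reflect client data back to clients
match in on $int_if inet proto tcp from $localnet to ($ext_if) \
    port $jenn_tcp rdr-to $jenn
match in on $int_if inet proto udp from $localnet to ($ext_if) \
    port $jenn_udp rdr-to $jenn
match out on $int_if proto tcp from $localnet to $jenn \
    port $jenn_tcp nat-to $int_if
match out on $int_if proto udp from $localnet to $jenn \
    port $jenn_udp nat-to $int_if
match in on $int_if inet proto tcp from $localnet to ($ext_if) \
    port $walt_tcp rdr-to $walt
match in on $int_if inet proto udp from $localnet to ($ext_if) \
    port $walt_udp rdr-to $walt
match out on $int_if proto tcp from $localnet to $walt \
    port $walt_tcp nat-to $int_if
match out on $int_if proto udp from $localnet to $walt \
    port $walt_udp nat-to $int_if
# Allow mail to be sent outside the local network
pass log (to pflog1) proto tcp from $mailserver to port smtp label "mail-out"
# Tag and pass wifi traffic.
# NOTE: "trusted" here is an interface-group name, not the $trusted macro;
# unless an interface group called trusted exists, both rules match nothing.
# Left unchanged because the intended spelling is not certain from the file.
pass in on trusted from $wifi tag wifigood label "wifi-in"
pass out on { egress, trusted } tagged wifigood label "wifi-out"
# Pass appropriate mail traffic to spamd.
# The original rule ended in "queue spamd"; with the QUEUEING section
# commented out no such queue exists and pf rejects a rule naming an undefined
# queue (pfctl reports DIOCADDRULE: Device busy), which takes the whole
# ruleset with it. Re-add the clause together with the altq definitions.
pass in log on egress proto tcp to port smtp rdr-to 127.0.0.1 port spamd
pass in log on egress proto tcp from <nospamd> to \
    port smtp rdr-to $mailserver label "spamd-in"
pass in log on egress proto tcp from <spamd-white> to \
    port smtp rdr-to $mailserver label "spamd-white"
pass out log on egress proto tcp to port spamd label "spamd-out"
## Anchors
##########
# Games (Xbox360, PC)
anchor "games"
anchor miniupnpd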