  1. # pf.conf
  2. #
  3. # This provides advanced firewalling for a small, NAT'd network. A mail and web
  4. # server exist and are available to the public and to local clients via NAT
  5. # reflection. SSH is forwarded to the web server and brute force attempts are
  6. # blocked and those IPs are banned from making any further connections to this
  7. # network. Mail spam is blocked with spamd and spamlogd. ALTQ is used with the
  8. # hierarchical fair service curve algorithm for traffic shaping. Labels are
  9. # assigned to most rules to allow for easier tracking of rule data and
  10. # statistics. Some of the global settings for pf are introduced for tweaking.
  11. # Traffic sanitization is meant to come from scrub and antispoof rules; note that the scrub match rule is currently commented out in the TRANSLATION section, so only antispoof is active.
  12. #
  13. # NOTE: In order for SPAMD to work, add the following lines to
  14. # /etc/rc.conf.local:
  15. # spamd_flags="-v -G 2:4:864"
  16. # spamlogd_flags="-l pflog1"
  17. # And create a pflog1 interface like so:
  18. # # ifconfig pflog1 create
  19. #
  20. # NOTE: See the spamd.conf file for the spamd configuration.
  21. #
  22. # NOTE: To clean the bruteforce table of entries over 24 hours old, use:
  23. # # pfctl -t bruteforce -T expire 86400
  24. # Run that from root's crontab (e.g. hourly) so bans expire automatically; otherwise the table only ever grows.
  25. #
  26. # NOTE: See the relayd.conf file for the relayd configuration.
  27. #
  28. # NOTE: In order for FTP services to work, add the following line to
  29. # /etc/rc.conf.local:
  30. # ftpproxy_flags=""
  31. #
  32. ################################################################################
  33.  
  34. ################################################################################
  35. ## MACROS
  36. ################################################################################
  37.  
  38. ## INTERFACES
  39. #############
  40. ext_if = "re0" # public facing NIC
  41. int_if = "em0" # LAN side NIC
  42. trusted = "{ em0 }"
  43.  
  44. ## BANDWIDTH
  45. ############
  46. # Upload speed
  47. ext_bw = "5Mb"
  48.  
  49.  
  50. ## NETWORKS AND MACHINES
  51. ########################
  52. localnet = $int_if:network
  53. proxy = "127.0.0.1"
  54. webserver = "192.168.13.241"
  55. mailserver = "192.168.13.240"
  56. wifi = "{ 192.168.13.2 }"
  57. walt = "192.168.13.50"
  58. jenn = "192.168.13.150"
  59.  
  60. ## NEW
  61. xbox360 = "192.168.13.120"
  62.  
  63. ## PORTS AND SERVICES
  64. #####################
  65. udp_services = "{ domain, ntp }"
  66. icmp_types = "{ echoreq, unreach }"
  67. client_out = "{ ssh, domain, http, https }"
  68. web_tcp = "{ http, https, ssh, 64738, 9987, 3784 }"
  69. web_udp = "{ http, https, ssh, 64738, 9987, 3784 }"
  70. mailports = "{ smtp, pop3, pop3s, imap, imap3, imaps }"
  71. walt_tcp = "{ 4549 }"
  72. walt_udp = "{ 4175, 4179, 4171, 55888 }"
  73. jenn_tcp = "{ 1000 }"
  74. jenn_udp = "{ 7777:7779, 27900:28900, 55889 }"
  75. games_tcp = "{ 999 }"
  76. games_udp = "{ 999 }"
  77.  
  78. ## NEW
  79. xbox_out_udp = "{ 53, 88, 3074 }"
  80. xbox_out_tcp = "{ 53, 80, 3074 }"
  81. xbox_in_udp = "{ 53, 88, 3074 }"
  82.  
  83. ## TABLES
  84. #########
  85. table <clients> persist { 192.168.13.0/24 }
  86. table <nonroutable> persist { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
  87. 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
  88. 0.0.0.0/8, 240.0.0.0/4 }
  89. table <bruteforce> persist
  90. table <spamd-white> persist
  91. table <nospamd> persist file "/etc/mail/nospamd"
  92.  
  93. ################################################################################
  94. ## OPTIONS
  95. ################################################################################
  96. # Return status codes to hosts which initiate blocked traffic
  97. #set block-policy return
  98. # Skip processing on the loopback interface group
  99. set skip on lo
  100. # Set global connection limits unless otherwise specified
  101. #set state-defaults max 1500, max-src-conn 100, source-track rule
  102. # Raise the debug level one above the default
  103. set debug warn
  104. # Perform basic ruleset optimization
  105. set ruleset-optimization basic
  106.  
  107.  
################################################################################
## QUEUEING
################################################################################
# ALTQ/HFSC traffic shaping is currently DISABLED: every definition below is
# commented out.
# NOTE(review): while these queues are not defined, no filter rule may carry a
# "queue ..." option (the spamd redirect below still says "queue spamd"), or
# pfctl refuses to load the ruleset because the queue does not exist. Re-enable
# this block together with the "queue (...)" match rules in TRANSLATION.
#altq on $ext_if bandwidth $ext_bw hfsc queue { main, spamd }
#queue main bandwidth 99% priority 7 qlimit 100 hfsc \
#(realtime 20%, linkshare 99%) { q_pri, q_def, q_web, q_dns }
#queue q_pri bandwidth 3% priority 7 hfsc \
#(realtime 0, linkshare 3% red)
#queue q_def bandwidth 47% priority 1 hfsc \
#(default realtime 30% linkshare 47% red)
#queue q_web bandwidth 47% priority 1 hfsc \
#(realtime 30% linkshare 47% red)
#queue q_dns bandwidth 3% priority 7 qlimit 100 hfsc \
#(realtime (30Kb 3000 12Kb), linkshare 3%)
#queue spamd bandwidth 0% priority 0 qlimit 300 hfsc \
#(realtime 0, upperlimit 1%, linkshare 1%)
  124.  
  125.  
  126. ################################################################################
  127. ## TRANSLATION
  128. ################################################################################
  129. ## NEW
  130. match out on $ext_if from $xbox360 to any received-on $int_if nat-to ($ext_if:0) static-port
  131. #match out on $ext_if from !$xbox360 nat-to ($ext_if:0)
  132.  
  133. # ($ext_if) accounts for the public IP changing dynamically
  134. match out on $ext_if from $localnet nat-to ($ext_if)
  135.  
  136.  
  137. #match in all scrub (no-df max-mss 1440)
  138. #match out on $ext_if from $localnet nat-to ($ext_if) queue (q_def, q_pri)
  139. #match out on $ext_if proto tcp to port { www https } queue (q_web, q_pri)
  140. #match out on $ext_if proto { tcp udp } to port domain queue (q_dns, q_pri)
  141. #match out on $ext_if proto icmp queue (q_dns, q_pri)
  142.  
  143.  
  144. ################################################################################
  145. ## FILTER RULES
  146. ################################################################################
  147.  
  148. ## ANCHORS
  149. ##########
  150. anchor "ftp-proxy/*"
  151. anchor "relayd/*"
  152.  
  153. # Protect against activity from spoofed/forged IP addresses
  154. antispoof for $ext_if
  155. antispoof for $int_if
  156.  
  157. # Initially block all traffic in any direction
  158. block all
  159.  
  160. # Block traffic to/from nonroutable IP addresses
  161. block out quick on $ext_if to <nonroutable> label "non-route-out"
  162. block in quick on $ext_if from <nonroutable> label "non-route-in"
  163.  
  164. # Block any IP in the bruteforce table
  165. block quick from <bruteforce> label "bruteforce"
  166.  
  167. # Pass legitimate SSH traffic to the web server, ban brute force attempts
  168. pass in proto { tcp, udp } to port ssh rdr-to $webserver \
  169. keep state (max-src-conn 10, max-src-conn-rate 5/3, \
  170. overload <bruteforce> flush global) label "ssh-web"
  171.  
  172. ## NEW
  173. # Redirect xbox live ports to the xbox
  174. pass in on $ext_if inet proto udp from !($ext_if) \
  175. to ($ext_if) port $xbox_in_udp rdr-to $xbox360
  176.  
  177.  
  178. # Pass in traffic for the xbox
  179. pass in quick on $ext_if inet proto udp from !($ext_if) \
  180. to $xbox360 port $xbox_in_udp
  181. pass in quick on $int_if inet proto udp from $xbox360 to any port $xbox_out_udp
  182. pass in quick on $int_if inet proto tcp from $xbox360 to any port $xbox_out_tcp
  183. pass out quick on $int_if inet proto udp from any to $xbox360 port $xbox_in_udp
  184.  
  185.  
  186. # Allow traffic initiated from the local network
  187. pass from { self, $localnet } label "net-out"
  188.  
  189. # Pass FTP traffic to the proxy
  190. pass in quick on $trusted inet proto tcp to port ftp \
  191. divert-to 127.0.0.1 port 8021 label "ftp"
  192.  
  193. # Allow certain services
  194. pass quick inet proto { tcp, udp } to port $udp_services label "udp-services"
  195.  
  196. # Allow specified ICMP traffic
  197. #pass inet proto icmp icmp-type $icmp_types label "icmp"
  198. pass inet proto icmp from any to any
  199.  
  200. # Allow specified client services
  201. pass inet proto tcp from <clients> to any port $client_out label "client-out"
  202.  
  203. # Pass web and mail traffic to those servers
  204. pass in on egress inet proto tcp to $ext_if port $web_tcp rdr-to $webserver \
  205. label "web-in"
  206. pass in on egress inet proto udp to $ext_if port $web_udp rdr-to $webserver \
  207. label "web-in"
  208. pass in on egress inet proto tcp to $ext_if port $mailports rdr-to $mailserver \
  209. label "mail-in"
  210. pass proto tcp to $webserver port $web_tcp label "web-in"
  211. pass proto udp to $webserver port $web_udp label "web-in"
  212. pass log (to pflog1) proto tcp to $mailserver port $mailports label "mail-in"
  213.  
  214. # Pass client data to clients
  215. pass in on $ext_if inet proto tcp to $ext_if port $jenn_tcp rdr-to $jenn
  216. pass in on $ext_if inet proto udp to $ext_if port $jenn_udp rdr-to $jenn
  217. pass proto tcp to $jenn port $jenn_tcp
  218. pass proto udp to $jenn port $jenn_udp
  219.  
  220. pass in on $ext_if inet proto tcp to $ext_if port $walt_tcp rdr-to $walt
  221. pass in on $ext_if inet proto udp to $ext_if port $walt_udp rdr-to $walt
  222. pass proto tcp to $walt port $walt_tcp
  223. pass proto udp to $walt port $walt_udp
  224.  
  225. # NAT reflection to redirect internal traffic to server properly
  226. pass in log on $trusted inet proto tcp from $localnet to egress \
  227. port $web_tcp rdr-to $webserver label "nat-to-web"
  228. pass in log on $trusted inet proto udp from $localnet to egress \
  229. port $web_udp rdr-to $webserver label "nat-to-web"
  230. pass in log on $trusted inet proto tcp from $localnet to egress \
  231. port $mailports rdr-to $mailserver label "nat-to-mail"
  232.  
  233. match out log on $trusted proto tcp from $localnet to $webserver \
  234. port $web_tcp nat-to $int_if label "nat-to-web"
  235. match out log on $trusted proto udp from $localnet to $webserver \
  236. port $web_udp nat-to $int_if label "nat-to-web"
  237. match out log on $trusted proto tcp from $localnet to $mailserver \
  238. port $mailports nat-to $int_if label "nat-to-mail"
  239.  
  240. pass in on $trusted inet proto tcp from $localnet to egress \
  241. port $jenn_tcp rdr-to $jenn
  242. pass in on $trusted inet proto udp from $localnet to egress \
  243. port $jenn_udp rdr-to $jenn
  244. match out on $trusted proto tcp from $localnet to $jenn \
  245. port $jenn_tcp nat-to $int_if
  246. match out on $trusted proto udp from $localnet to $jenn \
  247. port $jenn_udp nat-to $int_if
  248.  
  249.  
  250. # Reflect client data back to clients
  251. match in on $int_if inet proto tcp from $localnet to $ext_if \
  252. port $jenn_tcp rdr-to $jenn
  253. match in on $int_if inet proto udp from $localnet to $ext_if \
  254. port $jenn_udp rdr-to $jenn
  255. match out on $int_if proto tcp from $localnet to $jenn \
  256. port $jenn_tcp nat-to $int_if
  257. match out on $int_if proto udp from $localnet to $jenn \
  258. port $jenn_udp nat-to $int_if
  259.  
  260. match in on $int_if inet proto tcp from $localnet to $ext_if \
  261. port $walt_tcp rdr-to $walt
  262. match in on $int_if inet proto udp from $localnet to $ext_if \
  263. port $walt_udp rdr-to $walt
  264. match out on $int_if proto tcp from $localnet to $walt \
  265. port $walt_tcp nat-to $int_if
  266. match out on $int_if proto udp from $localnet to $walt \
  267. port $walt_udp nat-to $int_if
  268.  
  269.  
  270. # Allow mail to be sent outside the local network
  271. pass log (to pflog1) proto tcp from $mailserver to port smtp label "mail-out"
  272.  
  273. # Tag and pass wifi traffic
  274. pass in on trusted from $wifi tag wifigood label "wifi-in"
  275. pass out on { egress, trusted } tagged wifigood label "wifi-out"
  276.  
  277. # Pass appropriate mail traffic to spamd
  278. pass in log on egress proto tcp to port smtp rdr-to 127.0.0.1 port spamd \
  279. queue spamd
  280. pass in log on egress proto tcp from <nospamd> to \
  281. port smtp rdr-to $mailserver label "spamd-in"
  282. pass in log on egress proto tcp from <spamd-white> to \
  283. port smtp rdr-to $mailserver label "spamd-white"
  284. pass out log on egress proto tcp to port spamd label "spamd-out"
  285.  
  286. ## Anchors
  287. ##########
  288.  
  289. # Games (Xbox360, PC)
  290. anchor "games"
  291. anchor miniupnpd