11.22.33.44 - Unitymedia WAN IP (interface em2; apparently a placeholder standing in for the real public address)
44.33.22.11 - NetCologne WAN IP (interface pppoe0; apparently a placeholder standing in for the real public address)
  3.  
  4. =================================================
  5.  
#System aliases
# Interface macros; $loopback, $UNITYMEDIA, $LAN and $NETCOLOGNE below expand
# to these interface names.

loopback = "{ lo0 }"
UNITYMEDIA = "{ em2 }"
LAN = "{ em1 }"
NETCOLOGNE = "{ pppoe0 }"
# NOTE(review): this macro expands to the bare word WANS (no leading $), which
# pf would treat as an interface name -- and no interface called WANS is
# defined anywhere in this file.  The two WAN interfaces are em2 and pppoe0
# (UNITYMEDIA / NETCOLOGNE); presumably that is what the macro was meant to
# hold -- confirm.  Nothing below references $WANS; the reflection rdr rules
# use the literal word WANS instead and so have the same problem.
WANS = "{ WANS }"
  13.  
#SSH Lockout Table
# Filled from outside this ruleset (presumably by the login-failure watchers
# for sshd and the webConfigurator -- not visible here); the "sshlockout" and
# "webConfiguratorlockout" block rules further down drop traffic from these
# hosts.  "persist" keeps the tables and their contents across ruleset reloads.
table <sshlockout> persist
table <webConfiguratorlockout> persist
#pfSnortSam tables
# Only <snort2c> is declared here.  The pfSnortSam block rules below also
# reference <pfSnortSamout> and <pfSnortSamin>, which are not declared in this
# file.
table <snort2c>

# Overload table for per-source connection-rate limits; the block rule
# labelled "virusprot overload table" drops everything from hosts in it.
table <virusprot>

# User Aliases
# Host aliases.  Each table has a same-named macro so rules can write $Server
# rather than <Server>.  <Workstations> is not referenced by any rule here.
table <Server> { 192.168.1.100 }
Server = "<Server>"
table <Torrents> { 192.168.1.110 }
Torrents = "<Torrents>"
table <Workstations> { 192.168.1.101 192.168.1.102 }
Workstations = "<Workstations>"
  29.  
# Gateways
# route-to snippets for policy routing.  None of these macros is referenced in
# this file (the pass-out rules spell out their route-to explicitly), and
# GWWANS lists only the em2 gateway, so it would not fail over to pppoe0 even
# if it were used.
GWUNITYMEDIA = " route-to ( em2 62.143.96.1 ) "
GWNETCOLOGNE = " route-to ( pppoe0 195.14.226.7 ) "
GWWANS = " route-to { ( em2 62.143.96.1 ) } "
  34.  
  35.  
# Global options: per-interface counters are kept for the LAN side only, and
# the state/source-node tables are capped at 47000 entries each.
set loginterface em1
set optimization normal
set limit states 47000
set limit src-nodes 47000

# pfsync traffic (state-table sync) bypasses filtering entirely.
set skip on pfsync0

# Normalise inbound packets on every interface before filtering: clear DF,
# randomise IP IDs and reassemble fragments so fragment-based evasion does not
# get past the rules.  Note this is "scrub in" only; outbound packets are not
# normalised.
scrub in on $UNITYMEDIA all no-df random-id fragment reassemble
scrub in on $LAN all no-df random-id fragment reassemble
scrub in on $NETCOLOGNE all no-df random-id fragment reassemble
  46.  
  47.  
# Anchors for NAT rules loaded separately (contents not visible here).
nat-anchor "natearly/*"
nat-anchor "natrules/*"


# Outbound NAT rules

# Subnets to NAT
# 127.0.0.0/8 is included so locally originated traffic is translated too --
# presumably for the reflection proxies on 127.0.0.1 (see the rdr rules);
# confirm.
tonatsubnets = "{ 192.168.1.0/24 127.0.0.0/8 }"
# ISAKMP (port 500) keeps its source port so IPsec peers see port 500; every
# other flow is translated to an ephemeral port (1024-65535) on the WAN address
# of the interface it leaves through.
nat on $UNITYMEDIA from $tonatsubnets port 500 to any port 500 -> 11.22.33.44/32 port 500
nat on $UNITYMEDIA from $tonatsubnets to any -> 11.22.33.44/32 port 1024:65535

nat on $NETCOLOGNE from $tonatsubnets port 500 to any port 500 -> 44.33.22.11/32 port 500
nat on $NETCOLOGNE from $tonatsubnets to any -> 44.33.22.11/32 port 1024:65535
  61.  
  62.  
# Load balancing anchor
rdr-anchor "relayd/*"
# TFTP proxy
rdr-anchor "tftp-proxy/*"
# Not referenced by any rule in this file.
table <direct_networks> { 62.143.96.0/21 192.168.1.0/24 44.33.22.11/32 }
# NAT Inbound Redirects
# Port forwards.  rdr runs before filtering, so the matching pass rules in the
# user section must match the *translated* destination ($Server / $Torrents and
# the internal port), which they do.  All forwards exist only on em2
# (Unitymedia); nothing is forwarded via pppoe0.
#
# Each forward is paired with a "reflection" rule so the same WAN address and
# port also work from the inside: the connection is redirected to a local
# proxy on 127.0.0.1:190xx (one port per forward) and tagged PFREFLECT, which
# the "NAT REFLECT" pass rule matches.
#
# NOTE(review): "{ em1 WANS }" lists the bare word WANS as an interface.  No
# interface of that name exists (the WAN interfaces are em2 and pppoe0), so
# the reflection rules are effective on em1 only -- confirm what WANS was
# meant to be.
rdr on em2 proto tcp from any to 11.22.33.44 port 80 -> $Server
# Reflection redirects
rdr on { em1 WANS } proto tcp from any to 11.22.33.44 port 80 tag PFREFLECT -> 127.0.0.1 port 19000

rdr on em2 proto tcp from any to 11.22.33.44 port 443 -> $Server
# Reflection redirects
rdr on { em1 WANS } proto tcp from any to 11.22.33.44 port 443 tag PFREFLECT -> 127.0.0.1 port 19001

# External 12345 -> internal 22.  The non-default port keeps naive scanners
# away but is not access control: the pass rule accepts any source.
rdr on em2 proto tcp from any to 11.22.33.44 port 12345 -> $Server port 22
# Reflection redirects
rdr on { em1 WANS } proto tcp from any to 11.22.33.44 port 12345 tag PFREFLECT -> 127.0.0.1 port 19002

rdr on em2 proto { tcp udp } from any to 11.22.33.44 port 50498 -> $Torrents
# Reflection redirects
rdr on { em1 WANS } proto { tcp udp } from any to 11.22.33.44 port 50498 tag PFREFLECT -> 127.0.0.1 port 19003

rdr on em2 proto { tcp udp } from any to 11.22.33.44 port 64738 -> $Server
# Reflection redirects
rdr on { em1 WANS } proto { tcp udp } from any to 11.22.33.44 port 64738 tag PFREFLECT -> 127.0.0.1 port 19004

rdr on em2 proto udp from any to 11.22.33.44 port 9987 -> $Server
# Reflection redirects
rdr on { em1 WANS } proto udp from any to 11.22.33.44 port 9987 tag PFREFLECT -> 127.0.0.1 port 19005

# NOTE(review): 10011/tcp is conventionally TeamSpeak 3's ServerQuery (admin
# query) port, not an avatar port -- avatars are fetched over the file-transfer
# port (30033 below).  If ServerQuery is not needed from the Internet, drop
# this forward or restrict its source in the pass rule.
rdr on em2 proto tcp from any to 11.22.33.44 port 10011 -> $Server
# Reflection redirects
rdr on { em1 WANS } proto tcp from any to 11.22.33.44 port 10011 tag PFREFLECT -> 127.0.0.1 port 19006

rdr on em2 proto tcp from any to 11.22.33.44 port 30033 -> $Server
# Reflection redirects
rdr on { em1 WANS } proto tcp from any to 11.22.33.44 port 30033 tag PFREFLECT -> 127.0.0.1 port 19007

# Port range 2234-2239 is mapped one-to-one onto proxy ports 19008-19013.
rdr on em2 proto tcp from any to 11.22.33.44 port 2234:2239 -> $Server
# Reflection redirects
rdr on { em1 WANS } proto tcp from any to 11.22.33.44 port 2234:2239 tag PFREFLECT -> 127.0.0.1 port 19008:19013

# UPnPd rdr anchor
# If the UPnP daemon is running, LAN hosts can open inbound forwards here on
# their own, outside the review of the static rules above.
rdr-anchor "miniupnpd"
  107.  
anchor "relayd/*"
#---------------------------------------------------------------------------
# default deny rules
#---------------------------------------------------------------------------
# pf is last-match unless a rule says "quick": these two are the fallback for
# anything no later rule passes, and everything they drop is logged.
block in log all label "Default deny rule"
block out log all label "Default deny rule"

# We use the mighty pf, we cannot be fooled.
# Port 0 is never legitimate; drop it in both directions before anything else
# (not logged).
block quick proto { tcp, udp } from any port = 0 to any
block quick proto { tcp, udp } from any to any port = 0

# Block all IPv6
# No rule in this file passes IPv6 anywhere.
block in quick inet6 all
block out quick inet6 all

# pfSnortSam
# Hosts listed by the IDS are dropped in both directions.  <snort2c> is
# declared in the tables section above; <pfSnortSamout> and <pfSnortSamin> are
# not declared anywhere in this file.
block quick from <snort2c> to any label "Block snort2c hosts"
block quick from any to <snort2c> label "Block snort2c hosts"
block quick from <pfSnortSamout> to any label "Block pfSnortSamOut hosts"
block quick from any to <pfSnortSamin> label "Block pfSnortSamIn hosts"
  128.  
# SSH lockout
# Evaluated after rdr, so a locked-out host is also kept away from the
# forwarded SSH on $Server (external 12345 -> internal 22), not only from the
# firewall itself.
block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"

# webConfigurator lockout
# Only port 80 is listed, i.e. the webConfigurator is served over plain HTTP
# (see also the anti-lockout rule further down).
block in log quick proto tcp from <webConfiguratorlockout> to any port 80 label "webConfiguratorlockout"
# Hosts that tripped a connection-rate limit (overload <virusprot>) are blocked
# from everything until they are removed from the table.
block in quick from <virusprot> to any label "virusprot overload table"
# The bogon list is loaded from disk; it only protects if /etc/bogons is kept
# current.
table <bogons> persist file "/etc/bogons"
# block bogon networks
# http://www.cymru.com/Documents/bogon-bn-nonagg.txt
block in log quick on $UNITYMEDIA from <bogons> to any label "block bogon networks from UNITYMEDIA"
# Drop packets arriving on em2 that claim a source address inside em2's own
# network.
antispoof for em2
# allow our DHCP client out to the UNITYMEDIA
pass in on $UNITYMEDIA proto udp from any port = 67 to any port = 68 label "allow dhcp client out UNITYMEDIA"
pass out on $UNITYMEDIA proto udp from any port = 68 to any port = 67 label "allow dhcp client out UNITYMEDIA"
# Not installing DHCP server firewall rules for UNITYMEDIA which is configured for DHCP.
antispoof for em1
# allow access to DHCP server on LAN
pass in on $LAN proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
pass in on $LAN proto udp from any port = 68 to 192.168.1.1 port = 67 label "allow access to DHCP server"
pass out on $LAN proto udp from 192.168.1.1 port = 67 to any port = 68 label "allow access to DHCP server"
# block bogon networks
# http://www.cymru.com/Documents/bogon-bn-nonagg.txt
block in log quick on $NETCOLOGNE from <bogons> to any label "block bogon networks from NETCOLOGNE"
antispoof for pppoe0
# block anything from private networks on interfaces with the option set
# NOTE(review): the RFC 1918 / loopback source blocks below exist only for
# NETCOLOGNE.  UNITYMEDIA (em2) has no equivalent, so a packet arriving on em2
# with a 10/8, 172.16/12 or 192.168/16 source is not dropped by these rules
# and can reach the port forwards (antispoof for em2 covers only em2's own
# subnet, and /etc/bogons may or may not contain the private ranges).  Enable
# the same option on that interface unless the asymmetry is intentional.
# (The second antispoof line below duplicates "antispoof for pppoe0" above --
# harmless.)
antispoof for $NETCOLOGNE
block in log quick on $NETCOLOGNE from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
block in log quick on $NETCOLOGNE from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
block in log quick on $NETCOLOGNE from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
block in log quick on $NETCOLOGNE from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
  159.  
# loopback
pass in on $loopback all label "pass loopback"
pass out on $loopback all label "pass loopback"
# let out anything from the firewall host itself and decrypted IPsec traffic
# Despite the label this is "pass out all": forwarded LAN traffic leaves
# through it as well, not just locally generated packets.  allow-opts lets
# packets carrying IP options through (pf drops them by default).  The two
# route-to variants pin traffic sourced from each WAN address to that WAN's
# gateway regardless of the default route.
pass out all keep state allow-opts label "let out anything from firewall host itself"
pass out route-to ( em2 62.143.96.1 ) from 11.22.33.44 to !62.143.96.0/21 keep state allow-opts label "let out anything from firewall host itself"
pass out route-to ( pppoe0 195.14.226.7 ) from 44.33.22.11 to !44.33.22.11/32 keep state allow-opts label "let out anything from firewall host itself"
# make sure the user cannot lock himself out of the webConfigurator or SSH
# NOTE(review): only port 80 (plain HTTP) is protected here, so the
# webConfigurator and its admin login are reachable in clear text from every
# LAN host.  Serving the GUI over HTTPS (this rule would then list 443) keeps
# admin credentials off the wire.  No SSH port is listed, so SSH to the
# firewall is not covered by this rule despite the comment.
pass in quick on em1 proto tcp from any to (em1) port { 80 } keep state label "anti-lockout rule"
# NAT Reflection rules
# Lets the PFREFLECT-tagged (reflected) connections reach the 127.0.0.1:190xx
# proxies set up by the reflection rdr rules.
pass in inet tagged PFREFLECT keep state label "NAT REFLECT: Allow traffic to localhost"
  171.  
  172. # User-defined rules follow
  173.  
  174. anchor "userrules/*"
  175. pass in quick on $UNITYMEDIA reply-to ( em2 62.143.96.1 ) proto tcp from any to $Server port 80 label "USER_RULE: NAT HTTP"
  176. pass in quick on $UNITYMEDIA reply-to ( em2 62.143.96.1 ) proto tcp from any to $Server port 443 label "USER_RULE: NAT HTTPS"
  177. pass in quick on $UNITYMEDIA reply-to ( em2 62.143.96.1 ) proto tcp from any to $Server port 22 label "USER_RULE: NAT SSH"
  178. pass in quick on $UNITYMEDIA reply-to ( em2 62.143.96.1 ) proto { tcp udp } from any to $Server port 64738 label "USER_RULE: NAT Mumble"
  179. pass in quick on $UNITYMEDIA reply-to ( em2 62.143.96.1 ) proto udp from any to $Server port 9987 label "USER_RULE: NAT TS3 Voice"
  180. pass in quick on $UNITYMEDIA reply-to ( em2 62.143.96.1 ) proto tcp from any to $Server port 10011 label "USER_RULE: NAT TS3 Avatars"
  181. pass in quick on $UNITYMEDIA reply-to ( em2 62.143.96.1 ) proto tcp from any to $Server port 30033 label "USER_RULE: NAT TS3 Files"
  182. pass in quick on $UNITYMEDIA reply-to ( em2 62.143.96.1 ) proto tcp from any to $Server port 2233 >< 2240 label "USER_RULE: NAT Nicotine"
  183. pass in quick on $UNITYMEDIA reply-to ( em2 62.143.96.1 ) proto { tcp udp } from any to $Torrents port 50498 label "USER_RULE: NAT Torrents"
  184. pass in quick on $LAN from 192.168.1.0/24 to any keep state label "USER_RULE: Default allow LAN to any rule"
  185.  
  186. # VPN Rules
  187. anchor "tftp-proxy/*"