- # Packet-filter (pf) ruleset. The lockout tables, "USER_RULE:" labels, the
- # PFREFLECT tag and the anti-lockout rule suggest it was generated by pfSense
- # (confirm). Rule order matters: pf evaluates "last matching rule wins" unless
- # a rule carries "quick", so the block/quick rules near the top take effect
- # before any later pass rule.
- # NOTE(review): the two WAN addresses below look like sanitised placeholders,
- # while the gateway and subnet values further down do not -- verify the
- # redaction is complete before publishing this file.
- 11.22.33.44 Unitymedia WAN IP
- 44.33.22.11 NetCologne WAN IP
- =================================================
- #System aliases
- loopback = "{ lo0 }"
- UNITYMEDIA = "{ em2 }"
- LAN = "{ em1 }"
- NETCOLOGNE = "{ pppoe0 }"
- # NOTE(review): this macro expands to the bare token WANS, not to em2/pppoe0;
- # the reflection rdr rules below use "{ em1 WANS }" directly, so WANS is
- # presumably an interface group -- confirm it exists on the host.
- WANS = "{ WANS }"
- #SSH Lockout Table
- # Populated at runtime (persist keeps the tables across ruleset reloads);
- # the block rules further down consume them.
- table <sshlockout> persist
- table <webConfiguratorlockout> persist
- #pfSnortSam tables
- # <virusprot> is referenced by a block rule below, but no rule in this file
- # carries an "overload <virusprot>" option, so nothing here feeds it.
- table <snort2c>
- table <virusprot>
- # User Aliases
- # Each alias is a table plus a macro that references it, so later rules can
- # write $Server instead of <Server>.
- table <Server> { 192.168.1.100 }
- Server = "<Server>"
- table <Torrents> { 192.168.1.110 }
- Torrents = "<Torrents>"
- table <Workstations> { 192.168.1.101 192.168.1.102 }
- Workstations = "<Workstations>"
- # Gateways
- # None of the three gateway macros is referenced by a rule in this file; the
- # "pass out" rules below spell out their route-to targets directly.
- GWUNITYMEDIA = " route-to ( em2 62.143.96.1 ) "
- GWNETCOLOGNE = " route-to ( pppoe0 195.14.226.7 ) "
- # NOTE(review): the WANS gateway group lists only the em2 gateway, so it
- # would not fail over to pppoe0 -- confirm that is intended.
- GWWANS = " route-to { ( em2 62.143.96.1 ) } "
- set loginterface em1
- set optimization normal
- set limit states 47000
- set limit src-nodes 47000
- set skip on pfsync0
- # Normalise inbound packets on every interface; fragments are reassembled
- # before any filter rule sees them.
- scrub in on $UNITYMEDIA all no-df random-id fragment reassemble
- scrub in on $LAN all no-df random-id fragment reassemble
- scrub in on $NETCOLOGNE all no-df random-id fragment reassemble
- nat-anchor "natearly/*"
- nat-anchor "natrules/*"
- # Outbound NAT rules
- # Subnets to NAT
- tonatsubnets = "{ 192.168.1.0/24 127.0.0.0/8 }"
- # Per WAN: traffic with source/destination port 500 (presumably IKE) keeps
- # its port; everything else is rewritten to a high ephemeral port.
- nat on $UNITYMEDIA from $tonatsubnets port 500 to any port 500 -> 11.22.33.44/32 port 500
- nat on $UNITYMEDIA from $tonatsubnets to any -> 11.22.33.44/32 port 1024:65535
- nat on $NETCOLOGNE from $tonatsubnets port 500 to any port 500 -> 44.33.22.11/32 port 500
- nat on $NETCOLOGNE from $tonatsubnets to any -> 44.33.22.11/32 port 1024:65535
- # Load balancing anchor
- rdr-anchor "relayd/*"
- # TFTP proxy
- rdr-anchor "tftp-proxy/*"
- # Declared here but not referenced by any rule in this file.
- table <direct_networks> { 62.143.96.0/21 192.168.1.0/24 44.33.22.11/32 }
- # NAT Inbound Redirects
- # All port forwards are bound to em2 / 11.22.33.44 only; nothing is forwarded
- # on the NetCologne address. Each forward is paired with a "reflection"
- # rdr that sends LAN-side connections to the public address to a local
- # proxy on 127.0.0.1 (ports 19000 and up) and tags them PFREFLECT, which the
- # filter section passes explicitly.
- rdr on em2 proto tcp from any to 11.22.33.44 port 80 -> $Server
- # Reflection redirects
- rdr on { em1 WANS } proto tcp from any to 11.22.33.44 port 80 tag PFREFLECT -> 127.0.0.1 port 19000
- rdr on em2 proto tcp from any to 11.22.33.44 port 443 -> $Server
- # Reflection redirects
- rdr on { em1 WANS } proto tcp from any to 11.22.33.44 port 443 tag PFREFLECT -> 127.0.0.1 port 19001
- # External 12345 -> internal 22. A non-standard port does not reduce
- # exposure: the matching pass rule below accepts it from any source with no
- # rate limit. A "max-src-conn-rate ... overload <virusprot> flush" option on
- # that pass rule would give the <virusprot> block something to act on.
- rdr on em2 proto tcp from any to 11.22.33.44 port 12345 -> $Server port 22
- # Reflection redirects
- rdr on { em1 WANS } proto tcp from any to 11.22.33.44 port 12345 tag PFREFLECT -> 127.0.0.1 port 19002
- rdr on em2 proto { tcp udp } from any to 11.22.33.44 port 50498 -> $Torrents
- # Reflection redirects
- rdr on { em1 WANS } proto { tcp udp } from any to 11.22.33.44 port 50498 tag PFREFLECT -> 127.0.0.1 port 19003
- rdr on em2 proto { tcp udp } from any to 11.22.33.44 port 64738 -> $Server
- # Reflection redirects
- rdr on { em1 WANS } proto { tcp udp } from any to 11.22.33.44 port 64738 tag PFREFLECT -> 127.0.0.1 port 19004
- rdr on em2 proto udp from any to 11.22.33.44 port 9987 -> $Server
- # Reflection redirects
- rdr on { em1 WANS } proto udp from any to 11.22.33.44 port 9987 tag PFREFLECT -> 127.0.0.1 port 19005
- rdr on em2 proto tcp from any to 11.22.33.44 port 10011 -> $Server
- # Reflection redirects
- rdr on { em1 WANS } proto tcp from any to 11.22.33.44 port 10011 tag PFREFLECT -> 127.0.0.1 port 19006
- rdr on em2 proto tcp from any to 11.22.33.44 port 30033 -> $Server
- # Reflection redirects
- rdr on { em1 WANS } proto tcp from any to 11.22.33.44 port 30033 tag PFREFLECT -> 127.0.0.1 port 19007
- # Port range forward; the reflection proxy range 19008:19013 is the same size.
- rdr on em2 proto tcp from any to 11.22.33.44 port 2234:2239 -> $Server
- # Reflection redirects
- rdr on { em1 WANS } proto tcp from any to 11.22.33.44 port 2234:2239 tag PFREFLECT -> 127.0.0.1 port 19008:19013
- # UPnPd rdr anchor
- # Anything loaded into this anchor at runtime can add forwards that are not
- # visible in this file.
- rdr-anchor "miniupnpd"
- anchor "relayd/*"
- #---------------------------------------------------------------------------
- # default deny rules
- #---------------------------------------------------------------------------
- # Not "quick": later pass rules override these for matching traffic, and
- # everything not matched later is logged and dropped.
- block in log all label "Default deny rule"
- block out log all label "Default deny rule"
- # We use the mighty pf, we cannot be fooled.
- block quick proto { tcp, udp } from any port = 0 to any
- block quick proto { tcp, udp } from any to any port = 0
- # Block all IPv6
- block in quick inet6 all
- block out quick inet6 all
- # pfSnortSam
- # NOTE(review): <pfSnortSamout> and <pfSnortSamin> are referenced here but not
- # declared above (only <snort2c> and <virusprot> are); presumably created
- # elsewhere or implicitly -- confirm they exist after load.
- block quick from <snort2c> to any label "Block snort2c hosts"
- block quick from any to <snort2c> label "Block snort2c hosts"
- block quick from <pfSnortSamout> to any label "Block pfSnortSamOut hosts"
- block quick from any to <pfSnortSamin> label "Block pfSnortSamIn hosts"
- # SSH lockout
- block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"
- # webConfigurator lockout
- # NOTE(review): the lockout and the anti-lockout rule below both key on port
- # 80 only, which suggests the web GUI is served over plain HTTP; GUI
- # credentials would then cross the LAN unencrypted -- confirm, and prefer
- # HTTPS if so.
- block in log quick proto tcp from <webConfiguratorlockout> to any port 80 label "webConfiguratorlockout"
- block in quick from <virusprot> to any label "virusprot overload table"
- table <bogons> persist file "/etc/bogons"
- # block bogon networks
- # http://www.cymru.com/Documents/bogon-bn-nonagg.txt
- block in log quick on $UNITYMEDIA from <bogons> to any label "block bogon networks from UNITYMEDIA"
- # NOTE(review): unlike NETCOLOGNE below, UNITYMEDIA gets no explicit block for
- # RFC 1918 / loopback source ranges; antispoof only covers em2's own
- # networks. Confirm whether that asymmetry is intended.
- antispoof for em2
- # allow our DHCP client out to the UNITYMEDIA
- pass in on $UNITYMEDIA proto udp from any port = 67 to any port = 68 label "allow dhcp client out UNITYMEDIA"
- pass out on $UNITYMEDIA proto udp from any port = 68 to any port = 67 label "allow dhcp client out UNITYMEDIA"
- # Not installing DHCP server firewall rules for UNITYMEDIA which is configured for DHCP.
- antispoof for em1
- # allow access to DHCP server on LAN
- pass in on $LAN proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
- pass in on $LAN proto udp from any port = 68 to 192.168.1.1 port = 67 label "allow access to DHCP server"
- pass out on $LAN proto udp from 192.168.1.1 port = 67 to any port = 68 label "allow access to DHCP server"
- # block bogon networks
- # http://www.cymru.com/Documents/bogon-bn-nonagg.txt
- block in log quick on $NETCOLOGNE from <bogons> to any label "block bogon networks from NETCOLOGNE"
- antispoof for pppoe0
- # block anything from private networks on interfaces with the option set
- # Duplicate of the antispoof line just above ($NETCOLOGNE expands to
- # pppoe0); harmless.
- antispoof for $NETCOLOGNE
- block in log quick on $NETCOLOGNE from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
- block in log quick on $NETCOLOGNE from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
- block in log quick on $NETCOLOGNE from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
- block in log quick on $NETCOLOGNE from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
- # loopback
- pass in on $loopback all label "pass loopback"
- pass out on $loopback all label "pass loopback"
- # let out anything from the firewall host itself and decrypted IPsec traffic
- # Unrestricted egress for the firewall itself (and for forwarded traffic,
- # since this rule has no interface or source restriction); the two
- # route-to rules pin traffic sourced from each WAN address to its own link.
- pass out all keep state allow-opts label "let out anything from firewall host itself"
- pass out route-to ( em2 62.143.96.1 ) from 11.22.33.44 to !62.143.96.0/21 keep state allow-opts label "let out anything from firewall host itself"
- # The negated destination here is the WAN /32 itself rather than a provider
- # subnet as on the em2 rule -- presumably because the PPPoE link is
- # point-to-point with no local subnet; confirm.
- pass out route-to ( pppoe0 195.14.226.7 ) from 44.33.22.11 to !44.33.22.11/32 keep state allow-opts label "let out anything from firewall host itself"
- # make sure the user cannot lock himself out of the webConfigurator or SSH
- # Only port 80 is listed; SSH (22) is not covered by this rule despite the
- # comment above.
- pass in quick on em1 proto tcp from any to (em1) port { 80 } keep state label "anti-lockout rule"
- # NAT Reflection rules
- # Accepts the connections the reflection rdr rules tagged PFREFLECT.
- pass in inet tagged PFREFLECT keep state label "NAT REFLECT: Allow traffic to localhost"
- # User-defined rules follow
- anchor "userrules/*"
- # One pass rule per inbound forward above, all on UNITYMEDIA only and all
- # "from any"; reply-to keeps the return traffic on em2. None of them carries
- # a connection-rate or state limit.
- pass in quick on $UNITYMEDIA reply-to ( em2 62.143.96.1 ) proto tcp from any to $Server port 80 label "USER_RULE: NAT HTTP"
- pass in quick on $UNITYMEDIA reply-to ( em2 62.143.96.1 ) proto tcp from any to $Server port 443 label "USER_RULE: NAT HTTPS"
- pass in quick on $UNITYMEDIA reply-to ( em2 62.143.96.1 ) proto tcp from any to $Server port 22 label "USER_RULE: NAT SSH"
- pass in quick on $UNITYMEDIA reply-to ( em2 62.143.96.1 ) proto { tcp udp } from any to $Server port 64738 label "USER_RULE: NAT Mumble"
- pass in quick on $UNITYMEDIA reply-to ( em2 62.143.96.1 ) proto udp from any to $Server port 9987 label "USER_RULE: NAT TS3 Voice"
- pass in quick on $UNITYMEDIA reply-to ( em2 62.143.96.1 ) proto tcp from any to $Server port 10011 label "USER_RULE: NAT TS3 Avatars"
- pass in quick on $UNITYMEDIA reply-to ( em2 62.143.96.1 ) proto tcp from any to $Server port 30033 label "USER_RULE: NAT TS3 Files"
- # "2233 >< 2240" is the exclusive range 2234-2239, matching the rdr above.
- pass in quick on $UNITYMEDIA reply-to ( em2 62.143.96.1 ) proto tcp from any to $Server port 2233 >< 2240 label "USER_RULE: NAT Nicotine"
- pass in quick on $UNITYMEDIA reply-to ( em2 62.143.96.1 ) proto { tcp udp } from any to $Torrents port 50498 label "USER_RULE: NAT Torrents"
- # Unrestricted LAN egress, including to the firewall's own services on em1.
- pass in quick on $LAN from 192.168.1.0/24 to any keep state label "USER_RULE: Default allow LAN to any rule"
- # VPN Rules
- # (No VPN rules are present in this file; only the tftp-proxy anchor follows.)
- anchor "tftp-proxy/*"