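# pf.conf for a host with one external interface ($ext_if) serving
# ssh, smtp/submission, http/https, imap and dns over IPv4 and IPv6.
#
# Sections are kept in the order macros, tables, options, normalization,
# filtering. FreeBSD's pfctl rejects a ruleset whose options appear after
# filter rules ("Rules must be in order"); OpenBSD accepts any order, so
# the sorted layout loads on both.

# --- macros ---
ext_if = "em0"
icmp_types = "{echoreq, unreach}"
# The ICMPv6 list must keep neighbor/router discovery (neighbr*, router*)
# or IPv6 on $ext_if stops working once the default block applies.
icmp6_types = "{ unreach, toobig, timex, paramprob, echoreq, echorep, neighbradv, neighbrsol, routeradv, routersol }"

# --- tables ---
# Filled at runtime by sshguard; "persist" keeps the table alive even when
# it is empty or temporarily unreferenced.
table <sshguard> persist

# --- options ---
set skip on lo0
# Passive OS fingerprint database used by the "os" keyword below.
set fingerprints "/etc/pf.os"

# --- normalization ---
scrub in on $ext_if all fragment reassemble

# --- filtering ---
# Default deny. "log" sends every dropped packet to pflog0 so blocked
# traffic is visible (tcpdump -n -e -ttt -i pflog0) instead of silently lost.
block log all
# Drop packets arriving on $ext_if with a source address that belongs to one
# of this host's own networks. No address family is given, so both inet and
# inet6 are covered; the IPv6 pass rules below would otherwise be unprotected.
antispoof for $ext_if

# Impossible or scan-only TCP flag combinations. "quick" stops evaluation,
# so these win over the pass rules further down regardless of position.
block in quick on $ext_if proto tcp flags FUP/WEUAPRSF
block in quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
block in quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
block in quick on $ext_if proto tcp flags /WEUAPRSF
block in quick on $ext_if proto tcp flags SR/SR
block in quick on $ext_if proto tcp flags SF/SF
block in quick on $ext_if proto tcp from any to any flags FUP/FUP
# Passive fingerprint match is heuristic and easy to evade; treat the label
# (pfctl -vsr counters) as a detection aid, not as the control.
block in log quick on $ext_if from any os "NMAP" to any label NMAPScan

# Outbound: stateful, with ISNs rewritten by "modulate state" for TCP.
# For udp/icmp modulate state behaves like keep state.
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state
pass out on $ext_if inet6 proto { tcp, udp, icmp6 } from any to any modulate state

# Inbound services. "flags S/SA" accepts only the initial SYN and
# "synproxy state" completes the handshake in pf before the daemon sees
# the connection, which absorbs SYN floods. pf is last-match, so the
# "quick" block rules above and the sshguard block below take precedence.
pass in on $ext_if proto tcp from any to any port ssh flags S/SA synproxy state
pass in on $ext_if proto tcp from any to any port smtp flags S/SA synproxy state
pass in on $ext_if proto tcp from any to any port http flags S/SA synproxy state
pass in on $ext_if proto tcp from any to any port https flags S/SA synproxy state
pass in on $ext_if proto tcp from any to any port imap flags S/SA synproxy state
pass in on $ext_if proto tcp from any to any port domain flags S/SA synproxy state
pass in on $ext_if proto tcp from any to any port submission flags S/SA synproxy state
# No explicit "keep state": current pf keeps state on pass rules by default.
pass in on $ext_if proto udp from any to any port domain
pass in on $ext_if inet6 proto tcp from any to any port ssh flags S/SA synproxy state
pass in on $ext_if inet6 proto tcp from any to any port smtp flags S/SA synproxy state
pass in on $ext_if inet6 proto tcp from any to any port http flags S/SA synproxy state
pass in on $ext_if inet6 proto tcp from any to any port https flags S/SA synproxy state
pass in on $ext_if inet6 proto tcp from any to any port imap flags S/SA synproxy state
pass in on $ext_if inet6 proto tcp from any to any port domain flags S/SA synproxy state
pass in on $ext_if inet6 proto tcp from any to any port submission flags S/SA synproxy state
pass in on $ext_if inet6 proto udp from any to any port domain

# ICMP is limited to the types listed in the macros (no interface given,
# so this applies to every interface not covered by "set skip").
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in inet6 proto icmp6 all icmp6-type $icmp6_types keep state

# Brute-force sources collected by sshguard. "quick" makes this override the
# port ssh pass rule above even though it appears later in the file.
block in quick on $ext_if proto tcp from <sshguard> to any port 22 label "ssh bruteforce"

# External blocklist (e.g. Emerging Threats) kept in its own anchor so it can
# be reloaded with pfctl -a emerging-threats without touching the main ruleset.
anchor "emerging-threats"
load anchor "emerging-threats" from "/etc/emerging-PF-ALL.rules"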