- # pf.conf (OpenBSD/FreeBSD packet filter). Sections appear in pf's required
- # load order: macros, tables, options, queueing, normalization (scrub),
- # translation (nat/rdr), filtering. The separate nat/rdr section is the
- # pre-OpenBSD 4.7 syntax (also FreeBSD's pf) -- confirm which pf version
- # loads this file.
- ### Interfaces ###
- ext ="vr0"
- int ="ale0"
- # the network attached to $int, expanded by pfctl at load time
- localnet = $int:network
- ### Hosts ###
- # NOTE(review): Windows, Xbox360, phone and WorkSsh are never referenced by
- # any rule below (the "XBOX360" nat comment under Translation does not use
- # $Xbox360 either) -- dead macros, or rules that were removed.
- Windows ="192.168.1.33"
- Xbox360 ="192.168.1.4"
- phone ="192.168.1.5"
- WorkSsh ="107.21.121.234"
- # rdr targets: web lands on the firewall itself, smtp and ssh on LAN hosts
- webserver = "127.0.0.1"
- mail_smtp = "192.168.1.250"
- devcenter = "192.168.2.222"
- ### Ports ###
- web_ports = "{ http, https }"
- # NOTE(review): $ssh_ports is unused; the rules below spell out ssh / 10022.
- ssh_ports = "{ ssh, 10022 }"
- ### Queues, States and Types ###
- # icmp echo request only (ping); used by the $int icmp rule
- IcmpPing ="icmp-type 8 code 0"
- # NOTE(review): SshQueue and SynState are unused -- queueing is disabled
- # (see Queueing) and every tcp rule uses $TcpState.
- SshQueue ="(ssh_bulk, ssh_login)"
- # synproxy: the firewall completes the TCP handshake before the backend sees it
- SynState ="flags S/SA synproxy state"
- # modulate state: create state on SYN only and rewrite initial sequence numbers
- TcpState ="flags S/SA modulate state"
- UdpState ="keep state"
- ### Stateful Tracking Options (STO) ###
- # max: state entries for the rule; source-track rule + max-src-conn /
- # max-src-nodes / max-src-conn-rate: per-source limits. overload puts an
- # offending source into <BLOCKTEMP> and "flush global" kills its states --
- # but see the Filtering section: no active rule blocks <BLOCKTEMP>, so
- # overload currently only records the source.
- OpenSTO ="(max 90000, source-track rule, max-src-conn 1000, max-src-nodes 256)"
- SmtpSTO ="(max 200, source-track rule, max-src-conn 10, max-src-nodes 256, max-src-conn-rate 200/30)"
- SshSTO ="(max 100, source-track rule, max-src-conn 10, max-src-nodes 100, max-src-conn-rate 100/30, overload <BLOCKTEMP> flush global)"
- WebSTO ="(max 4096, source-track rule, max-src-conn 64, max-src-nodes 512, max-src-conn-rate 500/100, overload <BLOCKTEMP> flush global)"
- ### Tables ###
- # filled by the overload clauses above; pf does not age entries out by itself,
- # a periodic `pfctl -t BLOCKTEMP -T expire <seconds>` is the usual companion
- # -- TODO confirm one exists.
- table <BLOCKTEMP> counters
- # NOTE(review): the file directive is commented out, so <BLOCKPERM> is empty
- # at load unless populated by hand with pfctl.
- table <BLOCKPERM> counters #file "/somedir/block_permanent"
- # NOTE(review): only referenced by a commented-out rule; without `persist`
- # the kernel drops a table no rule refers to -- add persist if spamd fills it.
- table <spamd-white>
- ################ Options ######################################################
- ### Misc Options
- # no filtering on loopback; rdr targets on lo0 rely on this
- set skip on lo0
- set debug urgent
- # silently drop what `block` matches (the $int rule asks for `return` explicitly)
- set block-policy drop
- # interface whose counters `pfctl -s info` reports
- set loginterface $ext
- # states are bound to the interface that created them
- set state-policy if-bound
- set fingerprints "/etc/pf.os"
- # optimizer off: rules are evaluated exactly in the order written
- set ruleset-optimization none
- ### Timeout Options
- set optimization normal
- # seconds
- set timeout { tcp.closing 60, tcp.established 7200}
- ################ Queueing ####################################################
- # no quality of service (QOS) since it is not supported by the myricom 10gig
- # vr0 interface drivers and we would lose as much as 10% bandwidth anyways.
- # for more information: https://calomel.org/pf_hfsc.html
- ################ Normalization ###############################################
- # outbound on $ext: randomize IP ids, set TOS, reassemble fragments
- scrub out log on $ext all random-id set-tos 0x04 fragment reassemble
- # both directions on $ext: statefully normalize TCP and reassemble fragments
- scrub log on $ext all reassemble tcp fragment reassemble
- ################ Translation #################################################
- ### NAT and Redirection rules are first match
- # NAT with static NAT for the XBOX360
- # NOTE(review): the comment above does not match the rule -- it NATs all of
- # $localnet and uses neither $Xbox360 nor static-port. Confirm intent.
- nat on $ext from $localnet to any -> ($ext)
- # Apache or Nginx (external users to an internal server?)
- # external web traffic is redirected to the firewall's own loopback
- rdr on $ext inet proto tcp from !($ext) to ($ext) port $web_ports -> $webserver
- # OpenSMTPD or Postfix with Spamd
- rdr on $ext inet proto tcp from any to ($ext) port smtp -> $mail_smtp
- # Openssh
- # port 10022 on either interface -> the firewall's own sshd on lo0
- rdr on {$ext, $int} inet proto tcp from any to any port 10022 -> lo0
- # NOTE(review): port 22 from *any* source on $ext -- i.e. the Internet -- is
- # forwarded to the internal devcenter host, and the pass rule under
- # "$ext inbound" admits it. If that is not intended, restrict the source here
- # (e.g. `from $WorkSsh`) rather than relying on $SshSTO alone.
- rdr on {$ext, $int} inet proto tcp from any to any port 22 -> $devcenter
- # Apache or Nginx (internal webserver for the LAN to localhost?)
- rdr on $int inet proto tcp from !($int) to ($int) port $web_ports -> lo0
- # Bind or Unbound DNS for LAN machines
- rdr on $int inet proto udp from $localnet to $int port domain -> lo0
- # Ntpd time server for the LAN
- rdr on $int inet proto udp from $localnet to $int port ntp -> lo0
- # Anchors
- # rdr-anchor "games"
- # Ftp ( secure ftp-proxy for the internal LAN )
- nat-anchor "ftp-proxy/*"
- rdr-anchor "ftp-proxy/*"
- # hand LAN ftp control connections to ftp-proxy on 127.0.0.1:8021
- rdr pass on $int proto tcp from $localnet to any port 21 -> 127.0.0.1 port 8021
- # DENY rogue redirection
- # translation is first-match, so as the last rdr rule this only covers
- # packets nothing above matched
- no rdr
- ################ Filtering ###################################################
- # Rules are best (closest) match. Notice we optimized the rules so external
- # interface parsing is first followed by the internal interface.
- # NOTE(review): pf filter rules are last-match-wins unless `quick`; none of
- # the active rules below use quick, so every packet walks the whole list and
- # the final matching rule decides.
- ### $ext block abusive hosts in temp and perm tables
- # NOTE(review): with these four rules commented out, the overload clauses in
- # $SshSTO / $WebSTO populate <BLOCKTEMP> but nothing ever blocks it, and
- # <BLOCKPERM> is never consulted. Note also that the two tcp rules exclude
- # the ssh ports, so re-enabling them as written still would not cut off an
- # ssh offender -- decide whether that exclusion is intended.
- # block drop in log quick on $ext from <BLOCKPERM> to any
- # block drop in log quick on $ext proto udp from <BLOCKTEMP> to any
- # block drop in log quick on $ext proto tcp from <BLOCKTEMP> to any port != ssh
- # block drop in log quick on $ext proto tcp from <BLOCKTEMP> to any port != 10022
- ### $ext default block with drop
- # NOTE(review): no `log` here, so packets dropped by the default policy are
- # not logged unless the commented rule below is enabled.
- block all
- # block drop in log on $ext
- ### $ext inbound
- # from !($ext): source must not be the firewall's own external address
- pass in log on $ext inet proto tcp from !($ext) to $webserver port $web_ports $TcpState $WebSTO
- # pass in log on $ext inet proto tcp from !($ext) to $webserver port www $TcpState $WebSTO
- pass in log on $ext inet proto tcp from !($ext) to $mail_smtp port smtp $TcpState $SmtpSTO
- #pass in log on $ext inet proto tcp from !<spamd-white> to 10.10.10.200 port spamd $TcpState $SmtpSTO
- # ssh to the firewall (rdr'd to lo0) and to devcenter; rate-limited by $SshSTO
- pass in log on $ext inet proto tcp from any to lo0 port 10022 $TcpState $SshSTO
- pass in log on $ext inet proto tcp from any to $devcenter port ssh $TcpState $SshSTO
- ### $ext outbound
- # source is the external address: the firewall itself, or LAN traffic after
- # nat (translation runs before filtering)
- pass out log on $ext inet proto tcp from ($ext) to !($ext) $TcpState $OpenSTO
- pass out log on $ext inet proto udp from ($ext) to !($ext) $UdpState $OpenSTO
- pass out log on $ext inet proto icmp from ($ext) to !($ext) $UdpState $OpenSTO
- ### $int default block with return (TCP reset)
- block return in log on $int inet
- ### $int inbound (restrict LAN clients to external machines here)
- # LAN clients get http/https anywhere, ssh to the firewall and devcenter,
- # the firewall's dns/ntp, and ping to the firewall; all else is reset
- # pass in log on $int inet proto tcp from $localnet to any port https $TcpState $OpenSTO
- pass in log on $int inet proto tcp from $localnet to any port $web_ports $TcpState $OpenSTO
- pass in log on $int inet proto tcp from any to lo0 port 10022 $TcpState $OpenSTO
- pass in log on $int inet proto tcp from any to $devcenter port ssh $TcpState $OpenSTO
- pass in log on $int inet proto udp from $localnet to lo0 port domain $UdpState $OpenSTO
- pass in log on $int inet proto udp from $localnet to lo0 port ntp $UdpState $OpenSTO
- pass in log on $int inet proto icmp from $localnet to $int $IcmpPing $UdpState $OpenSTO
- ### $int ftp secure proxy for LAN
- anchor "ftp-proxy/*" in on $int inet proto tcp
- ### $int outbound
- pass out log on $int inet proto tcp from $int to $localnet $TcpState
- pass out log on $int inet proto udp from $int to $localnet $UdpState
- pass out log on $int inet proto icmp from $int to $localnet $UdpState
- #allow devcenter
- # NOTE(review): last rule -- no interface, no source, no log, no STO. Being
- # the final match it overrides `pass out log on $ext ... $OpenSTO` for
- # outbound tcp/22 on every interface, silently dropping logging and the
- # per-source limits for that traffic. Presumably it exists because $devcenter
- # (192.168.2.222) is outside $localnet; if so, something like
- # `pass out log on $int inet proto tcp from any to $devcenter port ssh $TcpState`
- # keeps the intent without the side effect -- TODO confirm.
- pass out proto tcp to port ssh