################ OpenBSD pf.conf
##########################
# Required order: options, normalization, queueing, translation, filtering.
# Note: translation rules are first match while filter rules are last match.
# NOTE(review): "last match" only holds for rules without the "quick" keyword;
# a matching quick rule ends evaluation at once and its action wins. Several
# rules at the very end of the filter section rely on that and are flagged
# below where they widen the default-deny policy.
################ Macros ###################################
### Interfaces ###
ExtIf="re0"
IntIf="rl0"
WifiIf="ral0"
# Port lists consumed only by the trailing pass rules at the end of the filter
# section (see the notes there). router_daemons mixes core services (ssh, smtp,
# domain, www, https, mail) with chat/IRC/proxy ports.
router_daemons = "{ ssh, 21, smtp, domain, www, pop3, auth, https, pop3s, imap, imaps, 8000, 8080, 5190, 5222, 8004, 8022, 9046, 9622, 7012, 1863, 5050, 6697, 6667, 7000 }"
client_tcp_services = "{ ssh, smtp, domain, www, pop3, auth, https, pop3s, imap, imaps, 8000, 8080, 5190, 5222, 21 }"
client_udp_services = "{ domain, bootps, 67 }"
### Hosts ###
# The only host allowed to reach the local ssh daemon (via rdr to $SshPort).
HomeSsh="10.0.0.1"
# WorkSsh is referenced only by the commented-out external ssh rules below.
# WorkSsh="20.10.20.30"
### States & Queues ###
# SynState: pf answers the TCP handshake itself (synproxy) before creating
# state; used on the externally reachable smtp/spamd rules.
SynState="flags S/SAFR synproxy state"
# TcpState: normal stateful TCP with sequence-number modulation.
TcpState="flags S/SAFR modulate state"
UdpState="keep state"
### Ports ###
# Outbound TCP ports LAN/Wifi clients may open to non-firewall destinations.
AllowOUT="{21, 80, 443}"
FtpPort="{21, 8021}"
IntIfTcpIn="{ 21, 139 }"
IntIfTcpOut="{ 21, 22, 139}"
IntIfUdpIn="{ 21, 67, 137, 138}"
IntIfUdpOut="{ 21, 137, 138}"
# Port the real sshd listens on; port 22 is redirected here.
SshPort="8022"
### Stateful Tracking Options ###
# max-src-conn-rate N/S = at most N new connections per source per S seconds.
ExtIfSTO ="(max 9000, source-track rule, max-src-conn 2000, max-src-nodes 254)"
IntIfSTO ="(max 250, source-track rule, max-src-conn 100, max-src-nodes 254, max-src-conn-rate 75/20)"
# NOTE(review): overloads offenders into <BLACKLIST>, but the <BLACKLIST>
# table definition in the Tables section is commented out -- confirm with
# "pfctl -nf" that the ruleset still loads. The quoted value also spans two
# physical lines; confirm the installed pfctl accepts the embedded newline.
PostfxSTO ="(max 100, source-track rule, max-src-states 5, max-src-nodes 30, max-src-conn-rate 10/300, overload <BLACKLIST> flush global,
tcp.established 45)"
# SpamdSTO is defined but no active rule uses it; the spamd rule below reuses
# $PostfxSTO instead.
SpamdSTO ="(max 500, source-track rule, max-src-conn 10, max-src-nodes 300, max-src-conn-rate 2/300, tcp.established 10)"
# SshSTO is the only thing that feeds <OVERLOAD_SSH>, and it is referenced
# solely by a commented-out rule below, so the table is never populated by an
# active rule.
SshSTO ="(max 10, source-track rule, max-src-states 10, max-src-nodes 5, max-src-conn-rate 20/60, overload <OVERLOAD_SSH> flush global)"
################ Tables ####################################
# NOTE(review): <spamd-white> is used by the smtp/spamd rules below but is not
# declared in this file (presumably maintained by spamd(8)); confirm it exists
# before the ruleset is loaded.
#-->table <BLACKLIST> persist file "/etc/blacklist"
#-->table <SLOWQUEUE> persist file "/etc/slowqueue"
table <OVERLOAD_SSH> persist
################ Options ##################################
# Misc Options
set debug urgent
set require-order yes
# Blocked packets are silently dropped unless a rule says "return".
set block-policy drop
set loginterface $ExtIf
# States are bound to the interface they were created on.
set state-policy if-bound
set fingerprints "/etc/pf.os"
set ruleset-optimization none
# Timeout Options
set optimization aggressive
set timeout { frag 10, tcp.established 3600 }
set timeout { tcp.first 30, tcp.closing 10, tcp.closed 10, tcp.finwait 10 }
set timeout { udp.first 30, udp.single 30, udp.multiple 30 }
set timeout { other.first 30, other.single 30, other.multiple 30 }
set timeout { adaptive.start 5000, adaptive.end 10000 }
################ Normalization #############################
### Use this line for OpenBSD v4.5 and earlier ONLY!
#--> scrub log on $ExtIf all random-id min-ttl 254 max-mss 1452 set-tos lowdelay reassemble tcp fragment reassemble
################ Queueing ##################################
# Comcast Upload = 1000Kb/s (queue at 96%)
# NOTE(review): the whole altq definition is commented out, yet the $ExtIf
# pass rules below still name queues (mail, ack, spamd, bulk, dns, ssh_*);
# confirm the ruleset loads without these queues or re-enable them.
# altq on $ExtIf bandwidth 960Kb hfsc queue { ack, dns, ssh, web, mail, bulk, bittor, spamd }
# queue ack bandwidth 60% priority 8 qlimit 500 hfsc (realtime 50%)
# queue dns bandwidth 7% priority 7 qlimit 500 hfsc (realtime 5%)
# queue ssh bandwidth 10% priority 6 qlimit 500 hfsc (realtime 5%) {ssh_login, ssh_bulk}
# queue ssh_login bandwidth 90% priority 6 qlimit 500 hfsc
# queue ssh_bulk bandwidth 10% priority 5 qlimit 500 hfsc
# queue web bandwidth 10% priority 5 qlimit 500 hfsc (realtime 10%)
# queue mail bandwidth 10% priority 4 qlimit 500 hfsc (realtime 5%)
# queue bulk bandwidth 1% priority 3 qlimit 500 hfsc (realtime 5% default)
# queue bittor bandwidth 1% priority 2 qlimit 500 hfsc (upperlimit 92%)
# queue spamd bandwidth 1% priority 1 qlimit 500 hfsc (upperlimit 3Kb)
################ Translation ###############################
no rdr on lo0 from any to any
#--> nat on egress from $Xbox360 to any tag EGRESS -> ($ExtIf:0) static-port
# Outbound NAT for both internal networks; EGRESS tag is matched by the
# $ExtIf outbound pass rules.
nat on egress from $WifiIf:network to any tag EGRESS -> ($ExtIf:0) port 1024:65535
nat on egress from $IntIf:network to any tag EGRESS -> ($ExtIf:0) port 1024:65535
# Named ( bind dns )
rdr on $IntIf inet proto udp from $IntIf:network to $IntIf port domain tag BINDNS -> lo0 port domain
rdr on $WifiIf inet proto udp from $WifiIf:network to $WifiIf port domain tag BINDNS -> lo0 port domain
# Ntpd ( time server )
rdr on $IntIf inet proto udp from $IntIf:network to $IntIf port ntp tag NTPD -> lo0 port ntp
rdr on $WifiIf inet proto udp from $WifiIf:network to $WifiIf port ntp tag NTPD -> lo0 port ntp
# Openssh
# rdr on $ExtIf inet proto tcp from $WorkSsh to ($ExtIf) port ssh tag OPENSSH -> lo0 port $SshPort
rdr on $IntIf inet proto tcp from $HomeSsh to $IntIf port ssh tag OPENSSH -> lo0 port $SshPort
rdr on $WifiIf inet proto tcp from $HomeSsh to $WifiIf port ssh tag OPENSSH -> lo0 port $SshPort
# Ftp ( secure ftp-proxy for the internal LAN )
#--> nat-anchor "ftp-proxy/*"
#--> rdr-anchor "ftp-proxy/*"
#--> rdr on $IntIf inet proto tcp from $IntIf:network to any port ftp -> lo0 port $FtpPort
#--> rdr on $WifiIf inet proto tcp from $WifiIf:network to any port ftp -> lo0 port $FtpPort
# Postfix/Sendmail/Qmail ( external mail to mail server and spamd )
# Whitelisted senders go to the real MTA, everyone else to spamd.
rdr on $ExtIf inet proto tcp from <spamd-white> to ($ExtIf) port smtp tag MAIL -> lo0 port smtp
rdr on $ExtIf inet proto tcp from !<spamd-white> to ($ExtIf) port smtp tag SPAMD -> lo0 port spamd
# Games (rdr to windows box)
#--> rdr-anchor "games"
# DENY rogue redirections
no rdr
################ Filtering #################################
### Use this line for OpenBSD v4.6 and later ONLY
## Packet normalization ("scrubbing")
### match on $ExtIf all scrub (random-id min-ttl 254 set-tos lowdelay reassemble tcp max-mss 1452)
match on $ExtIf all scrub (random-id min-ttl 254 set-tos lowdelay reassemble tcp max-mss 1452)
### match on $ExtIf all scrub (random-id min-ttl 254 set-tos lowdelay reassemble tcp max-mss 1452)
# Deny spoofed packets
antispoof log quick for { lo0 $IntIf ($ExtIf) }
antispoof log quick for { lo0 $WifiIf ($ExtIf) }
# Samba broadcast fix
pass log quick on $IntIf inet proto udp from $IntIf:network to $IntIf:broadcast port $IntIfUdpOut $UdpState $IntIfSTO
pass log quick on $WifiIf inet proto udp from $WifiIf:network to $WifiIf:broadcast port $IntIfUdpOut $UdpState $IntIfSTO
# Block to/from illegal sources/destinations
block in log quick from no-route to any
#-->block in log quick on $ExtIf from <SLOWQUEUE> to any probability 97%
#-->block in quick on $ExtIf from <BLACKLIST> to any
# Only effective if something populates <OVERLOAD_SSH>; see the SshSTO note.
block in quick on $ExtIf inet proto tcp from <OVERLOAD_SSH> to any port $SshPort
block in quick on $ExtIf from any to 255.255.255.255
#-->block return in quick on $IntIf from any to <BLACKLIST>
#-->block return in quick on $WifiIf from any to <BLACKLIST>
block return in quick on $IntIf from any to 224.0.0.1
block return in quick on $WifiIf from any to 224.0.0.1
# All IPv6 is dropped.
block quick inet6
# BLOCK all in/out on all interfaces and log by default
# These are not "quick", so any later matching pass rule overrides them
# (last match wins); see the notes on the trailing rules at the end.
block log on $ExtIf
block return log on $IntIf
block return log on $WifiIf
# CARP firewall failover ( https://calomel.org/pf_carp.html )
#--> pass on $CarpIf inet proto pfsync keep state
#--> pass on { $ExtIf, $IntIf } inet proto carp keep state
# Ftp ( secure ftp-proxy )
#--> anchor "ftp-proxy/*"
# Games (rules for games on windows box)
#--> anchor "games"
# $ExtIf inbound
#--> pass in log on $ExtIf inet proto icmp from any to ($ExtIf) icmp-type 8 code 0 $UdpState
#--> pass in log on $ExtIf inet proto tcp from $WorkSsh to lo0 port $SshPort $SynState $SshSTO queue (ssh_login, ssh_bulk) tagged OPENSSH
pass in log on $ExtIf inet proto tcp from <spamd-white> to lo0 port smtp $SynState $PostfxSTO queue (mail, ack) tagged MAIL
pass in log on $ExtIf inet proto tcp from !<spamd-white> to lo0 port spamd $SynState $PostfxSTO queue (spamd) tagged SPAMD
# $IntIf outbound
pass out log on $IntIf inet proto tcp from $IntIf to $IntIf:network port $IntIfTcpOut $TcpState
pass out log on $WifiIf inet proto tcp from $WifiIf to $WifiIf:network port $IntIfTcpOut $TcpState
pass out log on $IntIf inet proto udp from $IntIf to $IntIf:network port $IntIfUdpOut $UdpState
pass out log on $WifiIf inet proto udp from $WifiIf to $WifiIf:network port $IntIfUdpOut $UdpState
pass out log on $IntIf inet proto icmp from $IntIf to $IntIf:network icmp-type 8 code 0 $UdpState
pass out log on $WifiIf inet proto icmp from $WifiIf to $WifiIf:network icmp-type 8 code 0 $UdpState
# $IntIf inbound
# NOTE(review): this first rule is on $ExtIf, not $IntIf: it accepts ftp/8021
# to lo0 from the ISP-side subnet even though the ftp-proxy rdr lines are
# commented out -- confirm it is still wanted.
pass in log on $ExtIf inet proto tcp from $ExtIf:network to lo0 port $FtpPort $TcpState $IntIfSTO
pass in log on $IntIf inet proto tcp from $IntIf:network to lo0 port $FtpPort $TcpState $IntIfSTO
pass in log on $WifiIf inet proto tcp from $WifiIf:network to lo0 port $FtpPort $TcpState $IntIfSTO
pass in log on $IntIf inet proto tcp from $IntIf:network to $IntIf port $IntIfTcpIn $TcpState $IntIfSTO
pass in log on $WifiIf inet proto tcp from $WifiIf:network to $WifiIf port $IntIfTcpIn $TcpState $IntIfSTO
# LAN clients may reach non-firewall destinations only on $AllowOUT.
# NOTE(review): the $WifiIf copy below says "!$IntIf" where every other
# $WifiIf rule substitutes $WifiIf -- likely a copy/paste slip, confirm.
pass in log on $IntIf inet proto tcp from $IntIf:network to !$IntIf port $AllowOUT $TcpState $ExtIfSTO
pass in log on $WifiIf inet proto tcp from $WifiIf:network to !$IntIf port $AllowOUT $TcpState $ExtIfSTO
pass in log on $IntIf inet proto tcp from $HomeSsh to lo0 port $SshPort $TcpState $IntIfSTO tagged OPENSSH
pass in log on $WifiIf inet proto tcp from $HomeSsh to lo0 port $SshPort $TcpState $IntIfSTO tagged OPENSSH
pass in log on $IntIf inet proto udp from $IntIf:network to lo0 port domain $UdpState $IntIfSTO tagged BINDNS
pass in log on $WifiIf inet proto udp from $WifiIf:network to lo0 port domain $UdpState $IntIfSTO tagged BINDNS
pass in log on $IntIf inet proto udp from $IntIf:network to lo0 port ntp $UdpState $IntIfSTO tagged NTPD
pass in log on $WifiIf inet proto udp from $WifiIf:network to lo0 port ntp $UdpState $IntIfSTO tagged NTPD
pass in log on $IntIf inet proto udp from $IntIf:network to $IntIf port $IntIfUdpIn $UdpState $IntIfSTO
pass in log on $WifiIf inet proto udp from $WifiIf:network to $WifiIf port $IntIfUdpIn $UdpState $IntIfSTO
pass in log on $IntIf inet proto icmp from $IntIf:network to $IntIf icmp-type 8 code 0 $UdpState $IntIfSTO
pass in log on $WifiIf inet proto icmp from $WifiIf:network to $WifiIf icmp-type 8 code 0 $UdpState $IntIfSTO
# $ExtIf outbound
pass out log on $ExtIf inet proto tcp from ($ExtIf) to any $TcpState $ExtIfSTO queue (bulk, ack) tagged EGRESS
pass out log on $ExtIf inet proto tcp from ($ExtIf) to any port ssh $TcpState $ExtIfSTO queue (ssh_login, ssh_bulk) tagged EGRESS
pass out log on $ExtIf inet proto udp from ($ExtIf) to any $UdpState $ExtIfSTO queue (bulk) tagged EGRESS
pass out log on $ExtIf inet proto udp from ($ExtIf) to any port domain $UdpState $ExtIfSTO queue (dns) tagged EGRESS
pass out log on $ExtIf inet proto icmp from ($ExtIf) to any $UdpState $ExtIfSTO queue (bulk) tagged EGRESS
# NOTE(review): the remaining rules were appended after the structured policy
# above and are broader than anything before them: no "log", no "inet"
# restriction on the first two, no per-rule state limits, and (for the icmp
# and router_daemons rules) no interface, direction or source constraint.
pass out on $ExtIf proto udp to any port $client_udp_services
pass out on $ExtIf proto tcp to any port $client_tcp_services
# NOTE(review): matches all ICMP types, both directions, every interface.
# Being later than "block log on $ExtIf" it wins under last-match for any
# ICMP not caught by an earlier quick block, so ($ExtIf) answers ICMP from
# anywhere; the echo-only rule with icmp-type 8 above is commented out.
pass proto icmp
# NOTE(review): "quick" with no interface, direction or source: on $ExtIf
# this passes inbound tcp/udp from any source to every port in
# $router_daemons (ssh, smtp, domain, www, https, ...) and ends evaluation
# before the default block is considered; on $IntIf/$WifiIf it also lets
# clients reach those ports on any host, bypassing the $AllowOUT limit.
# Scope it to the intended interface/direction/destination, or document why
# the exposure is intended.
pass quick inet proto { tcp, udp } to any port $router_daemons
# tcp/51499 on the wifi interface -- purpose undocumented; name the service.
pass in quick on $WifiIf inet proto tcp from any to ($WifiIf) port 51499
pass out quick on $WifiIf inet proto tcp from any to ($WifiIf) port 51499