################ OpenBSD pf.conf
##########################
# Required order: options, normalization, queueing, translation, filtering.
# Note: translation rules are first match while filter rules are last match
# (a filter rule marked "quick" ends evaluation at that rule).
################ Macros ###################################

### Interfaces ###
# ExtIf faces the ISP (NAT target and loginterface); IntIf and WifiIf are
# the wired and wireless LANs and are treated alike throughout.
ExtIf="re0"
IntIf="rl0"
WifiIf="ral0"


# Ports of services the router itself answers on (used by the Filtering
# section).  NOTE(review): besides server ports (ssh, smtp, www, imaps ...)
# this mixes in what look like client/IM ports (5190, 1863, 5050, 6667,
# 6697, 7000); confirm which of these actually listen on this box.
router_daemons = "{ ssh, 21, smtp, domain, www, pop3, auth, https, pop3s, imap, imaps, 8000, 8080, 5190, 5222, 8004, 8022, 9046, 9622, 7012, 1863, 5050, 6697, 6667, 7000 }"
# Destination ports the router's own outbound client traffic may use.
client_tcp_services = "{ ssh, smtp, domain, www, pop3, auth, https, pop3s, imap, imaps, 8000, 8080, 5190, 5222, 21 }"
# bootps and 67 are the same port; harmless duplicate.
client_udp_services = "{ domain, bootps, 67 }"


### Hosts ###
# The single LAN host allowed to reach sshd (see the OPENSSH rdr/pass rules).
HomeSsh="10.0.0.1"
# WorkSsh="20.10.20.30"

### States & Queues ###
# SynState: pf completes the TCP handshake itself (synproxy) before the
# daemon sees the connection.  TcpState: modulate state rewrites the initial
# sequence numbers.  Both only match an initial SYN (flags S/SAFR).
SynState="flags S/SAFR synproxy state"
TcpState="flags S/SAFR modulate state"
UdpState="keep state"

### Ports ###
# AllowOUT: what LAN clients may reach beyond the router (ftp/http/https).
AllowOUT="{21, 80, 443}"
# FtpPort: ftp-proxy listener (8021) plus plain ftp.
FtpPort="{21, 8021}"
# Router services reachable on the LAN addresses (ftp, netbios-ssn) and the
# router's own outbound LAN traffic.  Port 21 also appears in the UDP lists;
# ftp is TCP-only, so that entry looks unintended.
IntIfTcpIn="{ 21, 139 }"
IntIfTcpOut="{ 21, 22, 139}"
IntIfUdpIn="{ 21, 67, 137, 138}"
IntIfUdpOut="{ 21, 137, 138}"
# Port sshd actually listens on; the rdr rules map port ssh to it on lo0.
SshPort="8022"

### Stateful Tracking Options ###
# Field meanings (pf.conf(5)): max = states this rule may create;
# source-track rule = per-source counters for this rule; max-src-conn =
# completed TCP connections per source; max-src-states = states per source;
# max-src-nodes = distinct sources tracked; max-src-conn-rate N/M = new
# connections per source per M seconds; overload <t> flush global =
# offenders are added to table <t> and all their states are killed;
# tcp.established = per-rule idle timeout for established connections.
ExtIfSTO ="(max 9000, source-track rule, max-src-conn 2000, max-src-nodes 254)"
IntIfSTO ="(max 250, source-track rule, max-src-conn 100, max-src-nodes 254, max-src-conn-rate 75/20)"
# NOTE(review): the overload target <BLACKLIST> has to be defined in the
# Tables section; its definition there is currently commented out.
PostfxSTO ="(max 100, source-track rule, max-src-states 5, max-src-nodes 30, max-src-conn-rate 10/300, overload <BLACKLIST> flush global,
tcp.established 45)"
SpamdSTO ="(max 500, source-track rule, max-src-conn 10, max-src-nodes 300, max-src-conn-rate 2/300, tcp.established 10)"
# Offenders land in <OVERLOAD_SSH>, which the Filtering section blocks on
# $ExtIf; the only rule that uses this macro is the external SSH pass rule.
SshSTO ="(max 10, source-track rule, max-src-states 10, max-src-nodes 5, max-src-conn-rate 20/60, overload <OVERLOAD_SSH> flush global)"

  44. ################ Tables ####################################
  45. #-->table <BLACKLIST> persist file "/etc/blacklist"
  46. #-->table <SLOWQUEUE> persist file "/etc/slowqueue"
  47. table <OVERLOAD_SSH> persist
  48.  
################ Options ##################################
# Misc Options
# NOTE(review): "set debug urgent" and "set require-order" are the older pf
# syntax; later releases take syslog levels for "set debug" and dropped
# require-order.  Check with "pfctl -nf /etc/pf.conf" on the target release.
set debug urgent
set require-order yes
# Blocked packets are dropped silently unless a rule says "block return".
set block-policy drop
set loginterface $ExtIf
# States are bound to the interface they were created on, so forwarded
# traffic needs a matching pass rule on both interfaces.
set state-policy if-bound
set fingerprints "/etc/pf.os"
set ruleset-optimization none

# Timeout Options
# "aggressive" shortens all timeouts; the explicit values below override the
# ones they name.  adaptive.*: once more than 5000 states exist, timeouts
# scale down linearly and reach zero at 10000 states -- keep adaptive.end
# above the "max" values used in the tracking macros.
set optimization aggressive
set timeout { frag 10, tcp.established 3600 }
set timeout { tcp.first 30, tcp.closing 10, tcp.closed 10, tcp.finwait 10 }
set timeout { udp.first 30, udp.single 30, udp.multiple 30 }
set timeout { other.first 30, other.single 30, other.multiple 30 }
set timeout { adaptive.start 5000, adaptive.end 10000 }

################ Normalization #############################
### Use this line for OpenBSD v4.5 and earlier ONLY!
#--> scrub log on $ExtIf all random-id min-ttl 254 max-mss 1452 set-tos lowdelay reassemble tcp fragment reassemble
# (On 4.6 and later the equivalent "match ... scrub" is in the Filtering section.)

################ Queueing ##################################
# Comcast Upload = 1000Kb/s (queue at 96%)
# NOTE(review): this altq block is commented out, but pass rules in the
# Filtering section still name these queues (ack, dns, ssh_login, ssh_bulk,
# mail, bulk, spamd).  A rule that names a queue which is not defined is
# rejected when the ruleset is loaded, so either enable this block or drop
# the "queue (...)" clauses on those rules; keep the two in sync.
# altq on $ExtIf bandwidth 960Kb hfsc queue { ack, dns, ssh, web, mail, bulk, bittor, spamd }
# queue ack bandwidth 60% priority 8 qlimit 500 hfsc (realtime 50%)
# queue dns bandwidth 7% priority 7 qlimit 500 hfsc (realtime 5%)
# queue ssh bandwidth 10% priority 6 qlimit 500 hfsc (realtime 5%) {ssh_login, ssh_bulk}
# queue ssh_login bandwidth 90% priority 6 qlimit 500 hfsc
# queue ssh_bulk bandwidth 10% priority 5 qlimit 500 hfsc
# queue web bandwidth 10% priority 5 qlimit 500 hfsc (realtime 10%)
# queue mail bandwidth 10% priority 4 qlimit 500 hfsc (realtime 5%)
# queue bulk bandwidth 1% priority 3 qlimit 500 hfsc (realtime 5% default)
# queue bittor bandwidth 1% priority 2 qlimit 500 hfsc (upperlimit 92%)
# queue spamd bandwidth 1% priority 1 qlimit 500 hfsc (upperlimit 3Kb)

################ Translation ###############################
# Translation rules are first match; the trailing "no rdr" catches anything
# not explicitly redirected above it.
no rdr on lo0 from any to any
#--> nat on egress from $Xbox360 to any tag EGRESS -> ($ExtIf:0) static-port
# Source-NAT both LANs behind the primary WAN address.  The EGRESS tag is
# what the "$ExtIf outbound" pass rules key on.  Source ports are rewritten
# into 1024:65535 (no static-port, so protocols that need a stable source
# port will not work through this NAT).
nat on egress from $WifiIf:network to any tag EGRESS -> ($ExtIf:0) port 1024:65535
nat on egress from $IntIf:network to any tag EGRESS -> ($ExtIf:0) port 1024:65535

# Named ( bind dns )
# LAN DNS queries to the router's LAN address are redirected to lo0 and
# tagged BINDNS for the filter rules (presumably named binds lo0 only --
# confirm).
rdr on $IntIf inet proto udp from $IntIf:network to $IntIf port domain tag BINDNS -> lo0 port domain
rdr on $WifiIf inet proto udp from $WifiIf:network to $WifiIf port domain tag BINDNS -> lo0 port domain

# Ntpd ( time server )
# Same pattern as DNS, tag NTPD.
rdr on $IntIf inet proto udp from $IntIf:network to $IntIf port ntp tag NTPD -> lo0 port ntp
rdr on $WifiIf inet proto udp from $WifiIf:network to $WifiIf port ntp tag NTPD -> lo0 port ntp

# Openssh
# Port ssh on the LAN addresses maps to lo0:$SshPort, only for $HomeSsh.
# WAN access (from $WorkSsh) stays disabled.
# rdr on $ExtIf inet proto tcp from $WorkSsh to ($ExtIf) port ssh tag OPENSSH -> lo0 port $SshPort
rdr on $IntIf inet proto tcp from $HomeSsh to $IntIf port ssh tag OPENSSH -> lo0 port $SshPort
rdr on $WifiIf inet proto tcp from $HomeSsh to $WifiIf port ssh tag OPENSSH -> lo0 port $SshPort

# Ftp ( secure ftp-proxy for the internal LAN )
# Disabled.  Note that the Filtering section still carries pass rules for
# $FtpPort; they only matter once these are enabled.
#--> nat-anchor "ftp-proxy/*"
#--> rdr-anchor "ftp-proxy/*"
#--> rdr on $IntIf inet proto tcp from $IntIf:network to any port ftp -> lo0 port $FtpPort
#--> rdr on $WifiIf inet proto tcp from $WifiIf:network to any port ftp -> lo0 port $FtpPort

# Postfix/Sendmail/Qmail ( external mail to mail server and spamd )
# Senders in <spamd-white> (maintained by spamd) go to the real MTA, all
# others to spamd.  <spamd-white> must be defined in the Tables section.
rdr on $ExtIf inet proto tcp from <spamd-white> to ($ExtIf) port smtp tag MAIL -> lo0 port smtp
rdr on $ExtIf inet proto tcp from !<spamd-white> to ($ExtIf) port smtp tag SPAMD -> lo0 port spamd

# Games (rdr to windows box)
#--> rdr-anchor "games"

# DENY rogue redirections
no rdr


################ Filtering #################################

### Use this line for OpenBSD v4.6 and later ONLY
## Packet normalization ("scrubbing")
# random-id / min-ttl 254 hide the router's IP-ID and TTL pattern on the
# WAN side; max-mss 1452 caps the TCP MSS below the Ethernet default to
# avoid fragmentation on the uplink; reassemble tcp normalizes TCP streams.
### match on $ExtIf all scrub (random-id min-ttl 254 set-tos lowdelay reassemble tcp max-mss 1452)
match on $ExtIf all scrub (random-id min-ttl 254 set-tos lowdelay reassemble tcp max-mss 1452)
### match on $ExtIf all scrub (random-id min-ttl 254 set-tos lowdelay reassemble tcp max-mss 1452)

# Deny spoofed packets
# Drops packets that arrive on an interface other than the one their source
# network belongs to (and loopback sources outside lo0); ($ExtIf) is
# evaluated dynamically so a changing WAN address is followed.
antispoof log quick for { lo0 $IntIf ($ExtIf) }
antispoof log quick for { lo0 $WifiIf ($ExtIf) }

# Samba broadcast fix
# Broadcasts to the LAN broadcast address are passed ahead of the blocks
# below.  $IntIfUdpOut is {21, 137, 138}; netbios uses 137/138, the 21 does
# not look intentional.
pass log quick on $IntIf inet proto udp from $IntIf:network to $IntIf:broadcast port $IntIfUdpOut $UdpState $IntIfSTO
pass log quick on $WifiIf inet proto udp from $WifiIf:network to $WifiIf:broadcast port $IntIfUdpOut $UdpState $IntIfSTO

# Block to/from illegal sources/destinations
# no-route: source addresses without a route in the kernel routing table.
block in log quick from no-route to any
#-->block in log quick on $ExtIf from <SLOWQUEUE> to any probability 97%
#-->block in quick on $ExtIf from <BLACKLIST> to any
# Sources pushed into <OVERLOAD_SSH> by $SshSTO.  Only the external SSH pass
# rule (currently commented out) uses that macro, so nothing populates the
# table until it is enabled.  Entries never age out on their own; expire
# them from cron with "pfctl -t OVERLOAD_SSH -T expire <seconds>".
block in quick on $ExtIf inet proto tcp from <OVERLOAD_SSH> to any port $SshPort
block in quick on $ExtIf from any to 255.255.255.255
#-->block return in quick on $IntIf from any to <BLACKLIST>
#-->block return in quick on $WifiIf from any to <BLACKLIST>
# All-hosts multicast from the LANs is refused with a reset/unreachable.
block return in quick on $IntIf from any to 224.0.0.1
block return in quick on $WifiIf from any to 224.0.0.1
# No IPv6 at all, either direction, any interface (this includes link-local
# neighbour discovery on the LANs).
block quick inet6

# BLOCK all in/out on all interfaces and log by default
# Not "quick": later pass rules override these (last match wins).  The WAN
# side drops silently (set block-policy drop); the LANs get a TCP RST /
# ICMP unreachable so local clients fail fast instead of timing out.
block log on $ExtIf
block return log on $IntIf
block return log on $WifiIf

# CARP firewall failover ( https://calomel.org/pf_carp.html )
#--> pass on $CarpIf inet proto pfsync keep state
#--> pass on { $ExtIf, $IntIf } inet proto carp keep state

# Ftp ( secure ftp-proxy )
#--> anchor "ftp-proxy/*"

# Games (rules for games on windows box)
#--> anchor "games"

  164. # $ExtIf inbound
  165. #--> pass in log on $ExtIf inet proto icmp from any to ($ExtIf) icmp-type 8 code 0 $UdpState
  166. #--> pass in log on $ExtIf inet proto tcp from $WorkSsh to lo0 port $SshPort $SynState $SshSTO queue (ssh_login, ssh_bulk) tagged OPENSSH
  167. pass in log on $ExtIf inet proto tcp from <spamd-white> to lo0 port smtp $SynState $PostfxSTO queue (mail, ack) tagged MAIL
  168. pass in log on $ExtIf inet proto tcp from !<spamd-white> to lo0 port spamd $SynState $PostfxSTO queue (spamd) tagged SPAMD
  169.  
  170. # $IntIf outbound
  171. pass out log on $IntIf inet proto tcp from $IntIf to $IntIf:network port $IntIfTcpOut $TcpState
  172. pass out log on $WifiIf inet proto tcp from $WifiIf to $WifiIf:network port $IntIfTcpOut $TcpState
  173.  
  174. pass out log on $IntIf inet proto udp from $IntIf to $IntIf:network port $IntIfUdpOut $UdpState
  175. pass out log on $WifiIf inet proto udp from $WifiIf to $WifiIf:network port $IntIfUdpOut $UdpState
  176.  
  177. pass out log on $IntIf inet proto icmp from $IntIf to $IntIf:network icmp-type 8 code 0 $UdpState
  178. pass out log on $WifiIf inet proto icmp from $WifiIf to $WifiIf:network icmp-type 8 code 0 $UdpState
  179.  
  180. # $IntIf inbound
  181. pass in log on $ExtIf inet proto tcp from $ExtIf:network to lo0 port $FtpPort $TcpState $IntIfSTO
  182. pass in log on $IntIf inet proto tcp from $IntIf:network to lo0 port $FtpPort $TcpState $IntIfSTO
  183. pass in log on $WifiIf inet proto tcp from $WifiIf:network to lo0 port $FtpPort $TcpState $IntIfSTO
  184.  
  185. pass in log on $IntIf inet proto tcp from $IntIf:network to $IntIf port $IntIfTcpIn $TcpState $IntIfSTO
  186. pass in log on $WifiIf inet proto tcp from $WifiIf:network to $WifiIf port $IntIfTcpIn $TcpState $IntIfSTO
  187.  
  188. pass in log on $IntIf inet proto tcp from $IntIf:network to !$IntIf port $AllowOUT $TcpState $ExtIfSTO
  189. pass in log on $WifiIf inet proto tcp from $WifiIf:network to !$IntIf port $AllowOUT $TcpState $ExtIfSTO
  190.  
  191. pass in log on $IntIf inet proto tcp from $HomeSsh to lo0 port $SshPort $TcpState $IntIfSTO tagged OPENSSH
  192. pass in log on $WifiIf inet proto tcp from $HomeSsh to lo0 port $SshPort $TcpState $IntIfSTO tagged OPENSSH
  193.  
  194. pass in log on $IntIf inet proto udp from $IntIf:network to lo0 port domain $UdpState $IntIfSTO tagged BINDNS
  195. pass in log on $WifiIf inet proto udp from $WifiIf:network to lo0 port domain $UdpState $IntIfSTO tagged BINDNS
  196.  
  197. pass in log on $IntIf inet proto udp from $IntIf:network to lo0 port ntp $UdpState $IntIfSTO tagged NTPD
  198. pass in log on $WifiIf inet proto udp from $WifiIf:network to lo0 port ntp $UdpState $IntIfSTO tagged NTPD
  199.  
  200. pass in log on $IntIf inet proto udp from $IntIf:network to $IntIf port $IntIfUdpIn $UdpState $IntIfSTO
  201. pass in log on $WifiIf inet proto udp from $WifiIf:network to $WifiIf port $IntIfUdpIn $UdpState $IntIfSTO
  202.  
  203. pass in log on $IntIf inet proto icmp from $IntIf:network to $IntIf icmp-type 8 code 0 $UdpState $IntIfSTO
  204. pass in log on $WifiIf inet proto icmp from $WifiIf:network to $WifiIf icmp-type 8 code 0 $UdpState $IntIfSTO
  205.  
  206. # $ExtIf outbound
  207. pass out log on $ExtIf inet proto tcp from ($ExtIf) to any $TcpState $ExtIfSTO queue (bulk, ack) tagged EGRESS
  208. pass out log on $ExtIf inet proto tcp from ($ExtIf) to any port ssh $TcpState $ExtIfSTO queue (ssh_login, ssh_bulk) tagged EGRESS
  209. pass out log on $ExtIf inet proto udp from ($ExtIf) to any $UdpState $ExtIfSTO queue (bulk) tagged EGRESS
  210. pass out log on $ExtIf inet proto udp from ($ExtIf) to any port domain $UdpState $ExtIfSTO queue (dns) tagged EGRESS
  211. pass out log on $ExtIf inet proto icmp from ($ExtIf) to any $UdpState $ExtIfSTO queue (bulk) tagged EGRESS
  212.  
  213.  
  214.  
  215. pass out on $ExtIf proto udp to any port $client_udp_services
  216. pass out on $ExtIf proto tcp to any port $client_tcp_services
  217.  
  218. pass proto icmp
  219. pass quick inet proto { tcp, udp } to any port $router_daemons
  220.  
  221. pass in quick on $WifiIf inet proto tcp from any to ($WifiIf) port 51499
  222. pass out quick on $WifiIf inet proto tcp from any to ($WifiIf) port 51499