- # Macros: host roles on the two public /28s.  Several roles share one address
- # ($tacchat and $devel both resolve to 88.212.205.4; $extmail, $postgres and
- # $main all resolve to 88.212.205.9), so a rule written for one role also
- # admits traffic to every other role on that host.
- ext_if="em0" # replace with actual external interface name e.g., dc0
- extmail="88.212.205.9"
- mailtrap="88.212.205.8"
- mysql="88.212.204.52"
- postgres="88.212.205.9"
- tacchat="88.212.205.4"
- devel="88.212.205.4"
- main="88.212.205.9"
- # NOTE(review): self-referential.  This only expands if clients_mail is
- # supplied from outside the file (e.g. pfctl -D clients_mail=<addr>);
- # otherwise pfctl should reject the ruleset for an undefined macro.  Confirm
- # how the ruleset is loaded before relying on the "pass in ... to
- # $clients_mail" rule below.
- clients_mail="$clients_mail"
- # Address tables.  <devel>, <mail> and <users> are built from the macros
- # above.  "const" tables cannot be modified at runtime (pfctl -t); "persist"
- # tables are kept even while no rule references them, so they can be filled
- # from outside pf by other tools.
- table <devel> { $devel, 88.212.205.14 }
- table <mail> { $extmail, $mailtrap, 88.212.205.2 }
- table <users> { 88.212.205.6, 88.212.205.7 }
- table <infotel> const { 195.170.192.0/19, 213.165.192.0/19 }
- table <galaxy> const { 148.251.68.252/32 }
- # <me>: this host's own public ranges; used to exempt local traffic from NAT
- # and as a fully trusted source below.
- table <me> const { 88.212.204.48/28, 88.212.205.0/28 }
- # NOTE(review): <test_ddos> and <bot> are not referenced by any rule in this
- # file, so adding addresses to them has no effect unless rules are loaded
- # elsewhere -- verify, or drop them.
- table <test_ddos> persist
- table <bot> persist
- # Presumably populated by sshguard; matched by the quick block rules below.
- table <sshguard> persist
- # Matched by a non-quick block rule below (see the note there).
- table <totalblock> persist
- # Options: tune the behavior of pf, default values are given.
- #set timeout { interval 10, frag 30 }
- #set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
- #set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
- #set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
- #set timeout { icmp.first 20, icmp.error 10 }
- #set timeout { other.first 60, other.single 30, other.multiple 60 }
- #set timeout { adaptive.start 0, adaptive.end 0 }
- # Memory limits raised above the defaults.  table-entries has to cover the
- # file-loaded <zombie> table plus the spamd tables, which grow at runtime.
- set limit { states 50000, frags 20000, src-nodes 20000 }
- set limit table-entries 200000
- # Interfaces excluded from filtering and translation entirely: loopback, the
- # jail epair and both bridges.  Traffic on them is implicitly trusted, so
- # nothing below applies to it.
- set skip on lo0
- set skip on epair2a
- set skip on bridge0
- set skip on bridge1
- #set loginterface none
- #set optimization normal
- # Blocked packets are answered (TCP RST / ICMP unreachable) rather than
- # silently dropped, except where a rule says "block drop" explicitly.
- set block-policy return
- #set require-order yes
- #set fingerprints "/etc/pf.os"
- # Normalize all inbound packets (fragment reassembly etc.) before filtering.
- scrub in all
- # Known-zombie sender list, seeded from a file at load time.
- table <zombie> file "/etc/pf/zombie" persist
- # spamd greylisting tables.  <spamd-white> is spamd's own whitelist;
- # <spamd-mywhite> is the locally maintained one loaded from a file.
- table <spamd> persist
- table <spamd-white> persist
- table <spamd-mywhite> persist file "/usr/local/etc/spamd/mywhite"
- # Filtering: the implicit first two rules are
- #pass in all
- #pass out all
- # Translation.  Unlike filter rules, the FIRST matching nat/rdr rule wins,
- # so the "no rdr" exemptions must stay above the rdr rules they exempt.
- no rdr on { lo0, lo1 } from any to any
- # Local-to-local TCP is never redirected.
- no rdr inet proto tcp from { 88.212.204.48/28, 88.212.205.0/28} to {88.212.204.48/28, 88.212.205.0/28}
- # Zombies are not sent to spamd; they fall through to the filter rules, where
- # a quick block rejects them to <mail>.
- no rdr on $ext_if inet proto tcp from <zombie> to any
- # Outbound NAT for the private ranges.  ($ext_if) / ($ext_if:0) follow the
- # interface's current (first) address instead of a fixed one.  Traffic from
- # 10/8 to this host's own ranges (<me>) is left untranslated.
- nat on $ext_if inet from 172.16.145.0/24 to any -> $devel
- nat on $ext_if inet from 10.145.1.13/32 to any -> ($ext_if)
- nat on $ext_if inet from 10.0.0.0/8 to !<me> -> ($ext_if:0)
- # Inbound SMTP to <mail>: whitelisted senders reach the real MTA on $extmail;
- # everything else is redirected to the local spamd for greylisting.
- # "rdr pass" means the redirected connections bypass the filter rules below.
- rdr pass on $ext_if inet proto tcp from <spamd-white> to <mail> port smtp -> $extmail port smtp
- rdr pass on $ext_if inet proto tcp from <spamd> to <mail> port smtp -> 127.0.0.1 port spamd
- rdr pass on $ext_if inet proto tcp from !<spamd-mywhite> to <mail> port smtp -> 127.0.0.1 port spamd
- # NOTE(review): forwards $main:4443 to an external host.  rdr only rewrites the
- # destination, so the reply path depends on 91.238.120.141 routing back
- # through this box; if it does not, a matching nat rule is needed -- verify.
- rdr pass on $ext_if inet proto tcp from any to $main port 4443 -> 91.238.120.141 port 443
- #block in log on $ext_if proto tcp from ! <russia> to $main port 80
- # Filter rules.  The LAST matching rule wins unless it carries "quick", so
- # order is significant everywhere below.
- pass quick on lo0
- # Everything to $devel (88.212.205.4, also $tacchat) is admitted quick on all
- # protocols and ports.  The narrower $devel rules further down never decide
- # for this host; only the other <devel> member (88.212.205.14) is limited.
- pass in quick on $ext_if to $devel
- # NOTE(review): dead rule -- it is not quick and is overridden by the
- # "block in log on $ext_if" below; the identical rule after the block is
- # the one that takes effect.
- pass in on $ext_if from 195.170.218.45
- # Only these two hosts may deliver to the interface address on smtp; submission
- # on 88.212.205.2 is open to any source.
- pass in quick on $ext_if proto tcp from { 88.212.205.7, 88.212.205.12 } to ($ext_if) port smtp keep state
- pass in quick on $ext_if proto tcp to { 88.212.205.2 } port submission keep state
- # Default inbound policy on the public interface: deny and log.  Interfaces
- # other than $ext_if (and those in "set skip") have no default deny.
- block in log on $ext_if
- pass out
- # No "on" clause: these apply on every interface not in "set skip".
- pass in proto udp to port { domain, ntp, openvpn }
- # Publicly reachable TCP services.  Port 1080 is taken back by a later block
- # rule; 3128 (proxy), 4949 (munin) and pptp are open to any source.
- pass in on $ext_if proto tcp to port { domain, ftp, ftp-data, ssh, smtp, http, https, submission, pop3, pop3s, imap, imaps, openvpn, 4949, 3128, 1080, 4443, 3000, pptp }
- pass in on $ext_if proto tcp to <devel> port 3000:3100
- pass in on $ext_if proto tcp to <devel> port 8000:8100
- # Database ports are exposed to any source on $ext_if.
- pass in on $ext_if proto tcp to $mysql port mysql
- pass in on $ext_if proto tcp to $postgres port postgresql
- # Quick and without an "on" clause: stops evaluation for anything from
- # <sshguard> on every interface, all protocols.
- block drop in log quick from <sshguard>
- # NOTE(review): not quick, so the later pass rules (SMTP to <mail>, ICMP, the
- # UDP 49152:65535 range, the trusted-source tables) still admit hosts listed
- # in <totalblock>.  Add "quick" if this table is meant to be absolute.
- block log on $ext_if from <totalblock>
- # Zombies that were exempted from the spamd rdr above are rejected here.
- block drop in quick on $ext_if proto tcp from <zombie> to <mail> port smtp
- block drop in quick on $ext_if proto tcp from <zombie> to <mail> port submission
- # NOTE(review): unreachable -- every packet this rule could match is already
- # caught by the quick "block drop in log quick from <sshguard>" above, so the
- # "ssh sshguard" label never accumulates counters.  Move it above that rule
- # or drop it.
- block in log quick on $ext_if proto tcp from <sshguard> to any port 22 label "ssh sshguard"
- # SMTP to <mail> and HTTP to the interface address.  "flags S/SA" means only
- # initial SYNs create state.  Most inbound SMTP is already handled by the
- # "rdr pass" rules above; this covers what was left untranslated.
- pass in on $ext_if inet proto tcp from any to <mail> port smtp flags S/SA keep state
- # Only 88.212.205.2 may originate outbound SMTP through this rule.
- pass out on $ext_if inet proto tcp from 88.212.205.2 to any port smtp flags S/SA keep state
- pass in on $ext_if inet proto tcp from any to ($ext_if) port http flags S/SA
- # Per-user egress restrictions: "user" matches the uid owning the local
- # socket.  Outbound SMTP from <users> is blocked outright, presumably so those
- # accounts cannot send mail directly -- confirm against the local policy.
- block out quick log proto tcp from 88.212.205.5 to any port { 80, 5567 } user 11068
- block out quick log on $ext_if proto tcp from <users> to any port smtp flags S/SA
- block in quick log on $ext_if proto tcp from any to <users> port > 20000 flags S/SA
- block out quick log on $ext_if proto tcp from <users> to any port > 1024 user 10657 flags S/SA
- block out log on $ext_if proto tcp from 88.212.205.12 to any port smtp
- # Internal services that must not be reachable from the outside.  None of
- # these are quick, so the trusted-source pass rules further down
- # (<infotel>, <me>, <galaxy>) still override them.
- block in log on $ext_if proto tcp to any port { 5433, 11211 }
- block in log on $ext_if proto tcp to { 88.212.205.6, 88.212.205.5 } port mysql
- block in log on $ext_if proto tcp to port 9000:10000
- block in log on $ext_if proto tcp to any port { 25672, 5672, 10024, 783, 6379 }
- block in log on $ext_if proto udp to any port 59721
- # Takes port 1080 back out of the public TCP port list above.
- block in log on $ext_if proto { tcp, udp } to any port 1080
- # Fully trusted source networks: no "on" clause and no protocol or port
- # restriction, so traffic from these tables passes on every interface and
- # overrides every non-quick block above (5433, 11211, mysql, redis, ...).
- pass in from <infotel>
- pass in from <me>
- pass in from <galaxy>
- # All ICMP types from any source.
- pass in on $ext_if proto icmp
- pass in proto { tcp, udp } to port 4569
- # Effective version of the identically worded rule above the default block.
- pass in on $ext_if from 195.170.218.45
- # All protocols and ports to $clients_mail (defined via the self-referential
- # macro at the top).
- pass in on $ext_if to $clients_mail
- pass in on $ext_if proto tcp to $tacchat port ircd
- pass in on $ext_if proto { tcp, udp } to port { 3478, 3479 }
- # Whole dynamic UDP range open to any source, on every host behind $ext_if.
- pass in on $ext_if proto udp to port 49152:65535
- pass in on $ext_if from 109.252.33.32
- # NOTE(review): NetBIOS/SMB (138, 139, 445) on $main is reachable from any
- # source.  These ports are normally restricted to a trusted source table
- # such as <me>; confirm this exposure is intended.
- pass in on $ext_if proto { tcp, udp } to $main port { 138, 139, 445 }
- pass in on $ext_if from 91.232.135.246
- # Redundant: "pass in quick on $ext_if to $devel" above already admits
- # everything to $devel before this rule is reached.
- pass in on $ext_if proto tcp to $devel port { http, https, 5173 }
- # rabbitmq
- # Not quick and not logged.  25672 is already blocked (with log) above, and
- # the trusted-source pass rules still override this rule.
- block in on $ext_if proto tcp to port { 4369, 25672 }