# pre-OpenBSD 4.7## cat /usr/src/UPDATING | grep OpenBSD## https://www.f

1. # pre-OpenBSD 4.7
2. #
3. # cat /usr/src/UPDATING | grep OpenBSD
4. #
5. # https://www.freebsd.org/doc/handbook/firewalls-pf.html
6. # http://www.undeadly.org/cgi?action=article&sid=20060927091645
7. # https://calomel.org/pf_config.html
8. # https://calomel.org/pf_hfsc.html
9. # http://dant.net.ru/calomel/pf_config.html
10. # http://microsux.dk/?p=321
11. # https://ackspace.nl/wiki/OpenBSD_Firewall_/_PF
12. # http://prefetch.net/articles/monitoringpf.html
13. # http://www.skeptech.org/blog/2013/01/15/pf-limits-in-openbsd
14. # https://www.packetmischief.ca/2011/02/17/hitting-the-pf-state-table-limit
15. #
16. # PF understands rules using port names equally well as it does port numbers.
17. # The names are the ones listed in /etc/services.
18. # http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml
19. # http://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml
20. # http://www.iana.org/assignments/icmpv6-parameters/icmpv6-parameters.xhtml
21.  
22. #-------------------------------------------------------------------------------
23. # (1) PF: List and Macros
24. #-------------------------------------------------------------------------------
25.  
26. # Interfaces
27. ext_if = "bge0" # macro for external interface - use tun0 for PPPoE
28. int_if = "bge1" # macro for internal interface
29. dmz_if = "bge2" # macro for dmz interface
30. vpn_if = "tap0" # macro for OpenVPN interface
31.  
32. # External IP address
33. ext_ipv4 = "181.143.123.123"
34. ext_ipv6 = "2800:e7:a8:6123::4"
35.  
36. # Internet Control Message Protocol (ICMP) Parameters
37. # http://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml
38. icmp_types = "{ 0, 3, 8, 11, 12 }"
39. #
40. # Internet Control Message Protocol version 6 (ICMPv6) Parameters
41. # http://www.iana.org/assignments/icmpv6-parameters/icmpv6-parameters.xhtml
42. icmp6_types = "{ 1, 3, 4, 128, 133, 134, 135, 136 }"
43.  
44. # External Ports
45. ext_ports_tcp = "{ ssh, ntp, 9001, 9030, 9091 }"
46. ext_ports_udp = "{ ntp, openvpn }"
47.  
48. # Internal Ports
49. int_ports_tcp = "{ domain, bootps, dhcpv6-server, ntp, http, https, http-alt, \
50. smtp, smtps, pop3, pop3s, imap, imaps, ftp-data, ftp, ssh, cvsup, svn, \
51. 3128, 3129, 3130, 9050, 8118, 8056, 2199, 8191, 82, 2087, 8081, 8333, 1157, \
52. 2083, 8030, 9091, 10443, 3389, 8080, 81, 8086, 8000, 465, 587, 8444, \
53. 9447, 7005, 115, 8030, 444, 2222, 2096, 8040, 2082, 8289, 3000, 8050, \
54. 8051, 27643, 21234, 2086, 82, 8443, 4443, 7000, 8070, 8050, 9070 \
55. 18080:18095, 8111, 34878, 93, 182, 8091, 8543, 18255, 2880, 8888, 33, \
56. 13101, 9876, 9000, 8501, 8100, 2091, 2048, 2128, 2061, 2158, 2129, 2154, \
57. 9443, 6969, 2969, 2139, 2460 }"
58. int_ports_udp = "{ domain, bootps, dhcpv6-server, ntp, openvpn, svn, sip, snmp\
59. 8056, 500, 1000, 1000, 8289, 8291, 9000 }"
60.  
61. # NFS Server https://forums.freebsd.org/threads/5123
62. nfs_tcp = "{ sunrpc, nfsd-status, nfsd, lockd, mdc-portmapper, cryptoadmin }"
63. nfs_udp = "{ sunrpc, nfsd-keepalive, nfsd, lockd, mdc-portmapper, cryptoadmin }"
64.  
65. # FTP Ports
66. ftp_ports_tcp = "{ ftp, 2134, 9070 }"
67.  
68. # Sony Anycast
69. sonyanycast_tcp = "1935"
70.  
71. # ShoutCast
72. shoutcast_tcp = "9306"
73.  
74. # Wowza https://www.wowza.com/resources/WowzaStreamingEngine_UsersGuide.pdf
75. #wowza = "1935"
76.  
77. # Real-Time Messaging Protocol https://en.wikipedia.org/wiki/Real-Time_Messaging_Protocol
78. rtmp = "1935"
79.  
80. # Comrex ACCESS Rack & Portable 2USB http://www.comrex.com/wp-content/uploads/2015/11/4.0-ACCESS-Addendum.pdf
81. comrex_tcp = "{ 8080, 80, 8082, 8090 }"
82. comrex_udp = "{ 9000, 9001 }"
83.  
84. # Centova Cast http://www.centova.com/en/faq/cast3/information/configuring_a_firewall_for_centova_cast
85. centovacast_tcp = "{ 2199, 2197, 21, 80, 8000:10000 }"
86. centovacast_server = "62.210.203.78"
87.  
88. # Application Manager and Avid License Control http://avid.force.com/pkb/articles/en_US/troubleshooting/en436075
89. avidapplicationmanager_tcp = "{ 3443, 443, 96 }"
90.  
91. # AviWest http://www.aviwest.com/wp-content/uploads/2016/02/DMNG_StreamHub_Installation_Guide_EN_v4.pdf
92. aviwest_tcp = "8888"
93. aviwest_udp = "{ 7900:7904 }"
94.  
95. # Teradek Cube 655 https://support.teradek.com/hc/en-us/articles/225690067-What-network-ports-are-needed-for-streaming-with-Live-Air-and-Live-Air-Solo-
96. teradek_host = "{ 172.16.8.70, 172.16.8.71, 172.16.8.72, 172.16.8.92, 172.16.16.66 }"
97. teradek_tcp = "{ 1935, 80, 2543, 443, 6667 }"
98. teradek_udp = "{ 53, 5353, 554, 49513:65535, 21572 }"
99.  
100. # Datavideo NVS-25
101. datavideo_host = "172.16.16.68"
102. datavideo_tcp = "{ 1935, 80, 2543, 443, 6667, 8554, 8000, 8080, 554 }"
103. datavideo_udp = "{ 1935, 53, 5353, 554, 49513:65535, 21572, 8554 }"
104.  
105. # LiveU2000 (no esta funcionando las reglas)
106. #liveu_host = "172.16.16.23"
107. #liveu_tcp = "{ 53, 80, 443, 10020, 8400:8600, 1935, 18255, 8543, 8601:8608, 873, 1873, 22222, 5938, 8000:8007, 9000:9007, 7775, 1945, 18265 }"
108. #liveu_udp = "{ 53, 8601:8608, 8609:8615, 8620:8667, 8000:8007, 9100:9109, 9110, 9101, 9000:9007, 9008:9011, 9104:9107 }"
109.  
110. # Ofimatica
111. # Ofimatica http://www.ofimanet.com/OfimaBotInstaladores/OfimaBotEnterprise.pdf
112. # ftp user:[email protected]:9070
113. # OfimaWEB
114. ofimaweb_host = "172.16.3.3"
115. ofimaweb_tcp = "46046"
116.  
117. # P2P (firewall and P2P in same computer)
118. #
119. # Transmission Port: /usr/ports/net-p2p/transmission-daemon
120. # Transmission (tcp 51413 defaul or tcp/udp range 49152:65535)
121. rpc_port_tcp = "9091" # Control web http://<ipserver>:9091
122. peer_port_tcp = "51413"
123. peer_port_range = "{ 49152:65535 }"
124. #
125. # P2P (P2P in another computer)
126. #
127. # eMule
128. # (Server List http://emuling.net23.net/server.met Update)
129. # (KAD: http://www.emule-mods.it/download/nodes.dat Bootstrap)
130. emule_client = "172.16.50.3"
131. emule_tcp = "4662"
132. emule_udp = "{ 4665, 4672, 65535 }"
133.  
134. # VoIP Calls APP
135. #
136. # Asterisk
137. asterisk_udp = "{ 5060, 10000:20000 }"
138. #
139. # Google Hangouts -> https://support.google.com/a/answer/1279090?hl=en
140. hangouts_tcp = "{ 19305:19309 }"
141. hangouts_udp = "{ 19302:19309 }"
142. #
143. # Viber -> http://www.viberfaq.com/why-cant-i-use-viber-on-some-wi-fi-networks
144. viber_tcp = "{ 5242, 4244 }"
145. viber_udp = "{ 5243, 9785 }"
146. #
147. # Line
148. # LINE's system uses ports 80 and 443 of the TCP service.
149. # LINE Free Call UDP 389, 443, 554, 9400:9420, 10000:60000
150. # LINE Premium Call (paid service) UDP 10000:60000
151. # el ultimo rango no lo puedo abrir al ser muchos puertos
152. line_tcp = "{ 80, 443 }"
153. line_udp = "{ 389, 443, 554, 9400:9420 }"
154. #
155. # https://www.quora.com/What-is-the-port-number-for-whatsapp
156. whatsapp_tcp = "{ 4244, 5222, 5223, 5228, 5242, 50318, 59234 }"
157. #whatsapp_udp = "{ 34784, 45395, 50318, 59234, 40000:60000 }" # El rango es muy grande
158. whatsapp_udp = "{ 34784, 45395, 50318, 59234, 40000:40020 }" # Abro solo 20 puertos
159. #
160. # Panasonic -> http://ict3.com/Data/KX-TDE200/IP_Networking_Guide.pdf
161. #panasonic_tcp = "{ }"
162. #panasonic_udp = "{ 9300, 2727, 8000:8063 }"
163. #
164. # Instant Talk Mobile Tornado
165. instanttalk_tcp = "{ 8081, 26000, 843, 8082, 26001, 843 }"
166. instanttalk_udp = "{ 25000, 25001 }"
167. #
168. # Vidyo (VidyoConferencing Firewall Ports) -> http://www.vidyo.com/wp-content/uploads/VidyoConferencing_Admin_Guide_2.3-B.pdf
169. vidyo_tcp = "{ 80, 443, 17992, 17990 }"
170. vidyo_udp = "{ 50000:65535 }"
171. #
172. # FaceTime https://support.apple.com/en-us/HT202078
173. facetime_tcp = "{ 80, 443, 5223 }"
174. facetime_udp = "{ 3478:3497, 16384:16387, 16394:16402 }"
175. #
176. # iMessage
177. imessage_tcp = "{ 80, 443, 5223 }"
178.  
179. # Samba service
180. smb_tcp = "{ loc-srv, netbios-ssn, swat, microsoft-ds }"
181. smb_udp = "{ netbios-ns, netbios-dgm }"
182.  
183. # HostGator http://support.hostgator.com/articles/specialized-help/technical/commonly-used-port-numbers
184. hostgator_tcp = "{ 2082, 2083, 2086, 2087, 2095, 2096, \
185. 110, 995, 143, 993, 25, 26, 587, 465, \
186. 80, 443, 21, 990, 22, 2222, 2077, 2078, 3306, 1433, 22, 2222, \
187. 8880, 8443, 9998, 4643, 9001, 80, 4489, 5100 }"
188.  
189. # Cisco VPN Client
190. ciscovpn_tcp = "10000"
191. ciscovpn_udp = "{ 500, 4500, 10000 }"
192.  
193. # Squid-cache test
194. # Carlos Giovani Sergio Miguel
195. #squid_ipv4 = "{ 172.16.8.4, 172.16.51.12, 172.16.51.70, 172.16.2.2 }"
196. squid_ipv4 = "{ 172.16.2.2 }"
197. #squid_ipv6 = "{ fc00::8:4, fc00::2000, fc00::18f4, fc00::2:2 }"
198. squid_ipv6 = "{ fc00::2:2 }"
199.  
200. # EMG-12 S/N: M1232 05 Thernet Modbus Gateway
201. emg12_host = "172.16.23.100"
202. emg12_tcp = "2001"
203.  
204. # Datafono
205. datafono_tcp = "{ 443, 8080 }"
206.  
207. # Turibus
208. turibus_tcp = "{ 60391, 1433, 30074 }"
209.  
210. #-------------------------------------------------------------------------------
211. # (2) PF: Tables
212. #-------------------------------------------------------------------------------
213.  
214. # IPv4 RFCs
215. table <rfc1918> { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }
216. table <rfc3927> { 169.254.0.0/16 }
217. table <rfc5735> { 192.0.2.0/24 }
218. table <rfc3330> { 0.0.0.0/8 }
219. table <rfc6890> { 240.0.0.0/4 }
220.  
221. # IPv6 RFCs
222. table <rfc4193> { fc00::/7 }
223.  
224. # Examples
225. #table <clients> { 192.168.2.0/24, !192.168.2.5 }
226. #table <clients> persist file "/etc/clients"
227.  
228. # Blocklists
229. table <blocklist1>
230. table <blocklist2>
231. table <blocklist3>
232.  
233. # TOR list
234. table <torlist>
235.  
236. # Example for /etc/crontab
237. #
238. # Bocklist1
239. #00 05 * * * root /usr/bin/fetch -o /tmp/blocklist1.txt https://lists.blocklist.de/lists/all.txt >/dev/null 2>&
240. #10 05 * * * root /sbin/pfctl -t blocklist1 -T replace -f /tmp/blocklist1.txt >/dev/null 2>&1
241.  
242. #-------------------------------------------------------------------------------
243. # (3) PF: Options
244. #-------------------------------------------------------------------------------
245.  
246. # Misc Options
247. set skip on lo
248. set debug urgent
249. set block-policy drop
250. set loginterface $ext_if
251. set state-policy if-bound
252. set fingerprints "/etc/pf.os"
253. set ruleset-optimization basic
254. set optimization normal
255. set limit { states 1000000, frags 1000000, src-nodes 100000, table-entries 1000000 }
256.  
257. #-------------------------------------------------------------------------------
258. # (4) PF: Packet Queueing and Priorization
259. #-------------------------------------------------------------------------------
260.  
261. # No ALTQ support in GENERIC kernel, Build a Custom Kernel and Enabling ALTQ
262.  
263. # ISP Upload = 60Mb/s (queue at 97%)
264. altq on $ext_if bandwidth 58.20Mb hfsc queue { ack1, dns1, ssh1, web1, mail1, bulk1, bittor1, spamd1 }
265. queue ack1 bandwidth 30% qlimit 500 hfsc (realtime 20%)
266. queue dns1 bandwidth 5% qlimit 500 hfsc (realtime 5%)
267. queue ssh1 bandwidth 20% qlimit 500 hfsc (realtime 20%) {ssh1_login1, ssh1_bulk1}
268. queue ssh1_login1 bandwidth 50% qlimit 500 hfsc
269. queue ssh1_bulk1 bandwidth 50% qlimit 500 hfsc
270. queue bulk1 bandwidth 20% qlimit 500 hfsc (realtime 20% default, ecn)
271. queue web1 bandwidth 5% qlimit 500 hfsc (realtime (10%, 10000, 5%))
272. queue mail1 bandwidth 5% qlimit 500 hfsc (realtime 5%)
273. queue bittor1 bandwidth 1% qlimit 500 hfsc (upperlimit 95%)
274. queue spamd1 bandwidth 1% qlimit 500 hfsc (upperlimit 1Kb)
275.  
276. # ISP Download = 120Mb/s (queue at 97%)
277. altq on $int_if bandwidth 116.40Mb hfsc queue { ack2, dns2, ssh2, web2, mail2, bulk2, bittor2, spamd2 }
278. queue ack2 bandwidth 30% qlimit 500 hfsc (realtime 20%)
279. queue dns2 bandwidth 5% qlimit 500 hfsc (realtime 5%)
280. queue ssh2 bandwidth 20% qlimit 500 hfsc (realtime 20%) {ssh2_login2, ssh2_bulk2}
281. queue ssh2_login2 bandwidth 50% qlimit 500 hfsc
282. queue ssh2_bulk2 bandwidth 50% qlimit 500 hfsc
283. queue bulk2 bandwidth 20% qlimit 500 hfsc (realtime 20% default, ecn)
284. queue web2 bandwidth 5% qlimit 500 hfsc (realtime (10%, 10000, 5%))
285. queue mail2 bandwidth 5% qlimit 500 hfsc (realtime 5%)
286. queue bittor2 bandwidth 1% qlimit 500 hfsc (upperlimit 95%)
287. queue spamd2 bandwidth 1% qlimit 500 hfsc (upperlimit 1Kb)
288.  
289. #-------------------------------------------------------------------------------
290. # (5) PF: Netkwork Address Translation (NAT) and Packet Redirection
291. #-------------------------------------------------------------------------------
292.  
293. # No nat for this IP
294. #no nat on $ext_if inet from 172.16.52.198 to any
295. #no nat on $ext_if inet6 from fc00::1128 to any
296.  
297. # Internet (NAT IPv4 = yes | NAT IPv6 = yes)
298. nat on $ext_if inet from any to any -> $ext_ipv4
299. nat on $ext_if inet6 from any to any -> $ext_ipv6
300.  
301. # OpenVPN
302. nat on $vpn_if inet from any to any -> ($vpn_if:0)
303. nat on $vpn_if inet6 from any to any -> ($vpn_if:0)
304.  
305. # FTP-Proxy
306. nat-anchor "ftp-proxy/*"
307. rdr-anchor "ftp-proxy/*"
308.  
309. # Redirect FTP traffic to proxy (ftp-proxy)
310. rdr pass on $int_if inet proto tcp from any to any port $ftp_ports_tcp -> 127.0.0.1 port ftp-proxy
311. rdr pass on $int_if inet6 proto tcp from any to any port $ftp_ports_tcp -> ::1 port ftp-proxy
312.  
313. #=================== SQUID =====================================
314.  
315. # Intercept HTTPS CONNECT messages with SSL-Bump
316.  
317. #rdr pass on $int_if inet proto tcp from any to any port https -> 172.16.1.1 port 3130
318. #rdr pass on $int_if inet6 proto tcp from any to any port https -> fc00::1:1 port 3130
319.  
320. #rdr pass on $int_if inet proto tcp from $squid_ipv4 to any port https -> 172.16.1.1 port 3130
321. #rdr pass on $int_if inet6 proto tcp from $squid_ipv6 to any port https -> fc00::1:1 port 3130
322.  
323. #=================== SQUID =====================================
324.  
325. # DC SSH (ssh [email protected] -p 2222)
326. rdr pass on $ext_if inet proto tcp from any to port 2222 -> 172.16.3.1 port 22
327. rdr pass on $ext_if inet6 proto tcp from any to port 2222 -> fc00::3:1 port 22
328.  
329. # NS1 SSH
330. rdr pass on $ext_if inet proto tcp from any to port 2223 -> 172.16.2.1 port 22
331. rdr pass on $ext_if inet6 proto tcp from any to port 2223 -> fc00::2:1 port 22
332.  
333. # NS2 SSH
334. rdr pass on $ext_if inet proto tcp from any to port 2224 -> 172.16.2.2 port 22
335. rdr pass on $ext_if inet6 proto tcp from any to port 2224 -> fc00::2:2 port 22
336.  
337. # Servidor temporal
338. rdr pass on $ext_if inet proto tcp from any to port 2225 -> 172.16.3.111 port 22
339. rdr pass on $ext_if inet6 proto tcp from any to port 2225 -> fc00::3:111 port 22
340.  
341. # DC HTTP
342. rdr pass on $ext_if inet proto tcp from any to port http -> 172.16.3.1 port http
343. rdr pass on $ext_if inet6 proto tcp from any to port http -> fc00::3:1 port http
344.  
345. # DC HTTPS
346. rdr pass on $ext_if inet proto tcp from any to port https -> 172.16.3.1 port https
347. rdr pass on $ext_if inet6 proto tcp from any to port https -> fc00::3:1 port https
348.  
349. # DC PostgreSQL
350. rdr pass on $ext_if inet proto tcp from any to port postgresql -> 172.16.3.1 port postgresql
351. rdr pass on $ext_if inet6 proto tcp from any to port postgresql -> fc00::3:1 port postgresql
352.  
353. # UPS APC
354. rdr pass on $ext_if inet proto tcp from any to port 81 -> 172.16.22.1 port 80
355.  
356. # UPS ALPHA
357. rdr pass on $ext_if inet proto tcp from any to port 82 -> 172.16.22.2 port 80
358.  
359. # UPS Emerson
360. rdr pass on $ext_if inet proto tcp from any to port 83 -> 172.16.22.3 port 80
361.  
362. # AIRE Jhonson Controller
363. rdr pass on $ext_if inet proto tcp from any to port 85 -> 172.16.18.1 port 80
364.  
365. # Receptor Tandberg RX8200
366. #rdr pass on $ext_if inet proto tcp from any to port 86 -> 172.16.16.65 port 80
367.  
368. # Receptor Tandberg RX8200
369. #rdr pass on $ext_if inet proto tcp from any to port 87 -> 172.16.16.64 port 80
370.  
371. # Matrox Monarch MGX1920 S/N: BP81698
372. rdr pass on $ext_if inet proto tcp from any to port 88 -> 172.16.16.66 port 80
373.  
374. # Data Video
375. rdr pass on $ext_if inet proto tcp from any to port 89 -> 172.16.16.68 port 80
376.  
377. # Redireccion Escritorio Remoto Windows (FOXTROT)
378. rdr pass on $ext_if inet proto tcp from any to port 3389 -> 172.16.3.3 port 3389
379.  
380. # Redireccion Escritorio Remoto Windows (MXL7012PZ3)
381. rdr pass on $ext_if inet proto tcp from any to port 3390 -> 172.16.8.32 port 3389
382.  
383. # HP Compaq Pro 6300 SFF MXL2491K5M (Carlos Duque)
384. rdr pass on $ext_if inet proto tcp from any to port 3391 -> 172.16.9.4 port 3389
385.  
386. # HP Compaq Elite 8300 Convertible Microtower S/N: MXL3151M2M
387. # Windows Remote Desktop
388. rdr pass on $ext_if inet proto tcp from any to port 3392 -> 172.16.8.47 port 3389
389. rdr pass on $ext_if inet6 proto tcp from any to port 3392 -> fc00::8:47 port 3389
390. # RealVNC
391. rdr pass on $ext_if inet proto tcp from any to port 5900 -> 172.16.8.47 port 5900
392. rdr pass on $ext_if inet6 proto tcp from any to port 5900 -> fc00::8:47 port 5900
393.  
394. # Clear-Com -> IVC32
395. rdr pass on $ext_if inet proto { tcp, udp } from any to port 6001 -> 172.16.16.41 port 6001
396.  
397. # ConcertPC -> ConcertServer (CentOS)
398. rdr pass on $ext_if inet proto { tcp, udp } from any to port 6002 -> 172.16.16.47 port 6001
399.  
400. # Panasonic KX-TDE200BX
401. #rdr pass on $ext_if inet proto tcp from any to port $panasonic_udp -> 172.16.12.1
402.  
403. # Control
404. rdr pass on $ext_if inet proto tcp from any to port 554 -> 172.16.16.16 port 554
405.  
406. # Link Electronics SCE-492 S/N: 171 (Closed Caption)
407. rdr pass on $ext_if inet proto tcp from any to port 10001 -> 172.16.16.59
408.  
409. # HP HP Compaq d220 MT S/N: MXD412067V
410. rdr pass on $ext_if inet proto { tcp, udp } from any to port 5003 -> 172.16.8.48
411.  
412. # Asterisk
413. rdr pass on $ext_if inet proto udp from any to port $asterisk_udp -> 172.16.3.1
414. rdr pass on $ext_if inet6 proto udp from any to port $asterisk_udp -> fc00::3:1
415.  
416. # eMule
417. rdr pass on $ext_if inet proto tcp from any to port $emule_tcp -> $emule_client
418. rdr pass on $ext_if inet proto udp from any to port $emule_udp -> $emule_client
419.  
420. # Liveu2000 (no esta funcionando las reglas)
421. #rdr pass on $ext_if inet proto tcp from any to port $liveu_tcp -> $liveu_host
422. #rdr pass on $ext_if inet proto udp from any to port $liveu_udp -> $liveu_host
423.  
424. # OfimaWEB
425. rdr pass on $ext_if inet proto tcp from any to port $ofimaweb_tcp -> $ofimaweb_host
426.  
427. # EMG-12 S/N: M1232 05 Thernet Modbus Gateway
428. rdr pass on $ext_if inet proto tcp from any to port $emg12_tcp -> $emg12_host
429.  
430. #-------------------------------------------------------------------------------
431. # (6) PF: Packet Filtering
432. #-------------------------------------------------------------------------------
433.  
434. # FTP-Proxy
435. # We need to have an anchor for ftp-proxy
436. anchor "ftp-proxy/*"
437.  
438. # Blocking Spoofed Packets (Paquetes Falsificados)
439. # https://home.nuug.no/~peter/pf/newest/antispoof.html
440. antispoof for $ext_if
441. antispoof for $int_if
442.  
443. # Default block all
444. block log all
445.  
446. #-------------------------------------------------------------------------------
447. # Filter rules for $ext_if inbound
448.  
449. # Temporarily allow all, do not leave active!
450. #pass in log on $ext_if inet proto tcp from any to any
451. #pass in log on $ext_if inet6 proto tcp from any to any
452. #pass in log on $ext_if inet proto udp from any to any
453. #pass in log on $ext_if inet6 proto udp from any to any
454.  
455. # SSH
456. pass in log on $ext_if inet proto tcp from any to port ssh
457. pass in log on $ext_if inet6 proto tcp from any to port ssh
458.  
459. # Web
460. pass in log on $ext_if inet proto tcp from any to any port { http, https }
461. pass in log on $ext_if inet6 proto tcp from any to any port { http, https }
462.  
463. # External Ports
464. pass in log on $ext_if inet proto tcp from any to any port $ext_ports_tcp
465. pass in log on $ext_if inet6 proto tcp from any to any port $ext_ports_tcp
466. pass in log on $ext_if inet proto udp from any to any port $ext_ports_udp
467. pass in log on $ext_if inet6 proto udp from any to any port $ext_ports_udp
468.  
469. # Allow in the default range for traceroute(8)
470. # "base+nhops*nqueries-1" (33434+64*3-1)
471. pass in log on $ext_if inet proto udp from any to any port 33434:33625
472. pass in log on $ext_if inet6 proto udp from any to any port 33434:33625
473.  
474. # Allow in ICMP Traffic
475. pass in log quick on $ext_if inet proto icmp icmp-type $icmp_types
476. pass in log quick on $ext_if inet6 proto icmp6 icmp6-type $icmp6_types
477.  
478. # IPv4 RFCs
479. block drop in log quick on $ext_if inet from { <rfc1918>, <rfc3927>, <rfc5735>, <rfc3330>, <rfc6890> }
480.  
481. # IPv6 RFCs
482. block drop in log quick on $ext_if inet6 from { <rfc4193> }
483.  
484. # Examples
485. #pass in log on $ext_if inet from { <clients> }
486.  
487. # Blocklists
488. block drop in log quick on $ext_if inet from { <blocklist1>, <blocklist2>, <blocklist3> }
489. block drop in log quick on $ext_if inet6 from { <blocklist1>, <blocklist2>, <blocklist3> }
490.  
491. # TOR list
492. #block drop in log quick on $ext_if inet from <torlist>
493. #block drop in log quick on $ext_if inet6 from <torlist>
494.  
495. #-------------------------------------------------------------------------------
496. # Filter rules for $ext_if outbound
497.  
498. # Server out to all # Upload (1)
499. pass out log on $ext_if inet proto tcp from ($ext_if) to any queue (bulk1, ack1)
500. pass out log on $ext_if inet6 proto tcp from ($ext_if) to any queue (bulk1, ack1)
501. pass out log on $ext_if inet proto udp from ($ext_if) to any queue (bulk1, ack1)
502. pass out log on $ext_if inet6 proto udp from ($ext_if) to any queue (bulk1, ack1)
503.  
504. # SSH
505. pass out log on $ext_if inet proto tcp from ($ext_if) to any port ssh queue (ssh1_bulk1, ssh1_login1)
506. pass out log on $ext_if inet6 proto tcp from ($ext_if) to any port ssh queue (ssh1_bulk1, ssh1_login1)
507.  
508. # Web
509. pass out log on $ext_if inet proto tcp from ($ext_if) to any port { http, https } queue (web1, ack1)
510. pass out log on $ext_if inet6 proto tcp from ($ext_if) to any port { http, https } queue (web1, ack1)
511.  
512. # Mail
513. pass out log on $ext_if inet proto tcp from ($ext_if) to any port { smtp, smtps, pop3, pop3s, imap, imaps, 465, 587 } queue (mail1, ack1)
514. pass out log on $ext_if inet6 proto tcp from ($ext_if) to any port { smtp, smtps, pop3, pop3s, imap, imaps, 465, 587 } queue (mail1, ack1)
515.  
516. # DNS
517. pass out log on $ext_if inet proto udp from ($ext_if) to any port domain queue (dns1, ack1)
518. pass out log on $ext_if inet6 proto udp from ($ext_if) to any port domain queue (dns1, ack1)
519.  
520. # All other UDP
521. pass out log on $ext_if inet proto udp from ($ext_if) to any queue (bulk1, ack1)
522. pass out log on $ext_if inet6 proto udp from ($ext_if) to any queue (bulk1, ack1)
523.  
524. # Allow in the default range for traceroute(8)
525. # "base+nhops*nqueries-1" (33434+64*3-1)
526. pass out log on $ext_if inet proto udp from ($ext_if) to any port 33434:33625 queue (ack1)
527. pass out log on $ext_if inet6 proto udp from ($ext_if) to any port 33434:33625 queue (ack1)
528.  
529. # Allow out ICMP Traffic
530. pass out log quick on $ext_if inet proto icmp icmp-type $icmp_types queue (ack1)
531. pass out log quick on $ext_if inet6 proto icmp6 icmp6-type $icmp6_types queue (ack1)
532.  
533. # IPv4 RFCs
534. block drop out log quick on $ext_if inet from { <rfc1918>, <rfc3927>, <rfc5735>, <rfc3330>, <rfc6890> }
535.  
536. # IPv6 RFCs
537. block drop out log quick on $ext_if inet6 from { <rfc4193> }
538.  
539. # Examples
540. #pass out log on $ext_if inet from { <clients> }
541.  
542. # Blocklists
543. block drop out log quick on $ext_if inet from { <blocklist1>, <blocklist2>, <blocklist3> }
544. block drop out log quick on $ext_if inet6 from { <blocklist1>, <blocklist2>, <blocklist3> }
545.  
546. # TOR list
547. #block drop out log quick on $ext_if inet from <torlist>
548. #block drop out log quick on $ext_if inet6 from <torlist>
549.  
550. #-------------------------------------------------------------------------------
551. # Filter rules for $int_if inbound
552.  
553. # Temporarily allow all, do not leave active!
554. #pass in log on $int_if inet proto tcp from any to any
555. #pass in log on $int_if inet6 proto tcp from any to any
556. #pass in log on $int_if inet proto udp from any to any
557. #pass in log on $int_if inet6 proto udp from any to any
558.  
559. # Temporarily allow all to one computer
560. pass in log on $int_if inet proto tcp from 172.16.12.214 to any
561. #pass in log on $int_if inet6 proto tcp from fc00::1d8e to any
562. pass in log on $int_if inet proto udp from 172.16.12.214 to any
563. #pass in log on $int_if inet6 proto udp from fc00::1d8e to any
564.  
565. # Internal Ports
566. pass in log on $int_if inet proto tcp from any to any port $int_ports_tcp
567. pass in log on $int_if inet6 proto tcp from any to any port $int_ports_tcp
568. pass in log on $int_if inet proto udp from any to any port $int_ports_udp
569. pass in log on $int_if inet6 proto udp from any to any port $int_ports_udp
570.  
571. # Allow in the default range for traceroute(8)
572. # "base+nhops*nqueries-1" (33434+64*3-1)
573. pass in log on $int_if inet proto udp from any to any port 33434:33625
574. pass in log on $int_if inet6 proto udp from any to any port 33434:33625
575.  
576. # VoIP Calls APP
577. #
578. # Google Hangouts
579. pass in log on $int_if inet proto tcp from any to any port $hangouts_tcp
580. pass in log on $int_if inet6 proto tcp from any to any port $hangouts_tcp
581. pass in log on $int_if inet proto udp from any to any port $hangouts_udp
582. pass in log on $int_if inet6 proto udp from any to any port $hangouts_udp
583. #
584. # Viber
585. #pass in log on $int_if inet proto tcp from any to any port $viber_tcp
586. #pass in log on $int_if inet6 proto tcp from any to any port $viber_tcp
587. #pass in log on $int_if inet proto udp from any to any port $viber_udp
588. #pass in log on $int_if inet6 proto udp from any to any port $viber_udp
589. #
590. # Line
591. #pass in log on $int_if inet proto tcp from any to any port $line_tcp
592. #pass in log on $int_if inet6 proto tcp from any to any port $line_tcp
593. #pass in log on $int_if inet proto udp from any to any port $line_udp
594. #pass in log on $int_if inet6 proto udp from any to any port $line_udp
595. #
596. # WhatsApp
597. pass in log on $int_if inet proto tcp from any to any port $whatsapp_tcp
598. pass in log on $int_if inet6 proto tcp from any to any port $whatsapp_tcp
599. pass in log on $int_if inet proto udp from any to any port $whatsapp_udp
600. pass in log on $int_if inet6 proto udp from any to any port $whatsapp_udp
601. #
602. # Instant Talk Mobile Tornado
603. #pass in log on $int_if inet proto tcp from any to any port $instanttalk_tcp
604. #pass in log on $int_if inet6 proto tcp from any to any port $instanttalk_tcp
605. #pass in log on $int_if inet proto udp from any to any port $instanttalk_udp
606. #pass in log on $int_if inet6 proto udp from any to any port $instanttalk_udp
607. #
608. # Vidyo
609. #pass in log on $int_if inet proto tcp from any to any port $vidyo_tcp
610. #pass in log on $int_if inet6 proto tcp from any to any port $vidyo_tcp
611. #pass in log on $int_if inet proto udp from any to any port $vidyo_udp
612. #pass in log on $int_if inet6 proto udp from any to any port $vidyo_udp
613. #
614. # FaceTime
615. pass in log on $int_if inet proto tcp from any to any port $facetime_tcp
616. pass in log on $int_if inet6 proto tcp from any to any port $facetime_tcp
617. pass in log on $int_if inet proto udp from any to any port $facetime_udp
618. pass in log on $int_if inet6 proto udp from any to any port $facetime_udp
619. #
620. # iMessage
621. pass in log on $int_if inet proto tcp from any to any port $imessage_tcp
622. pass in log on $int_if inet6 proto tcp from any to any port $imessage_tcp
623.  
624. # SAMBA from LAN
625. pass in log on $int_if inet proto tcp from any to any port $smb_tcp
626. pass in log on $int_if inet6 proto tcp from any to any port $smb_tcp
627. pass in log on $int_if inet proto udp from any to any port $smb_udp
628. pass in log on $int_if inet6 proto udp from any to any port $smb_udp
629.  
630. # HostGator
631. pass in log on $int_if inet proto tcp from any to any port $hostgator_tcp
632. pass in log on $int_if inet6 proto tcp from any to any port $hostgator_tcp
633.  
634. # Cisco VPN Client
635. pass in log on $int_if inet proto tcp from any to any port $ciscovpn_tcp
636. pass in log on $int_if inet6 proto tcp from any to any port $ciscovpn_tcp
637. pass in log on $int_if inet proto udp from any to any port $ciscovpn_udp
638. pass in log on $int_if inet6 proto udp from any to any port $ciscovpn_udp
639.  
640. # NFS
641. pass in log on $int_if inet proto tcp from any to any port $nfs_tcp
642. pass in log on $int_if inet6 proto tcp from any to any port $nfs_tcp
643. pass in log on $int_if inet proto udp from any to any port $nfs_udp
644. pass in log on $int_if inet6 proto udp from any to any port $nfs_udp
645.  
646. # Sony Anycast
647. pass in log on $int_if inet proto tcp from any to any port $sonyanycast_tcp
648. pass in log on $int_if inet6 proto tcp from any to any port $sonyanycast_tcp
649.  
650. # ShoutCast
651. pass in log on $int_if inet proto tcp from any to any port $shoutcast_tcp
652. pass in log on $int_if inet6 proto tcp from any to any port $shoutcast_tcp
653.  
654. # Wowza
655. #pass in log on $int_if inet proto tcp from any to any port $wowza
656. #pass in log on $int_if inet6 proto tcp from any to any port $wowza
657.  
658. # Real-Time Messaging Protocol
659. pass in log on $int_if inet proto tcp from any to any port $rtmp
660. pass in log on $int_if inet6 proto tcp from any to any port $rtmp
661.  
662. # Comrex ACCESS Rack & Portable 2USB
663. pass in log on $int_if inet proto tcp from any to any port $comrex_tcp
664. pass in log on $int_if inet6 proto tcp from any to any port $comrex_tcp
665. pass in log on $int_if inet proto udp from any to any port $comrex_udp
666. pass in log on $int_if inet6 proto udp from any to any port $comrex_udp
667.  
668. # Centova Cast
669. pass in log on $int_if inet proto tcp from any to $centovacast_server port $centovacast_tcp
670.  
671. # Application Manager and Avid License Control
672. pass in log on $int_if inet proto tcp from any to any port $avidapplicationmanager_tcp
673. pass in log on $int_if inet6 proto tcp from any to any port $avidapplicationmanager_tcp
674.  
675. # Aviwest
676. pass in log on $int_if inet proto tcp from any to any port $aviwest_tcp
677. pass in log on $int_if inet6 proto tcp from any to any port $aviwest_tcp
678. pass in log on $int_if inet proto udp from any to any port $aviwest_udp
679. pass in log on $int_if inet6 proto udp from any to any port $aviwest_udp
680.  
681. # Teradek Cube 655
682. pass in log on $int_if inet proto tcp from $teradek_host to any port $teradek_tcp
683. pass in log on $int_if inet proto udp from $teradek_host to any port $teradek_udp
684.  
685. # Datavideo NVS-25
686. pass in log on $int_if inet proto tcp from $datavideo_host to any port $datavideo_tcp
687. pass in log on $int_if inet proto udp from $datavideo_host to any port $datavideo_udp
688.  
689. # LiveU2000 (no esta funcionando las reglas)
690. #pass in log on $int_if inet proto tcp from $liveu_host to any port $liveu_tcp
691. #pass in log on $int_if inet proto udp from $liveu_host to any port $liveu_udp
692.  
693. # OfimaWEB
694. pass in log on $int_if inet proto tcp from $ofimaweb_host to any port $ofimaweb_tcp
695.  
696. # EMG-12 S/N: M1232 05 Thernet Modbus Gateway
697. pass in log on $int_if inet proto tcp from $emg12_host to any port $emg12_tcp
698.  
699. # Datafono
700. pass in log on $int_if inet proto tcp from any to any port $datafono_tcp
701. pass in log on $int_if inet6 proto tcp from any to any port $datafono_tcp
702.  
703. # Turibus
704. pass in log on $int_if inet proto tcp from any to any port $turibus_tcp
705. pass in log on $int_if inet6 proto tcp from any to any port $turibus_tcp
706.  
707. # Allow in ICMP Traffic
708. pass in log quick on $int_if inet proto icmp icmp-type $icmp_types
709. pass in log quick on $int_if inet6 proto icmp6 icmp6-type $icmp6_types
710.  
711. #-------------------------------------------------------------------------------
712. # Filter rules for $int_if outbound
713.  
714. # Server out to all # Download (2)
715. pass out log on $int_if inet proto tcp from any to any queue (bulk2, ack2)
716. pass out log on $int_if inet6 proto tcp from any to any queue (bulk2, ack2)
717. pass out log on $int_if inet proto udp from any to any queue (bulk2, ack2)
718. pass out log on $int_if inet6 proto udp from any to any queue (bulk2, ack2)
719.  
720. # SSH
721. pass out log on $int_if inet proto tcp from any to any port ssh queue (ssh2_bulk2, ssh2_login2)
722. pass out log on $int_if inet6 proto tcp from any to any port ssh queue (ssh2_bulk2, ssh2_login2)
723.  
724. # Web
725. pass out log on $int_if inet proto tcp from any to any port { http, https } queue (web2, ack2)
726. pass out log on $int_if inet6 proto tcp from any to any port { http, https } queue (web2, ack2)
727.  
728. # Mail
729. pass out log on $int_if inet proto tcp from any to any port { smtp, smtps, pop3, pop3s, imap, imaps, 465, 587 } queue (mail2, ack2)
730. pass out log on $int_if inet6 proto tcp from any to any port { smtp, smtps, pop3, pop3s, imap, imaps, 465, 587 } queue (mail2, ack2)
731.  
732. # DNS
733. pass out log on $int_if inet proto tcp from any to any port domain queue (dns2, ack2)
734. pass out log on $int_if inet6 proto tcp from any to any port domain queue (dns2, ack2)
735.  
736. # Allow in the default range for traceroute(8)
737. # "base+nhops*nqueries-1" (33434+64*3-1)
738. pass out log on $int_if inet proto udp from any to any port 33434:33625 queue (ack2)
739. pass out log on $int_if inet6 proto udp from any to any port 33434:33625 queue (ack2)
740.  
741. # Allow out ICMP Traffic
742. pass out log quick on $int_if inet proto icmp icmp-type $icmp_types queue (ack2)
743. pass out log quick on $int_if inet6 proto icmp6 icmp6-type $icmp6_types queue (ack2)
744.  
745. #-------------------------------------------------------------------------------
746. # Filter rules for $dmz_if inbound
747.  
748. # Future rules here
749.  
750. #-------------------------------------------------------------------------------
751. # Filter rules for $int_if_dmz outbound
752.  
753. # Future rules here
754.  
755. #-------------------------------------------------------------------------------
756. # Filter rules for $vpn_if inbound
757.  
758. # Allow in all
759. pass in log on $vpn_if inet proto tcp from any to any
760. pass in log on $vpn_if inet6 proto tcp from any to any
761. pass in log on $vpn_if inet proto udp from any to any
762. pass in log on $vpn_if inet6 proto udp from any to any
763.  
764. # Allow in ICMP Traffic
765. pass in log quick on $vpn_if inet proto icmp icmp-type $icmp_types
766. pass in log quick on $vpn_if inet6 proto icmp6 icmp6-type $icmp6_types
767.  
768. #-------------------------------------------------------------------------------
769. # Filter rules for $vpn_if outbound
770.  
771. # Allow out all
772. pass out log on $vpn_if inet proto tcp from any to any
773. pass out log on $vpn_if inet6 proto tcp from any to any
774. pass out log on $vpn_if inet proto udp from any to any
775. pass out log on $vpn_if inet6 proto udp from any to any
776.  
777. # Allow out ICMP Traffic
778. pass out log quick on $vpn_if inet proto icmp icmp-type $icmp_types
779. pass out log quick on $vpn_if inet6 proto icmp6 icmp6-type $icmp6_types
780.  
781. #-------------------------------------------------------------------------------