- # pf.conf for a host on wlan0 with a VirtualBox host-only interface:
- # outbound-only policy (all inbound is dropped and logged), FTP handled
- # through ftp-proxy.  pf is last-match unless a rule says "quick", so the
- # order of the rules below is significant.
- # Macros
- ext_if="wlan0"
- int_if="vboxnet0"
- #ext_if="em0"
- # Where ftp-proxy listens; used only by the rdr rule below
- proxy="127.0.0.1"
- proxyport="8021"
- # Known ports for outgoing traffic
- tcp_services = "{ www, https, domain }"
- udp_services = "{ domain, ntp }"
- # Tables
- # Non-routable addresses
- # "const" makes the table immutable at runtime, "persist" keeps it loaded
- # even if no rule references it.  192.168.0.0/16 is deliberately not in the
- # table: it is added only to the inbound block rule further down, so
- # outbound traffic to 192.168.0.0/16 is not blocked by <unwanted>.
- table <unwanted> const persist {127.0.0.0/8, 172.16.0.0/12,\
- 10.0.0.0/8, 0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24,\
- 240.0.0.0/4, 255.255.255.255/32}
- # Options
- # lo0 must be skipped: the antispoof rule below would otherwise drop
- # loopback traffic sourced from ($ext_if)
- set skip on lo0
- set require-order yes
- # Drop silently instead of answering with RST / ICMP unreachable
- set block-policy drop
- set loginterface $ext_if
- # States are bound to the interface they were created on
- set state-policy if-bound
- set fingerprints "/etc/pf.os"
- # Scrub - Traffic normalization
- scrub in all random-id fragment reassemble
- scrub out all random-id fragment reassemble
- # ftp-proxy
- # Anchors that ftp-proxy fills at runtime with per-session nat/rdr rules
- nat-anchor "ftp-proxy/*"
- rdr-anchor "ftp-proxy/*"
- # NAT (VirtualBox)
- #nat on $ext_if from $int_if:network to any -> ($ext_if)
- # Redirect to ftp-proxy
- # No "on" clause: this matches inbound port-21 connections on every
- # interface, including $ext_if, and "rdr pass" hands them to the proxy
- # without consulting the filter rules below.  NOTE(review): if only guests
- # on $int_if are meant to be proxied, restrict this with "on $int_if".
- rdr pass proto tcp from any to any port ftp -> $proxy port $proxyport
- # Antispoof
- # Expands to block-in rules for packets that claim $ext_if's network or
- # address but arrive on another interface
- antispoof for $ext_if
- # Filters
- # ftp-proxy inserts its per-session pass rules here
- anchor "ftp-proxy/*"
- # Block anything coming from source we have no back routes for
- block in from no-route to any
- # Block packets that fail a reverse path check
- block in from urpf-failed to any
- # Blocking spoofed packets
- block drop in log quick on ! $ext_if inet from ($ext_if) to any
- # Block all packets not coming from this machine
- # Translation runs before filtering, so NAT'd guest traffic (if the nat rule
- # above is enabled) already carries ($ext_if) as its source here
- block out log quick on $ext_if from !($ext_if)
- # Block unwanted and log
- # 192.168.0.0/16 is blocked inbound only; the outbound rule uses the table alone
- block drop in log quick on $ext_if from {<unwanted>, 192.168.0.0/16} to any
- block drop out log quick on $ext_if from any to <unwanted>
- # Block probes that can possibly determine the OS by disallowing certain
- # combinations that are commonly used by nmap, queso and xprobe2
- # (FIN+URG+PSH without SYN, all flags set, SYN+RST+ACK+FIN+URG,
- # no flags at all, SYN+RST, SYN+FIN)
- block in quick on $ext_if proto tcp flags FUP/WEUAPRSF
- block in quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
- block in quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
- block in quick on $ext_if proto tcp flags /WEUAPRSF
- block in quick on $ext_if proto tcp flags SR/SR
- block in quick on $ext_if proto tcp flags SF/SF
- # BLOCK ALL
- # Default policy.  The "pass out" rules that follow have no "quick" but
- # still win for matching packets because pf is last-match.
- block in log all
- block out all
- # FTP configurations (use of ftp-proxy)
- # Active FTP
- pass out on $ext_if proto tcp from self to any port ftp keep state
- # Passive FTP
- # Broad: permits any outbound TCP from self to any port above 49151,
- # not just FTP data channels
- pass out on $ext_if proto tcp from self to any port > 49151 keep state
- # Pass out internet traffic
- # Only inet (IPv4) is passed; IPv6 falls through to "block out all".
- # "flags S/SA" lets only initial SYNs create state; "modulate state"
- # randomizes the initial sequence numbers of the connection.
- pass out quick on $ext_if inet proto tcp to any port $tcp_services flags S/SA modulate state
- pass out quick on $ext_if inet proto udp to any port $udp_services keep state
- #pass out quick on $ext_if inet proto tcp all flags S/SA modulate state
- #pass out quick on $ext_if inet proto udp all keep state
- # Allow ping out
- # icmp-type 8 code 0 is echo request; echo replies are matched by state
- pass out quick on $ext_if inet proto icmp all icmp-type 8 code 0 keep state