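# pf.conf: default-deny ruleset for a single host, with a small set of
# permitted services and rate limiting on inbound ssh.

# Macros
ext_if = "bge0"
# NOTE(review): lan_net is defined but no rule below references it.
lan_net = "192.168.0.0/24"
# NOTE(review): ntp normally runs over UDP/123; confirm it belongs in the
# TCP list rather than in udp_services.
tcp_services = "{ ssh www https ipp ntp }"
udp_services = "{ ipp }"
icmp_types = "{ echoreq unreach }"

# Tables
# NOTE(review): <rfc1918> is declared but not used by any rule below.
table <rfc1918> const { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }
# Filled at runtime by the overload clause of the ssh rule at the bottom.
table <ssh_abuse> persist

# Options
# Blocked packets are dropped silently (no TCP RST / ICMP unreachable).
set block-policy drop # t(-_-t)
set loginterface $ext_if
# Loopback traffic is not filtered at all.
set skip on lo0

# Filter Rules
# Default deny, both directions, logged. Without "quick", the last matching
# rule wins, so the pass rules further down override this one.
block log all # t(-_-t)
# Addresses that tripped the ssh limits are dropped before anything else.
block quick from <ssh_abuse> # t(-_-t)
# Drop packets claiming a source in $ext_if's network that arrive elsewhere.
antispoof log quick for $ext_if # t(-_-t)
# Drop inbound packets whose source fails the reverse-path check.
block in log quick from urpf-failed # t(-_-t)

# NOTE(review): these pass rules carry no direction and no source
# restriction, so they match inbound and outbound traffic to the listed
# ports from any address. If ipp is meant for the LAN only, confirm and
# restrict it (e.g. "from $lan_net").
pass inet proto tcp to port $tcp_services keep state
pass inet proto udp to port $udp_services keep state
pass log inet proto icmp icmp-type $icmp_types

# Rate-limit inbound ssh per source address: at most 15 concurrent
# connections and 15 new connections per 5 seconds. Offenders are added to
# <ssh_abuse> and all of their existing states are flushed.
# Restricted to "in": without a direction this rule also tracked the host's
# own outgoing ssh sessions, so a burst of them could put the host's own
# address into <ssh_abuse> and have the block rule above drop its traffic.
# Outgoing ssh is still passed by the tcp_services rule.
pass in quick proto tcp from any to any port ssh flags S/SA keep state \
    (max-src-conn 15, max-src-conn-rate 15/5, overload <ssh_abuse> flush global)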