pf.conf

Jan 17th, 2021 (edited)
322
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 3.09 KB | None | 0 0
# pf.conf for a small gateway: em0 uplink, vlan70 as DMZ, vlan10-60 as
# internal VLANs.  Port-forwards web and game services to one DMZ host,
# NATs the DMZ and internal networks out of $ext_if, and shapes traffic.
## macros ##

# Protocols
# 5201 is iperf3
# 27015 is CS 1.6
# 27006 27016 27020 is TF2
# 27007 27017 27021 is CS: GO
# 25565 is Minecraft
# 10048 to 19968 is RTP
# NOTE(review): $tcp_in and $udp_in are used in the "Any" section below in
# rules with no interface and no destination address, so ssh, iperf3 and the
# RTP range are passed inbound on every interface to every host pf forwards
# for - not only to the firewall itself.
tcp_in = "{ ssh 5201 }"
udp_in = "10048:19968"
icmp_in = "{ echoreq unreach }"
icmp6_in = "{ echoreq unreach timex paramprob routeradv routersol \
neighbradv neighbrsol }"
web_in = "{ http https }"
cs_in = "27015"
tf2_in = "{ 27006 27016 27020 }"
csgo_in = "{ 27007 27017 27021 }"
mc_in = "25565"
# Services running on the firewall itself (SIP 5060, DNS 53); see "Self" below.
udp_self = "{ sip domain }"

# Interfaces
ext_if = "em0"
dmz_if = "vlan70"
int_if = "{ vlan10 vlan20 vlan30 vlan40 vlan50 vlan60 }"

# Networks
dmz_net = "vlan70:network"
int_net = "{ vlan10:network vlan20:network vlan30:network \
vlan40:network vlan50:network vlan60:network }"

# DMZ IPv4 hosts (only used for port-forwarding)
# All six macros currently resolve to the same host.  The "pass in ... to
# $dmz_net port ..." rules in the input section only match the redirected
# packets if 10.15.89.254 lies inside vlan70:network - TODO confirm; if it
# does not, those rules never match and only the default-pass keeps the
# forwards working.
web_server = "10.15.89.254"
cs_server = "10.15.89.254"
tf2_server = "10.15.89.254"
csgo_server = "10.15.89.254"
mc_server = "10.15.89.254"
dmz_server = "10.15.89.254"

## default rule ##

# 01172021 - this is breaking shit; why??
# NOTE(review): with this commented out (and "block in all" / "block out all"
# below likewise) pf's default action is pass: every packet that matches no
# rule - including anything arriving from the Internet on $ext_if for the
# firewall or for the forwarded networks - is allowed through.  Re-enabling a
# default block is the most important change to make to this file.
# Plausible reasons it "broke" things, to be confirmed on the box:
#  - there is no "pass in on $dmz_if" rule at all, and the "Internal" rule
#    only passes traffic *to* $dmz_net / $int_net, so neither LAN nor DMZ
#    hosts have a pass rule for Internet-bound traffic;
#  - there is no "set skip on lo0", so loopback traffic (e.g. the ftp-proxy
#    divert to 127.0.0.1 below) would need its own pass rules.
# There is also no antispoof / urpf-failed check for any interface.
#block all

## NAT rules ##

# IPv4 to web server
# These rdr-to rules match any destination address arriving on $ext_if; if
# the box ever carries more than one public address, "to ($ext_if)" narrows
# them to the firewall's own.
match in on $ext_if inet proto { tcp udp } to port $web_in rdr-to $web_server
# IPv4 to game servers
match in on $ext_if inet proto udp to port $cs_in rdr-to $cs_server
match in on $ext_if inet proto { udp tcp } to port $tf2_in rdr-to $tf2_server
match in on $ext_if inet proto { udp tcp } to port $csgo_in rdr-to $csgo_server
match in on $ext_if inet proto { tcp udp } to port $mc_in rdr-to $mc_server

# IPv4 from dmz network
match out on $ext_if inet from $dmz_net nat-to ($ext_if)

# IPv4 from internal network
match out on $ext_if inet from $int_net nat-to ($ext_if)

## input ##

# default
#block in all

# DMZ
# Forwarded services, matched after the rdr-to above has rewritten the
# destination (see the note on the DMZ host macros).
# web server
pass in on $ext_if proto { tcp udp } to $dmz_net port $web_in
# game servers
pass in on $ext_if proto udp to $dmz_net port $cs_in
pass in on $ext_if proto { udp tcp } to $dmz_net port $tf2_in
pass in on $ext_if proto { udp tcp } to $dmz_net port $csgo_in
pass in on $ext_if proto { tcp udp } to $dmz_net port $mc_in

# Internal
# Only destinations inside the DMZ and internal VLANs are passed here; LAN
# hosts get no explicit pass rule towards the Internet (they rely on the
# default-pass today).
pass in on $int_if to { $dmz_net $int_net }

# Self
# SIP and DNS (UDP and TCP) to the firewall itself.  No "on" or "from", so
# this includes $ext_if.  NOTE(review): if the resolver / SIP service is not
# meant to be reachable from the Internet, add "on { $int_if $dmz_if }" or a
# "from { $int_net $dmz_net }" qualifier.
pass in proto { udp tcp } to self port $udp_self
# OSPF
#pass in proto ospf from { $dmz_net $int_net } to self

# Any
# TCP
# ssh and iperf3, from any interface to any destination.  max-src-conn-rate
# is only counted for TCP connections that complete the handshake.
pass in proto { tcp udp } to port $tcp_in keep state (max-src-conn-rate 10/60)
# FTP proxy, fix for getting thru NAT
anchor "ftp-proxy/*"
# NOTE(review): no "from" restriction, so FTP control connections arriving
# from the Internet are diverted to the local proxy as well; "from
# { $int_net $dmz_net }" would limit it to the NATed clients it is meant for.
pass in quick inet proto tcp to port ftp divert-to 127.0.0.1 port 8021
# UDP
# RTP range, both protocols, to any host.  The max-src-conn-rate option
# applies to TCP only, so it provides no rate limiting for the UDP side.
pass in proto { udp tcp } to port $udp_in keep state (max-src-conn-rate 10/60)
# fix for traceroute
# Matches on every interface, so besides letting LAN traceroute in on
# $int_if it also opens this UDP range inbound from $ext_if to any host;
# "on $int_if" would keep it to LAN-originated traceroute.
pass in proto udp to port 33433:33626
# ICMP & ICMPv6
# No direction given: these pass both in and out on all interfaces.
pass inet proto icmp icmp-type $icmp_in
# routeradv / routersol are accepted on $ext_if too; fine if the uplink uses
# SLAAC, otherwise consider limiting them to the internal interfaces.
pass inet6 proto icmp6 icmp6-type $icmp6_in

## output ##

# default
#block out all
# permit outbound
pass out on { $dmz_if $ext_if } from { $dmz_net $int_net }
pass out from self
# block dmz to int
# pf is last-match-wins, so this overrides the pass above for DMZ->internal
# forwarded traffic.  It covers the out direction only: with no default
# block, the DMZ can still reach everything else, including the firewall.
block out from $dmz_net to $int_net

## queueing ##

# egress queue
# em0 is hard-coded here rather than using $ext_if - keep the two in sync.
queue outq on em0 flows 1024 bandwidth 30M max 30M qlimit 1024 default

# ingress queue
# pf only shapes what it transmits, so this shapes traffic leaving on aggr0
# (presumably the parent of the vlan interfaces; it is not defined as a
# macro above), i.e. downloads towards the LAN side.
queue inq on aggr0 flows 1024 bandwidth 300M max 300M qlimit 1024 default