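# cat /etc/pf.conf
# $OpenBSD: pf.conf,v 1.54 2014/08/23 05:49:42 deraadt Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf
#
# OpenBSD pf ruleset for a CARP/pfsync firewall pair with an IPv4 uplink
# ($EXT_NIC1) and a Hurricane Electric IPv6 tunnel ($EXT_NIC6).
# Reading order matters: pf evaluates filter rules top to bottom and the
# LAST matching rule wins, except that a rule carrying "quick" ends the
# evaluation as soon as it matches.  Parts marked "[ ... ]" were left out
# of this copy; names used below but not defined here ($VPN_NIC1,
# $SEMARKNET, $SEMARKNET6, the SSH_IN tag) are presumably defined in those
# omitted parts.

## Macros
# PFsync
SYNC_NIC="em1"
# WAN IP
EXT_NIC1="vlan254"
EXT_CARP_NIC1="carp254"
EXT_IP1="10.16.96.10"
EXT_IP2="10.16.96.2"
EXT_NETWORK1="10.16.96.0/24"
# Hurricane Electric
EXT_NIC6="gif0"
EXT_IP6="2001:470:1f1c:344::2"
EXT_NETWORK6="2001:470:1f1c:344::/64"
EXT_RANGE_NETWORK6="2001:470:1b6a::/48"
# Management IP - no VLAN
P_NIC="em0"
P_CARP_NIC="carp1"
P_CARP_NIC_IP4="192.168.245.1"
P_NIC_IP4="192.168.245.2"
P_NIC_NETWORK="192.168.245.0/24"
P_NIC_IP6="2001:470:1b6a:45::2"
P_CARP_NIC_IP6="2001:470:1b6a:45::1"
P_NIC_NETWORK6="2001:470:1b6a:45::/64"
# Internal IP - vlan10
VLAN10_NIC="vlan10"
VLAN10_CARP_NIC="carp10"
VLAN10_IP4="192.168.210.1"
VLAN10_NETWORK="192.168.210.0/23"
VLAN10_IP6="2001:470:1b6a:10::1"
VLAN10_NETWORK6="2001:470:1b6a:10::/63"
# IoT - vlan20
VLAN20_NIC="vlan20"
VLAN20_CARP_NIC="carp20"
VLAN20_IP4="192.168.220.1"
VLAN20_NETWORK="192.168.220.0/24"
VLAN20_IP6="2001:470:1b6a:20::1"
VLAN20_NETWORK6="2001:470:1b6a:20::/64"
# Guest IP - vlan30
VLAN30_NIC="vlan30"
VLAN30_CARP_NIC="carp30"
VLAN30_IP4="192.168.230.1"
VLAN30_NETWORK="192.168.230.0/24"
VLAN30_IP6="2001:470:1b6a:30::1"
VLAN30_NETWORK6="2001:470:1b6a:30::/64"
# What-ever IP - vlan40
VLAN40_NIC="vlan40"
VLAN40_CARP_NIC="carp40"
VLAN40_IP4="192.168.240.1"
VLAN40_NETWORK="192.168.240.0/24"
VLAN40_IP6="2001:470:1b6a:40::1"
VLAN40_NETWORK6="2001:470:1b6a:40::/64"
# VoIP - vlan42
VLAN42_NIC="vlan42"
VLAN42_CARP_NIC="carp42"
VLAN42_IP4="192.168.242.1"
VLAN42_NETWORK="192.168.242.0/24"
VLAN42_IP6="2001:470:1b6a:42::1"
VLAN42_NETWORK6="2001:470:1b6a:42::/64"
# NOTE(review): the VLAN42 macros are not referenced anywhere in the visible
# rules (neither the CARP pass list nor the per-VLAN filter blocks nor the
# Netflix block list); the VoIP rules may sit in an elided section --
# confirm before assuming vlan42 is covered.

## SERVERS AND NETWORK macros
# Internal servers
[ ... ]

## Global settings
set debug notice
set skip on lo0
# States are bound to the interface they were created on.
set state-policy if-bound
# pfctl treats "#" to end of line as a comment, so "modulate state
# synproxy state" below is inert; only pflow is applied as a default.
set state-defaults pflow #modulate state synproxy state
# Blocked packets are silently dropped unless a rule says "block return".
set block-policy drop
set limit {frags 5000, states 100000, tables 10000}
set loginterface $EXT_NIC1
#set loginterface $EXT_NIC6
set reassemble yes

## TABLES
table <firewall> const { self }
# Sources that trip the SSH overload limits further down; persisted so a
# ruleset reload does not forget them.
table <bruteforce> persist file "/etc/pf/pf.bruteforce.conf"
table <netflix-v6> persist file "/etc/pf/pf.netflix-ipv6.conf"

## GLOBAL OPTIONS
match in all scrub (no-df random-id)
# Tunnel interface: the macro replaces the literal "gif0" so the interface
# name is defined in exactly one place.
# NOTE(review): max-mss 1480 only clamps MSS values above 1480; if gif0 runs
# at a 1480-byte MTU, IPv6 TCP segments need MSS 1420 (1480 minus the
# 40-byte IPv6 header and 20-byte TCP header) to fit -- TODO confirm gif0 mtu.
match in on $EXT_NIC6 all scrub ( min-ttl 64 max-mss 1480 )

## TRAFFIC NORMALIZATION
## QUEUEING RULES
## FILTER RULES
block all
# Listed sources are blocked first, with "quick", so that no later
# "pass quick" rule (notably the tagged SSH_IN rule below) can let them
# through.  In the original ordering this rule came after that pass rule
# and therefore never applied to SSH traffic.
block in log (all) quick from <bruteforce>
[ ... ]
# pfsync & CARP
# NOTE(review): this unscoped rule accepts carp and pfsync on every
# interface, including $EXT_NIC1, and makes the two interface-scoped rules
# below redundant.  pfsync carries no authentication, so restricting it to
# $SYNC_NIC (as the next rule does) is the safer shape; drop this rule once
# every CARP parent interface is listed in the rule after it.
pass quick proto { carp, pfsync }
pass quick on $SYNC_NIC proto pfsync
pass quick on { $P_NIC, $VLAN10_NIC, $VLAN20_NIC, $VLAN30_NIC, $VLAN40_NIC, $SYNC_NIC, $EXT_NIC1 } proto carp
## IPv6 Encapsulation
# he.net tunnel: IPv6-in-IPv4 is IP protocol 41
pass in quick proto 41 from any to any
pass out quick proto 41 from any to any
## Pass internal traffic
# Each interface gets: traffic from its network to the firewall's own
# address (in), replies (out), and antispoof, which expands to block rules
# for packets that carry this network as source but arrive elsewhere.
# NOTE(review): VLAN10 passes on $VLAN10_CARP_NIC while VLAN20/30/40 pass on
# the parent vlan interface; whichever interface pf actually sees these
# packets on, the other form may never match -- TODO confirm with
# "pfctl -vnf /etc/pf.conf" and the state table.
# P_NIC
pass in on $P_NIC from $P_NIC_NETWORK to $P_NIC_IP4
pass in on $P_NIC from $P_NIC_NETWORK6 to $P_NIC_IP6
pass out on $P_NIC from $P_NIC_IP4 to $P_NIC_NETWORK
pass out on $P_NIC from $P_NIC_IP6 to $P_NIC_NETWORK6
antispoof log for $P_NIC inet
antispoof log for $P_NIC inet6
# P_CARP_NIC
pass in on $P_CARP_NIC from $P_NIC_NETWORK to $P_CARP_NIC_IP4
pass in on $P_CARP_NIC from $P_NIC_NETWORK6 to $P_CARP_NIC_IP6
pass out on $P_CARP_NIC from $P_CARP_NIC_IP4 to $P_NIC_NETWORK
pass out on $P_CARP_NIC from $P_CARP_NIC_IP6 to $P_NIC_NETWORK6
# The original repeated "antispoof log for $P_NIC inet/inet6" here verbatim;
# identical rules change nothing, so the copies were dropped.  If antispoof
# for $P_CARP_NIC was intended instead, add it explicitly and check the
# expansion ("block in on ! carp1 ...") against the pass-in rules above.
# VLAN10
pass in on $VLAN10_CARP_NIC from $VLAN10_NETWORK to $VLAN10_IP4
pass in on $VLAN10_CARP_NIC from $VLAN10_NETWORK6 to $VLAN10_IP6
pass out on $VLAN10_CARP_NIC from $VLAN10_IP4 to $VLAN10_NETWORK
pass out on $VLAN10_CARP_NIC from $VLAN10_IP6 to $VLAN10_NETWORK6
antispoof log for $VLAN10_NIC inet
antispoof log for $VLAN10_NIC inet6
# VLAN20
pass in on $VLAN20_NIC from $VLAN20_NETWORK to $VLAN20_IP4
pass in on $VLAN20_NIC from $VLAN20_NETWORK6 to $VLAN20_IP6
pass out on $VLAN20_NIC from $VLAN20_IP4 to $VLAN20_NETWORK
pass out on $VLAN20_NIC from $VLAN20_IP6 to $VLAN20_NETWORK6
antispoof log for $VLAN20_NIC inet
antispoof log for $VLAN20_NIC inet6
# VLAN30
pass in on $VLAN30_NIC from $VLAN30_NETWORK to $VLAN30_IP4
pass in on $VLAN30_NIC from $VLAN30_NETWORK6 to $VLAN30_IP6
pass out on $VLAN30_NIC from $VLAN30_IP4 to $VLAN30_NETWORK
pass out on $VLAN30_NIC from $VLAN30_IP6 to $VLAN30_NETWORK6
antispoof log for $VLAN30_NIC inet
antispoof log for $VLAN30_NIC inet6
# VLAN40
pass in on $VLAN40_NIC from $VLAN40_NETWORK to $VLAN40_IP4
pass in on $VLAN40_NIC from $VLAN40_NETWORK6 to $VLAN40_IP6
pass out on $VLAN40_NIC from $VLAN40_IP4 to $VLAN40_NETWORK
pass out on $VLAN40_NIC from $VLAN40_IP6 to $VLAN40_NETWORK6
antispoof log for $VLAN40_NIC inet
antispoof log for $VLAN40_NIC inet6
# VLAN10 <=> VLAN20
# Routed traffic between internal and IoT: pass in on the ingress VLAN and
# out on the egress VLAN, in both directions.
pass in on $VLAN10_NIC from $VLAN10_NETWORK to $VLAN20_NETWORK
pass in on $VLAN10_NIC from $VLAN10_NETWORK6 to $VLAN20_NETWORK6
pass out on $VLAN20_NIC from $VLAN10_NETWORK to $VLAN20_NETWORK
pass out on $VLAN20_NIC from $VLAN10_NETWORK6 to $VLAN20_NETWORK6
pass in on $VLAN20_NIC from $VLAN20_NETWORK to $VLAN10_NETWORK
pass in on $VLAN20_NIC from $VLAN20_NETWORK6 to $VLAN10_NETWORK6
pass out on $VLAN10_NIC from $VLAN20_NETWORK to $VLAN10_NETWORK
pass out on $VLAN10_NIC from $VLAN20_NETWORK6 to $VLAN10_NETWORK6
# VLAN10 <=> management
pass in on $VLAN10_NIC from $VLAN10_NETWORK to $P_NIC_NETWORK
pass in on $VLAN10_NIC from $VLAN10_NETWORK6 to $P_NIC_NETWORK6
pass out on $P_NIC from $VLAN10_NETWORK to $P_NIC_NETWORK
pass out on $P_NIC from $VLAN10_NETWORK6 to $P_NIC_NETWORK6
pass in on $P_NIC from $P_NIC_NETWORK to $VLAN10_NETWORK
pass in on $P_NIC from $P_NIC_NETWORK6 to $VLAN10_NETWORK6
pass out on $VLAN10_NIC from $P_NIC_NETWORK to $VLAN10_NETWORK
pass out on $VLAN10_NIC from $P_NIC_NETWORK6 to $VLAN10_NETWORK6
# Semark VPN <=> management & vlan10
# All VPN flows are logged.  The original logged IPv4 in both directions
# but IPv6 only inbound; "log (all)" was added to the two IPv6 out rules
# so the IPv6 side is recorded the same way.
pass in log (all) on $VPN_NIC1 from $SEMARKNET to $VLAN10_NETWORK
pass in log (all) on $VPN_NIC1 from $SEMARKNET to $P_NIC_NETWORK
pass out log (all) on $VPN_NIC1 from $VLAN10_NETWORK to $SEMARKNET
pass out log (all) on $VPN_NIC1 from $P_NIC_NETWORK to $SEMARKNET
pass in log (all) on $VPN_NIC1 from $SEMARKNET6 to $VLAN10_NETWORK6
pass in log (all) on $VPN_NIC1 from $SEMARKNET6 to $P_NIC_NETWORK6
pass out log (all) on $VPN_NIC1 from $VLAN10_NETWORK6 to $SEMARKNET6
pass out log (all) on $VPN_NIC1 from $P_NIC_NETWORK6 to $SEMARKNET6
[ ... ]
# protect SSH from SYN flood and bruteforce
# Packets tagged SSH_IN (the tag is applied in an elided section) are
# answered by pf's SYN proxy.  A source with more than 10 open connections,
# or more than 5 new connections within 5 seconds, is added to <bruteforce>
# and its existing states are flushed; the "block ... from <bruteforce>"
# placed right after "block all" then stops its next packet.
pass in quick tagged SSH_IN synproxy state (max-src-conn 10, max-src-conn-rate 5/5, overload <bruteforce> flush global)
#block return # block stateless traffic
# NOTE(review): a bare "pass" matches every packet in both directions on
# every interface.  Because the last matching rule wins, this line undoes
# "block all" above for any traffic that no later block rule covers --
# including inbound traffic on $EXT_NIC1 -- unless an elided section holds
# an earlier "block ... quick" for it.  The line is kept because removing
# it could cut off traffic this ruleset silently relies on (no explicit
# "pass out on $EXT_NIC1" is visible), but the intended edge policy should
# be confirmed with "pfctl -vnf /etc/pf.conf" and verified from the WAN side.
pass # establish keep-state
## BLOCKING
# These rules come after the catch-all "pass" above (and the second one is
# "quick"), so they override it for the traffic they name.
# By default, do not permit remote connections to X11
block return in log (all) on ! lo0 proto tcp to port 6000:6010
# Block Netflix IPv6
block return in log (all) quick on { $P_NIC,$VLAN10_NIC,$VLAN20_NIC,$VLAN30_NIC,$VLAN40_NIC } inet6 proto tcp from any to <netflix-v6>
# Block bruteforce: the <bruteforce> block now sits directly after
# "block all" at the start of the filter rules (see above).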