Selveste1

Server 1: pf.conf

Jun 17th, 2018
  1. # cat /etc/pf.conf
  2. # $OpenBSD: pf.conf,v 1.54 2014/08/23 05:49:42 deraadt Exp $
  3. #
  4. # See pf.conf(5) and /etc/examples/pf.conf
  5.  
  6. ## Macros
  7. # PFsync
  8. SYNC_NIC="em1"
  9.  
  10. # WAN IP
  11. EXT_NIC1="vlan254"
  12. EXT_CARP_NIC1="carp254"
  13. EXT_IP1="10.16.96.10"
  14. EXT_IP2="10.16.96.2"
  15. EXT_NETWORK1="10.16.96.0/24"
  16.  
  17. # Hurricane Electric
  18. EXT_NIC6="gif0"
  19. EXT_IP6="2001:470:1f1c:344::2"
  20. EXT_NETWORK6="2001:470:1f1c:344::/64"
  21. EXT_RANGE_NETWORK6="2001:470:1b6a::/48"
  22.  
  23. # Management IP - no VLAN
  24. P_NIC="em0"
  25. P_CARP_NIC="carp1"
  26. P_CARP_NIC_IP4="192.168.245.1"
  27. P_NIC_IP4="192.168.245.2"
  28. P_NIC_NETWORK="192.168.245.0/24"
  29. P_NIC_IP6="2001:470:1b6a:45::2"
  30. P_CARP_NIC_IP6="2001:470:1b6a:45::1"
  31. P_NIC_NETWORK6="2001:470:1b6a:45::/64"
  32.  
  33. # Internal IP - vlan10
  34. VLAN10_NIC="vlan10"
  35. VLAN10_CARP_NIC="carp10"
  36. VLAN10_IP4="192.168.210.1"
  37. VLAN10_NETWORK="192.168.210.0/23"
  38. VLAN10_IP6="2001:470:1b6a:10::1"
  39. VLAN10_NETWORK6="2001:470:1b6a:10::/63"
  40.  
  41. # IoT - vlan20
  42. VLAN20_NIC="vlan20"
  43. VLAN20_CARP_NIC="carp20"
  44. VLAN20_IP4="192.168.220.1"
  45. VLAN20_NETWORK="192.168.220.0/24"
  46. VLAN20_IP6="2001:470:1b6a:20::1"
  47. VLAN20_NETWORK6="2001:470:1b6a:20::/64"
  48.  
  49. # Guest IP - vlan30
  50. VLAN30_NIC="vlan30"
  51. VLAN30_CARP_NIC="carp30"
  52. VLAN30_IP4="192.168.230.1"
  53. VLAN30_NETWORK="192.168.230.0/24"
  54. VLAN30_IP6="2001:470:1b6a:30::1"
  55. VLAN30_NETWORK6="2001:470:1b6a:30::/64"
  56.  
  57. # What-ever IP - vlan40
  58. VLAN40_NIC="vlan40"
  59. VLAN40_CARP_NIC="carp40"
  60. VLAN40_IP4="192.168.240.1"
  61. VLAN40_NETWORK="192.168.240.0/24"
  62. VLAN40_IP6="2001:470:1b6a:40::1"
  63. VLAN40_NETWORK6="2001:470:1b6a:40::/64"
  64.  
  65. # VoIP - vlan42
  66. VLAN42_NIC="vlan42"
  67. VLAN42_CARP_NIC="carp42"
  68. VLAN42_IP4="192.168.242.1"
  69. VLAN42_NETWORK="192.168.242.0/24"
  70. VLAN42_IP6="2001:470:1b6a:42::1"
  71. VLAN42_NETWORK6="2001:470:1b6a:42::/64"
  72.  
  73.  
  74. ## SERVERS AND NETWORK macros
  75. # Internal servers
  76. [ ... ]
  77.  
  78. ## Global settings
  79. set debug notice
  80. set skip on lo0
  81. set state-policy if-bound
  82. set state-defaults pflow #modulate state synproxy state
  83. set block-policy drop
  84. set limit {frags 5000, states 100000, tables 10000}
  85. set loginterface $EXT_NIC1
  86. #set loginterface $EXT_NIC6
  87. set reassemble yes
  88.  
  89.  
  90. ## TABLES
  91. table <firewall> const { self }
  92. table <bruteforce> persist file "/etc/pf/pf.bruteforce.conf"
  93. table <netflix-v6> persist file "/etc/pf/pf.netflix-ipv6.conf"
  94.  
  95. ## GLOBAL OPTIONS
  96. match in all scrub (no-df random-id)
  97. match in on gif0 all scrub ( min-ttl 64 max-mss 1480 )
  98.  
  99. ## TRAFFIC NORMALIZATION
  100.  
  101. ## QUEUEING RULES
  102.  
  103. ## FILTER RULES
  104. block all
  105.  
  106. [ ... ]
  107.  
  108. # pfsync & CARP
  109. pass quick proto { carp, pfsync }
  110. pass quick on $SYNC_NIC proto pfsync
  111. pass quick on { $P_NIC, $VLAN10_NIC, $VLAN20_NIC, $VLAN30_NIC, $VLAN40_NIC, $SYNC_NIC, $EXT_NIC1 } proto carp
  112.  
  113.  
  114. ## IPv6 Encapsulation
  115. # he.net tunnel
  116. pass in quick proto 41 from any to any
  117. pass out quick proto 41 from any to any
  118.  
  119.  
  120. ## Pass internal trafic
  121. # P_NIC
  122. pass in on $P_NIC from $P_NIC_NETWORK to $P_NIC_IP4
  123. pass in on $P_NIC from $P_NIC_NETWORK6 to $P_NIC_IP6
  124. pass out on $P_NIC from $P_NIC_IP4 to $P_NIC_NETWORK
  125. pass out on $P_NIC from $P_NIC_IP6 to $P_NIC_NETWORK6
  126. antispoof log for $P_NIC inet
  127. antispoof log for $P_NIC inet6
  128.  
  129. # P_CARP_NIC
  130. pass in on $P_CARP_NIC from $P_NIC_NETWORK to $P_CARP_NIC_IP4
  131. pass in on $P_CARP_NIC from $P_NIC_NETWORK6 to $P_CARP_NIC_IP6
  132. pass out on $P_CARP_NIC from $P_CARP_NIC_IP4 to $P_NIC_NETWORK
  133. pass out on $P_CARP_NIC from $P_CARP_NIC_IP6 to $P_NIC_NETWORK6
  134. antispoof log for $P_NIC inet
  135. antispoof log for $P_NIC inet6
  136.  
  137. # VLAN10
  138. pass in on $VLAN10_CARP_NIC from $VLAN10_NETWORK to $VLAN10_IP4
  139. pass in on $VLAN10_CARP_NIC from $VLAN10_NETWORK6 to $VLAN10_IP6
  140. pass out on $VLAN10_CARP_NIC from $VLAN10_IP4 to $VLAN10_NETWORK
  141. pass out on $VLAN10_CARP_NIC from $VLAN10_IP6 to $VLAN10_NETWORK6
  142. antispoof log for $VLAN10_NIC inet
  143. antispoof log for $VLAN10_NIC inet6
  144.  
  145. # VLAN20
  146. pass in on $VLAN20_NIC from $VLAN20_NETWORK to $VLAN20_IP4
  147. pass in on $VLAN20_NIC from $VLAN20_NETWORK6 to $VLAN20_IP6
  148. pass out on $VLAN20_NIC from $VLAN20_IP4 to $VLAN20_NETWORK
  149. pass out on $VLAN20_NIC from $VLAN20_IP6 to $VLAN20_NETWORK6
  150. antispoof log for $VLAN20_NIC inet
  151. antispoof log for $VLAN20_NIC inet6
  152.  
  153. # VLAN30
  154. pass in on $VLAN30_NIC from $VLAN30_NETWORK to $VLAN30_IP4
  155. pass in on $VLAN30_NIC from $VLAN30_NETWORK6 to $VLAN30_IP6
  156. pass out on $VLAN30_NIC from $VLAN30_IP4 to $VLAN30_NETWORK
  157. pass out on $VLAN30_NIC from $VLAN30_IP6 to $VLAN30_NETWORK6
  158. antispoof log for $VLAN30_NIC inet
  159. antispoof log for $VLAN30_NIC inet6
  160.  
  161. # VLAN40
  162. pass in on $VLAN40_NIC from $VLAN40_NETWORK to $VLAN40_IP4
  163. pass in on $VLAN40_NIC from $VLAN40_NETWORK6 to $VLAN40_IP6
  164. pass out on $VLAN40_NIC from $VLAN40_IP4 to $VLAN40_NETWORK
  165. pass out on $VLAN40_NIC from $VLAN40_IP6 to $VLAN40_NETWORK6
  166. antispoof log for $VLAN40_NIC inet
  167. antispoof log for $VLAN40_NIC inet6
  168.  
  169. # VLAN10 <=> VLAN20
  170. pass in on $VLAN10_NIC from $VLAN10_NETWORK to $VLAN20_NETWORK
  171. pass in on $VLAN10_NIC from $VLAN10_NETWORK6 to $VLAN20_NETWORK6
  172. pass out on $VLAN20_NIC from $VLAN10_NETWORK to $VLAN20_NETWORK
  173. pass out on $VLAN20_NIC from $VLAN10_NETWORK6 to $VLAN20_NETWORK6
  174.  
  175. pass in on $VLAN20_NIC from $VLAN20_NETWORK to $VLAN10_NETWORK
  176. pass in on $VLAN20_NIC from $VLAN20_NETWORK6 to $VLAN10_NETWORK6
  177. pass out on $VLAN10_NIC from $VLAN20_NETWORK to $VLAN10_NETWORK
  178. pass out on $VLAN10_NIC from $VLAN20_NETWORK6 to $VLAN10_NETWORK6
  179.  
  180. # VLAN10 <=> management
  181. pass in on $VLAN10_NIC from $VLAN10_NETWORK to $P_NIC_NETWORK
  182. pass in on $VLAN10_NIC from $VLAN10_NETWORK6 to $P_NIC_NETWORK6
  183. pass out on $P_NIC from $VLAN10_NETWORK to $P_NIC_NETWORK
  184. pass out on $P_NIC from $VLAN10_NETWORK6 to $P_NIC_NETWORK6
  185.  
  186. pass in on $P_NIC from $P_NIC_NETWORK to $VLAN10_NETWORK
  187. pass in on $P_NIC from $P_NIC_NETWORK6 to $VLAN10_NETWORK6
  188. pass out on $VLAN10_NIC from $P_NIC_NETWORK to $VLAN10_NETWORK
  189. pass out on $VLAN10_NIC from $P_NIC_NETWORK6 to $VLAN10_NETWORK6
  190.  
  191. # Semark VPN <=> management & vlan10
  192. pass in log (all) on $VPN_NIC1 from $SEMARKNET to $VLAN10_NETWORK
  193. pass in log (all) on $VPN_NIC1 from $SEMARKNET to $P_NIC_NETWORK
  194. pass out log (all) on $VPN_NIC1 from $VLAN10_NETWORK to $SEMARKNET
  195. pass out log (all) on $VPN_NIC1 from $P_NIC_NETWORK to $SEMARKNET
  196.  
  197. pass in log (all) on $VPN_NIC1 from $SEMARKNET6 to $VLAN10_NETWORK6
  198. pass in log (all) on $VPN_NIC1 from $SEMARKNET6 to $P_NIC_NETWORK6
  199. pass out on $VPN_NIC1 from $VLAN10_NETWORK6 to $SEMARKNET6
  200. pass out on $VPN_NIC1 from $P_NIC_NETWORK6 to $SEMARKNET6
  201.  
  202. [ ... ]
  203.  
  204. # protect SSH from SYN flood and bruteforce
  205. pass in quick tagged SSH_IN synproxy state (max-src-conn 10, max-src-conn-rate 5/5, overload <bruteforce> flush global)
  206.  
  207. #block return # block stateless traffic
  208. pass # establish keep-state
  209.  
  210. ## BLOCKING
  211. # By default, do not permit remote connections to X11
  212. block return in log (all) on ! lo0 proto tcp to port 6000:6010
  213.  
  214. # Block Netflix IPv6
  215. block return in log (all) quick on { $P_NIC,$VLAN10_NIC,$VLAN20_NIC,$VLAN30_NIC,$VLAN40_NIC } inet6 proto tcp from any to <netflix-v6>
  216.  
  217. # Block bruteforce
  218. block in log (all) quick from <bruteforce>