-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathpf.conf
100 lines (81 loc) · 3.56 KB
/
pf.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
# $oPENbSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf
##################
#Variables #
##################
isp="em0"
lan="em1"
openvpn="em2"
management="em3"
##################
#Ports #
##################
#Allow outgoing traffic based on port IANA standards [LAN -> WAN]
#TCP 993 = IMAPS
#UDP 1194 = OpenVPN
#TCP 5222:5223 plus 5228 = WhatsApp
nat_tcp_ports="{ ssh, smtps, imaps, http, https, 993, 5222:5223, 5228 }"
nat_udp_ports="{ ntp, https, domain, 1194 }"
#Allow outgoing ping requests [LAN -> WAN]
icmp_types = "{ echoreq, unreach }"
##################
#Tables #
##################
#RFC1918 and RFC5735 local address ranges which should not be routed over the WAN back and forth [LAN <-> WAN]
table persist { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 192.168.0.0/16 192.88.99.0/24 198.18.0.0/15 198.51.100.0/24 203.0.113.0/24 224.0.0.0/4 240.0.0.0/4 248.0.0.0/5 255.255.255.255/32 }
#Blacklist session of bad WAN IP-address(es) [LAN <-> WAN]
table persist { 195.195.195.195/32 }
#SSH brute-force blacklist [Management network <> Edge firewall]
table persist
##################
#Security rules #
##################
#Skip any packet filtering on the localhost interface
set skip on lo0
#Drop all other traffic traffic unless it is whitelisted. PF automatically appends "keep state flags S/SA"
block drop all
#Dropping is less expensive than rejecting
set block-policy drop
#Reassemble packets
set reassemble yes
#Scrub packets
match in on $isp scrub (no-df max-mss 1440)
match out on $isp scrub (random-id)
#Block all traffic with a spoofed source IP-address from the network directly connected to the specified NIC from entering the system through any other NIC
antispoof quick for { $isp lo0 }
##################
#INPUT rules #
##################
#[LAN <- Martians & blacklisted IP-addresses]
#Block packets from wrong address ranges and blacklisted IPs
block drop in quick on $isp from {, } to any
#[LAN <-> LAN]
#Allow all incoming traffic on the LAN interface. The core firewall should handle the firewalling in this segmentation of the network
pass in on $lan
#[Management NIC <> Management]
#Allow SSH to the firewall only through port 22 with brute-force protection
block drop in quick on $management from to any
pass in on $management proto tcp from $management:network to $management port 22 flags S/SA keep state (max-src-conn 100, max-src-conn-rate 15/5, overload flush global)
##################
#OUTPUT rules #
##################
#[LAN -> Martians & blacklisted IPs]
#Do not sent RFC1918 IP-addresses over the WAN and do not access blacklisted IP-addresses
block drop out quick on $isp from any to {, }
#Allow traffic from the edge firewall WAN interface to route to the WAN for ping, nslookup and system updates
#[(em0) Firewall -> WAN]
#pass out on $isp proto { tcp udp icmp } from $isp:network to any
##################
#NAT #
##################
#[LAN <-> WAN]
#Perform NAT on the WAN interface for any packet coming from the LAN and replace the source IP address with the WAN gateway
#UDP
pass out proto udp from $lan:network to any port $nat_udp_ports nat-to $isp keep state
#TCP
pass out proto tcp from $lan:network to any port $nat_tcp_ports nat-to $isp modulate state
#ICMP (protocol used for ping)
pass out proto icmp all icmp-type $icmp_types nat-to $isp keep state
#WARNING: This line allows sessions from any port the WAN. Enable this line only for troubleshooting purposes
#pass out from $lan:network to any nat-to $isp keep state