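# pf.conf: edge firewall with an outside uplink (em0.900 + 6in4 gif0), a
# trusted LAN (em0), an untrusted VLAN (em0.1003) and GRE VPN links.
# Evaluation model: "block log all" is the default; "quick" rules terminate
# evaluation, so their order matters and is commented where it is subtle.
outside="{ em0.900 gif0 }"
vpn="{ gre0 gre1 }"
trust="em0"
untrust="em0.1003"
hev6_end="184.105.253.10"
sumo="172.20.10.32"
sumo6="2001:470:b896::32"
voip="172.20.10.34"
voipms="74.54.54.178"
# <sshguard> is filled by an external daemon; <bruteforce> is filled by the
# ssh rule's overload option below, so the two ban sources never clobber
# each other's entries.
table <sshguard> persist
table <bruteforce> persist
table <bogon> persist file '/usr/local/etc/bogon-bn-agg.txt'
table <drones> persist file "/usr/local/etc/drones.txt"
set skip on lo
scrub in
nat on em0.900 inet from !(em0.900) -> (em0.900:0)
# for voip.ms
rdr on em0.900 inet proto udp from $voipms to port { 5060 10000:20000 } tag REDIR -> $voip
block log all
block in log quick on $outside from <bogon>
block in log quick on $outside from <sshguard>
block in log quick on $outside from <bruteforce>
# antispoof comes before any "pass quick" rule: a quick pass ends evaluation,
# so an icmp6 or dhcp6 packet with a spoofed source address would otherwise
# be accepted before these block rules are ever reached.
antispoof log quick for lo
antispoof log quick for $trust
antispoof log quick for $untrust
antispoof log quick for $outside
# NOTE(review): this passes every icmp6 type on every interface in both
# directions; narrowing it to the types needed for ND/PMTUD is a possible
# tightening, not done here to avoid breaking v6 on the tunnel.
pass quick proto icmp6
# dhcp6 client replies. NOTE(review): server/relay replies normally come from
# a link-local source, so "from any" could likely be narrowed to fe80::/10.
pass quick inet6 proto udp from any to (em0.900) port 546
# Allow in some local destined services
pass in on $outside inet proto icmp icmp-type { echoreq echorep unreach squench timex } tag ALLOW
pass in on $outside proto ipv6 from $hev6_end tag ALLOW
pass in on $outside tagged REDIR
# ssh is reachable from the whole internet: throttle new connections per
# source and move offenders into <bruteforce>, which is blocked above.
pass in on $outside proto tcp to port ssh flags S/SA keep state (max-src-conn-rate 5/30, overload <bruteforce> flush global) tag ALLOW
pass in on $outside proto { tcp udp } to port 655 tag ALLOW
pass in on $outside proto tcp to $sumo6 port 7650:7700 tag ALLOW
# incoming ike and esp, only from known peers in <drones>
pass in on $outside proto udp from <drones> to any port isakmp tag ALLOW
pass in on $outside proto esp from <drones> tag ALLOW
# Classify incoming traffic; the tag decides which outbound rules apply
pass in quick on $vpn tag VPN
pass in quick on $trust tag TRUST
pass in log quick on $untrust tag UNTRUST
# Allow traffic out from internal nets
pass out quick on $outside
# Allow trusted areas to talk to each other, and let redirected traffic in.
# Untrust is deliberately absent: UNTRUST-tagged traffic may only leave via
# $outside, never toward $trust.
pass out quick on $trust tagged ALLOW
pass out quick on $trust tagged TRUST
pass out quick on $trust tagged REDIR
pass out quick on $trust tagged VPN
# Let the routers talk into the trusted space
pass out quick on em0 from em0
pass out quick on tun0 from (tun0)
pass out quick on em0.1003 from (em0.1003)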