FreeBSD pf.conf ideas for services
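# See pf(4) and pf.conf(5)
#
#
# Author: Carlo DiCelico, June 2018
#
# Notes:
# Required order is options, normalization, queuing, translation, filtering
# Translation rules match first, filtering rules match last
# Update IPs for your instance and customize rules for your service
# ----- 0. MACROS -----
services = "{ domain, http, https, ntp }"
web_services = "{ http, https }"
# ICMP
icmp_types = "{ echoreq, unreach }"
# external interface
public_if = "vtnet0"
public_ip = "KADABRA_PUBLIC_IP"
# internal interface
private_if = "vtnet1"
private_ip = "KADABRA_PRIVATE_IP"
# jail interface
jail_if = "lo1"
jail_ip = "172.16.1.1"
jail_net = $jail_if:network
# black holes
# <bruteforce> is only read below (block rule); no overload clause in this
# file writes to it, so it stays empty unless something outside this file
# (a log watcher, pfctl -t ... -T add) populates it.
table <bruteforce> persist
# Declared as <abusivehosts> (plural) so the declaration matches the overload
# clauses and the block rule below. The original declared <abusivehost>, which
# no rule referenced, so "persist" never applied to the table actually filled.
table <abusivehosts> persist
# trusted - TODO: generate these from terraform based on fw rules
table <trusted_hosts_inet> persist file "/etc/pf/trusted_hosts_inet"
# NOTE: nothing below references <trusted_hosts_inet6>; the SSH rule is
# inet-only as written, so there is no IPv6 SSH access from trusted hosts.
table <trusted_hosts_inet6> persist file "/etc/pf/trusted_hosts_inet6"
# ----- 1. OPTIONS -----
# skip filtering loopback
set skip on lo0
# debug only urgent
set debug urgent
# return rather than drop
set block-policy return
# out-of-the-box optimizations
set optimization normal
# timeouts
set timeout { tcp.closing 60, tcp.established 7200 }
# ----- 2. NORMALIZATION -----
# scrub IB packets, reassemble, clear "do not fragment" bit, use random id, set max seg size to 1440b
scrub in all fragment reassemble no-df random-id max-mss 1440
# ----- 3. QUEUEING -----
# None (DO-managed)
# ----- 4. TRANSLATION -----
# OB NAT for jails
# NOTE(review): "port 1024:65535" (rewrite source ports into a range) and
# "static-port" (keep the original source port) contradict each other;
# depending on the pfctl version one of them is rejected or silently ignored.
# Keep only the one that is intended.
nat on $public_if from $jail_net to any -> $public_ip port 1024:65535 static-port
# send web traffic to our jail - put your own NAT and redirect rules here
# Deliberately NOT "rdr pass": with the pass modifier, redirected packets skip
# the filter section entirely, so the <bruteforce>/<abusivehosts> block rule,
# the antispoof rule and the default block would never see web traffic.
# After translation the packets are admitted by the $services pass rule below
# (http/https are in $services), and blocked hosts are rejected first.
rdr on $public_if inet proto tcp to port $web_services -> $jail_if
# ----- 5. FILTERING -----
# ----- INGRESS RULES -----
# default block
block log
# activity from forged IPs
antispoof quick for { $public_if $private_if }
# limited ping support
pass inet proto icmp all icmp-type $icmp_types keep state (max-src-conn-rate 6/4, overload <abusivehosts> flush global)
pass inet6 proto icmp6 all icmp6-type $icmp_types keep state (max-src-conn-rate 6/4, overload <abusivehosts> flush global)
# rate-limited, potentially malicious hosts
block quick log from { <bruteforce> <abusivehosts> }
# disallowed services
block quick log on { $public_if $private_if } \
proto { tcp, udp } \
from any to any port { 111 67 }
# allow IB SSH to public_if from trusted hosts
# sshd speaks TCP only; udp/22 was opened by the original rule without any
# listener behind it, so the protocol is narrowed to tcp.
pass in log inet proto tcp from <trusted_hosts_inet> to $public_if port ssh
# allow other IB services to any interface—customize this for your own needs
# NOTE: this admits domain and ntp over UDP from any source on every interface;
# if the host answers them for the internet it becomes a reflection/amplification
# source. Restrict "from any"/"to any" to the sources and interfaces that need them.
pass in log inet proto { tcp udp } from any to any port $services
# ----- EGRESS RULES -----
# let jail traffic be translated
pass from { lo0, $jail_net } to any keep state
# allow all outgoing
pass out all keep state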