@cdcme
Last active November 12, 2018 22:58
FreeBSD pf.conf ideas for services
# See pf(4) and pf.conf(5)
#
#
# Author: Carlo DiCelico, June 2018
#
# Notes:
# Required order is options, normalization, queueing, translation, filtering
# Translation (nat/rdr) rules: the first matching rule wins
# Filtering rules: the last matching rule wins, unless a matching rule is marked "quick"
# Update IPs for your instance and customize rules for your service
# ----- 0. MACROS -----
services = "{ domain, http, https, ntp }"
web_services = "{ http, https }"
# ICMP
icmp_types = "{ echoreq, unreach }"
# external interface
public_if = "vtnet0"
public_ip = "KADABRA_PUBLIC_IP"
# internal interface
private_if = "vtnet1"
private_ip = "KADABRA_PRIVATE_IP"
# jail interface
jail_if = "lo1"
jail_ip = "172.16.1.1"
jail_net = $jail_if:network
# black holes: <abusivehosts> is filled by the overload rules below (the table name must
# match those references); <bruteforce> is filled externally, e.g. pfctl -t bruteforce -T add ADDR
table <bruteforce> persist
table <abusivehosts> persist
# trusted - TODO: generate these from terraform based on fw rules
table <trusted_hosts_inet> persist file "/etc/pf/trusted_hosts_inet"
table <trusted_hosts_inet6> persist file "/etc/pf/trusted_hosts_inet6"
# ----- 1. OPTIONS -----
# skip filtering loopback
set skip on lo0
# debug only urgent
set debug urgent
# return rather than drop
set block-policy return
# out-of-the-box optimizations
set optimization normal
# timeouts
set timeout { tcp.closing 60, tcp.established 7200 }
# ----- 2. NORMALIZATION -----
# scrub inbound packets: reassemble fragments, clear the "don't fragment" bit,
# randomize the IP id, clamp the TCP MSS to 1440 bytes
scrub in all fragment reassemble no-df random-id max-mss 1440
# ----- 3. QUEUEING -----
# None (DO-managed)
# ----- 4. TRANSLATION -----
# outbound NAT for jails
nat on $public_if from $jail_net to any -> $public_ip port 1024:65535 static-port
# send web traffic to our jail (redirect to the jail address, not the interface name)
# put your own NAT and redirect rules here
rdr pass on $public_if inet proto tcp to port $web_services -> $jail_ip
# ----- 5. FILTERING -----
# ----- INGRESS RULES -----
# default block
block log
# activity from forged IPs
antispoof quick for { $public_if $private_if }
# limited ICMP support (echo request, unreachable); sources exceeding the rate are added to <abusivehosts>
pass inet proto icmp all icmp-type $icmp_types keep state (max-src-conn-rate 6/4, overload <abusivehosts> flush global)
pass inet6 proto icmp6 all icmp6-type $icmp_types keep state (max-src-conn-rate 6/4, overload <abusivehosts> flush global)
# rate-limited, potentially malicious hosts
block quick log from { <bruteforce> <abusivehosts> }
# disallowed services
block quick log on { $public_if $private_if } \
proto { tcp, udp } \
from any to any port { 111 67 }
# allow IB SSH to public_if from trusted hosts
pass in log inet proto { tcp udp } from <trusted_hosts_inet> to $public_if port ssh
# allow other inbound services to any interface - customize this for your own needs
pass in log inet proto { tcp udp } from any to any port $services
# ----- EGRESS RULES -----
# let jail traffic be translated
pass from { lo0, $jail_net } to any keep state
# allow all outgoing
pass out all keep state
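To make the ordering note concrete (translation first-match, filtering last-match, "quick" short-circuits), here is an added Python model of how pf evaluates the ingress filter rules from this file. It is a constructed example, not part of the gist or of pf itself; the table contents, the public address and the reduction to inet/tcp are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple, FrozenSet

# Constructed sample data standing in for the pf tables and macros (placeholder addresses)
TABLES = {
    "bruteforce": set(),
    "abusivehosts": {"198.51.100.7"},
    "trusted_hosts_inet": {"203.0.113.10"},
}
PUBLIC_IP = "192.0.2.1"                     # stands in for KADABRA_PUBLIC_IP
SERVICES = frozenset({53, 80, 443, 123})    # domain, http, https, ntp
ANY_PORT = frozenset()

@dataclass
class Rule:
    action: str                              # "pass" or "block"
    quick: bool = False                      # quick: stop evaluation on match
    src_tables: Tuple[str, ...] = ()         # source must be in one of these tables (empty = any)
    dst: Optional[str] = None                # destination address (None = any)
    ports: FrozenSet[int] = ANY_PORT         # destination ports (empty = any)

    def matches(self, src: str, dst: str, port: int) -> bool:
        if self.src_tables and not any(src in TABLES[t] for t in self.src_tables):
            return False
        if self.dst is not None and dst != self.dst:
            return False
        return not self.ports or port in self.ports

# The gist's ingress filter rules in file order (inet/tcp only; antispoof and icmp omitted)
RULESET = [
    Rule("block"),                                                         # block log
    Rule("block", quick=True, src_tables=("bruteforce", "abusivehosts")),  # black-holed hosts
    Rule("block", quick=True, ports=frozenset({111, 67})),                 # disallowed services
    Rule("pass", src_tables=("trusted_hosts_inet",), dst=PUBLIC_IP, ports=frozenset({22})),
    Rule("pass", ports=SERVICES),                                          # port $services
]

def evaluate(src: str, dst: str, port: int, ruleset=RULESET) -> str:
    """Verdict for one inbound packet: pf passes when nothing matches (which is why
    the file opens with 'block log'), otherwise the last matching rule decides,
    and a matching quick rule decides immediately."""
    verdict = "pass"
    for rule in ruleset:
        if rule.matches(src, dst, port):
            verdict = rule.action
            if rule.quick:
                break
    return verdict
```

Running `evaluate("198.51.100.7", PUBLIC_IP, 80)` returns "block" even though the later `port $services` rule would pass it, because the table rule is quick; the same host from outside the table gets "pass".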