Created
October 14, 2015 12:37
-
-
Save cypres/3bbb22d09045692096d3 to your computer and use it in GitHub Desktop.
NPF Firewall Config
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Max 3 mio states | |
| set limit states 3000000 | |
| # Adaptive state timeouts | |
| set timeout { adaptive.start 400000, adaptive.end 3000000 } | |
| # Own Traffic (front net does not route) | |
| nat on ix0 from 212.98.89.24/30 -> 212.98.117.0/25 round-robin | |
| # NAT NPF traffic with source hashing | |
| # Use a static random hash to keep public IP across firewall changes/reloads | |
| nat on ix0 from 10.0.0.0/8 -> 212.98.117.0/25 source-hash 0x31054b6497c77f6267f9f8d6c77b5684 | |
| # Pass NPF traffic going out | |
| pass in on ix1 to !10.0.0.0/8 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| net.inet.ip.forwarding=1 | |
| net.inet.ip.fastforwarding=1 | |
| # Tuning guide: https://calomel.org/freebsd_network_tuning.html | |
| kern.ipc.maxsockbuf=34078720 | |
| net.inet.tcp.sendbuf_max=16777216 # (default 2097152) | |
| net.inet.tcp.recvbuf_max=16777216 # (default 2097152) | |
| net.inet.tcp.mssdflt=1460 | |
| net.inet.tcp.ecn.enable=1 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment