Created
June 5, 2014 16:52
-
-
Save fcayci/da6999528450ed30d1b2 to your computer and use it in GitHub Desktop.
Sample FreeBSD pf firewall configuration
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # /etc/pf.conf | |
| ########################################## | |
| # MACROS | |
| ########################################## | |
| WANIF = "vlan1337" | |
| LANIF = "en0" | |
| VPNIF = "{tun0, tun1}" | |
| WANAD = "2.2.2.2/32" | |
| LANAD = "1.1.1.2/32" | |
| NATPROTO = "{tcp, udp, icmp}" | |
| VPNPORT = "{1194, 1195}" | |
| SSHPORT = "22" | |
| HTTPPORT = "80" | |
| NTPPORT = "123" | |
| AFPPORT = "548" | |
| GITPORT = "9418" | |
| #SVNPORT = "3690" | |
| ########################################## | |
| # TABLES | |
| ########################################## | |
| table <internalnets> persist {1.1.1.0/24} | |
| table <vpnnets> persist {1.1.2.0/24, 1.1.3.0/24} | |
| table <privatenets> persist {10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 224.0.0.0/4, 240.0.0.0/4, 127.0.0.0/8, 0.0.0.0} | |
| ########################################## | |
| # OPTIONS | |
| ########################################## | |
| set loginterface $LANIF | |
| set loginterface $WANIF | |
| set timeout { interval 10, frag 30 } | |
| set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 } | |
| set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 } | |
| set timeout { udp.first 60, udp.single 30, udp.multiple 60 } | |
| set timeout { icmp.first 20, icmp.error 10 } | |
| set timeout { other.first 60, other.single 30, other.multiple 60 } | |
| set optimization normal | |
| set fingerprints "/etc/pf.os" | |
| # Protect firewall from buffer overflow and DDOS attacks | |
| set limit { frags 30000, states 25000 } | |
| # Normalize the requests coming to open ports | |
| scrub in log on $WANIF inet proto tcp from any to $WANAD port {$SSHPORT,$HTTPPORT} | |
| ########################################## | |
| # TRANSLATION RULES (NAT) | |
| ########################################## | |
| nat on $WANIF from <vpnnets> to any -> ($WANIF) | |
| nat on $WANIF from <vpnnets> to <internalnets> -> ($LANIF) | |
| ########################################## | |
| # FILTER RULES | |
| ########################################## | |
| # Block everything by default | |
| block in log all label "Default deny rule" | |
| block out log all label "Default deny rule" | |
| # Anti-lockout rule! | |
| pass in quick on $LANIF inet proto tcp from 1.1.1.3 to any keep state label "anti-lockout rule" | |
| # Just in case | |
| block quick proto { tcp, udp } from any port = 0 to any label "You shouldnt exist!" | |
| block quick proto { tcp, udp } from any to any port = 0 label "You shouldnt exist!" | |
| # Block all IPv6 | |
| block quick inet6 all label "No IPv6 for now baby!" | |
| # Dropbox LAN sync | |
| block quick proto udp from any port 17500 to any port 17500 label "block dropbox LAN sync" | |
| # Allow all traffic to loopback interface. | |
| pass quick on lo0 all | |
| # Allow all traffic on internal interface. | |
| pass on $LANIF all | |
| ########################################## | |
| # INBOUND | |
| ########################################## | |
| # Block private networks | |
| #block in quick log on $WANIF from <privatenetworks> to any label "wrong time, wrong place" | |
| # Allow SSH in | |
| pass in quick on $WANIF inet proto tcp from any to any port $SSHPORT modulate state (max-src-states 5) | |
| # Allow HTTP in | |
| #pass in quick on $WANIF proto tcp from any to any port $HTTPPORT modulate state (max-src-states 3) | |
| pass in quick on $WANIF proto tcp from any to any port $HTTPPORT modulate state | |
| # Allow git in | |
| #pass in quick proto tcp from any to any port $GITPORT label "Git" | |
| # Allow svn in | |
| #pass in quick proto tcp from any to any port $SVNPORT label "SVN" | |
| # Allow ntp in | |
| pass in quick proto udp from any to any port $NTPPORT label "NTP" | |
| # Allow VPN in | |
| pass in quick proto udp from any to any port $VPNPORT keep state label "OpenVPN" | |
| #pass quick on $VPNIF keep state | |
| pass in quick on $VPNIF inet all | |
| # Allow AFP in | |
| #pass in quick on $WANIF inet proto tcp from any to any port $AFPPORT keep state label "AFP" | |
| ########################################## | |
| # OUTBOUND | |
| ########################################## | |
| # Allow icmp out | |
| pass out quick inet proto icmp all icmp-type echoreq keep state | |
| # Allow dns out | |
| #pass out quick proto udp from any to any port $DNSPORT label "DNS" | |
| # Allow ntp out | |
| pass out quick proto udp from any to any port $NTPPORT label "NTP" | |
| # Allow VPN traffic to all internal interfaces. | |
| pass out quick on $WANIF from any to any keep state | |
| pass out quick on $VPNIF inet all | |
| # Allow root to go out and make updates | |
| #pass out quick on $WANIF proto {tcp,udp} from any to any user root | |
| # Prevent hijacking on external and internal interfaces | |
| antispoof for $LANIF | |
| antispoof for $WANIF | |
| # Debug purposes | |
| #pass in log all |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment