An old OpenBSD pf.conf circa 3.1.
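# Basic openbsd pf.conf file circa 3.1. (would need updating to use)
#
# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last match:
# of all the non-"quick" filter rules that match a packet, the LAST one decides,
# and a matching "quick" rule ends evaluation immediately. Read the filtering
# section with that in mind -- a later "quick" rule, not an earlier plain one,
# is what finally passes or blocks most packets here.

# Macros: define common values, so they can be referenced and changed easily.
ext_if="xl0" # replace with actual external interface name i.e., dc0
external_addr="52.218.113.29"

# Internal network info if needed
#int_if="sis0" # replace with actual internal interface name i.e., dc1
#internal_net="10.1.1.0/24"

# Tables: similar to macros, but more flexible for many addresses.
# <nonroute>: RFC 1918 space, loopback and the limited-broadcast address. None of
# these should arrive as a source on the external interface or leave it as a
# destination; the anti-spoofing rules below use this table in both directions.
table <nonroute> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8, 255.255.255.255/32 }

# read in assholes table from /etc/assholes. the perfect place for kiddiots
# NOTE(review): the file is read when the ruleset is loaded; presumably the load
# fails if it is missing, so keep an (empty) /etc/assholes on every host that
# uses this config -- confirm against the pfctl version in use.
table <assholes> persist file "/etc/assholes"

# Options: tune the behavior of pf, default values are given.
set timeout { interval 30, frag 10 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set limit { states 10000, frags 5000 }
set loginterface none
set optimization normal
# Blocked packets are dropped silently unless an individual rule overrides this
# (the "block return-rst" rule in the filtering section does, for tcp).
set block-policy drop
set require-order yes

# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all

# Queueing: rule-based bandwidth control.
#altq on $ext_if bandwidth 2Mb cbq queue { dflt, developers, marketing }
#queue dflt bandwidth 5% cbq(default)
#queue developers bandwidth 80%
#queue marketing bandwidth 15%
#
# From http://www.benzedrine.cx/ackpri.html
# Even when a TCP connection is used to send data only in one direction
# (like when downloading a file through ftp), TCP acknowledgements (ACKs)
# must be sent in the opposite direction, or the peer will assume that its
# packets got lost and retransmit them. To keep the peer sending data at
# the maximum rate, it's important to promptly send the ACKs back.
# When the uplink is saturated by other connections (like a concurrent
# upload), all outgoing packets get delayed equally by default. Hence, a
# concurrent upload saturating the uplink causes the outgoing ACKs for the
# download to get delayed, which causes the drop in the download
# throughput.
altq on $ext_if priq bandwidth 200Kb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 1 priq(default)
# NOTE(review): because filter rules are last match, a queue assignment only
# sticks if it is on the rule that finally matches. The two generic rules below
# are shadowed for most traffic by the "quick" rules in the filtering section
# (outbound tcp by "pass out quick ... proto tcp all flags S/SA", inbound tcp by
# the per-port "pass in quick" rules), so the queue is repeated on the outbound
# catch-all there. Inbound-initiated connections still get no queue unless the
# matching per-port rule is given one as well.
pass out on $ext_if proto tcp from $ext_if to any flags S/SA \
    keep state queue (q_def, q_pri)
pass in on $ext_if proto tcp from any to $ext_if flags S/SA \
    keep state queue (q_def, q_pri)
pass out on $ext_if from any to any port 22 queue q_pri
pass out on $ext_if from any to any port 6667 queue q_pri

# Translation: specify how addresses are to be mapped or redirected.
# nat: packets going out through $ext_if with source address $internal_net will
# get translated as coming from the address of $ext_if, a state is created for
# such packets, and incoming packets will be redirected to the internal address.
#nat on $ext_if from $internal_net to any -> ($ext_if)
# rdr: packets coming in on $ext_if with destination $external_addr:1234 will
# be redirected to 10.1.1.1:5678. A state is created for such packets, and
# outgoing packets will be translated as coming from the external address.
#rdr on $ext_if proto tcp from any to $external_addr/32 port 1234 -> 10.1.1.1 port 5678
# rdr outgoing FTP requests to the ftp-proxy
#rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
# spamd-setup puts addresses to be redirected into table <spamd>.
#table <spamd> persist
#no rdr on { lo0, lo1 } from any to any
#rdr inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025

# Filtering: the implicit first two rules are
# (written out explicitly here; they are not limited to $ext_if, so every other
# interface -- internal or loopback -- passes everything unless a later rule
# says otherwise. Everything below applies to $ext_if only.)
pass in all
pass out all

# block all incoming packets but allow ssh, pass all outgoing tcp and udp
# connections and keep state, logging blocked packets.
# tcp gets a RST back (this rule overrides "block-policy drop"); everything else
# on $ext_if is dropped silently. Both rules are non-quick: they are the default
# outcome only for packets that none of the "quick" rules below claim.
block return-rst log on $ext_if proto tcp from any to any
block log on $ext_if from any to any

# don't allow anyone to spoof non-routeable addresses
block in log quick on $ext_if from <nonroute> to any
block out log quick on $ext_if from any to <nonroute>

#disallow assholes
block log quick on $ext_if from <assholes> to any

# NOTE(review): most services below are opened for both tcp and udp, but ssh,
# smtp, ident, finger, http, https, imaps, pop3s and the xmpp client ports are
# tcp-only; the udp half of each rule exposes ports nothing listens on. Narrow
# those to "proto tcp ... flags S/SA" (as the 5269 rule already does) where the
# udp side is not actually needed.

# allow ftp
pass in quick on $ext_if proto { tcp, udp } from any to any port = 20 keep state
pass out quick on $ext_if proto { tcp, udp } from any to any port = 20 keep state
pass in quick on $ext_if proto { tcp, udp } from any to any port = 21 keep state
# passive ftp data range, open from any source to any address on $ext_if. If
# this host is not the ftp server, restrict the destination to the server's
# address or use the ftp-proxy redirect from the translation section instead.
pass in quick on $ext_if proto { tcp, udp } from any to any port 60000><65535 keep state

# ssh, smtp, dns, and ident...
pass in quick on $ext_if proto { tcp, udp } from any to any port = 22 keep state
pass in quick on $ext_if proto { tcp, udp } from any to any port = 25 keep state
# alternate smtp port
pass in quick on $ext_if proto { tcp, udp } from any to any port = 2525 keep state
pass in quick on $ext_if proto { tcp, udp } from any to any port = 53 keep state
pass in quick on $ext_if proto { tcp, udp } from any to any port = 113 keep state

# allow finger, but keep track of who uses it.
pass in log quick on $ext_if proto { tcp, udp } from any to any port = 79 keep state

# allow http and https
pass in quick on $ext_if proto { tcp, udp } from any to any port = 80 keep state
pass in quick on $ext_if proto { tcp, udp } from any to any port = 443 keep state

# allow imaps and pop3s
pass in quick on $ext_if proto { tcp, udp } from any to any port = 993 keep state
pass in quick on $ext_if proto { tcp, udp } from any to any port = 995 keep state

# ldap and ldaps disabled for now
#pass in quick on $ext_if proto { tcp, udp } from any to any port = 389 keep state
#pass in quick on $ext_if proto { tcp, udp } from any to any port = 636 keep state

# rsync disabled for now
#pass in quick on $ext_if proto { tcp, udp } from any to any port = 873 keep state

# allow jabber (client ports 5222/5223, server-to-server 5269); irc disabled for now
pass in quick on $ext_if proto { tcp, udp } from any to any port = 5222 keep state
pass in quick on $ext_if proto { tcp, udp } from any to any port = 5223 keep state
pass in quick on $ext_if proto udp from any to any port = 5269 keep state
pass in quick on $ext_if proto tcp from any to any port = 5269 flags S/SA keep state
#pass in quick on $ext_if proto { tcp, udp } from any to any port = 6667 keep state
pass in quick on $ext_if proto udp from any to any port = 7000 keep state

# pass out/in certain ICMP queries and keep state (ping)
# state matching is done on host addresses and ICMP id (not
# type/code), so replies (like 0/0 for 8/0) will match queries
# ICMP error messages (which always refer to a TCP/UDP
# packet) are handled by the TCP/UDP states
# icmp echo reply (non-quick: a later matching rule can still override it)
pass in on $ext_if inet proto icmp all icmp-type 0 code 0 keep state
# icmp network unreachable
pass in quick on $ext_if inet proto icmp all icmp-type 3 code 0 keep state
# icmp echo request
pass in quick on $ext_if inet proto icmp all icmp-type 8 code 0 keep state
# icmp TTL = 0 (for traceroutes)
pass in quick on $ext_if inet proto icmp all icmp-type 11 code 0 keep state
# allow all icmp out by default
pass out quick on $ext_if inet proto icmp all keep state

# pass incoming packets destined to the addresses given in table <foo>.
# pass in on $ext_if proto { tcp, udp } from any to <foo> port 80 keep state

# and let out-going traffic out and maintain state on established connections
# -- The flags S on the keep state is to ensure that state tracking starts
#    only on the first outbound packet in a tcp session; otherwise a packet
#    from the middle of a session could create state, leading to
#    unnecessary consumption of state table entries.
# -- The flag S only works on the tcp protocol, so separate entries are
#    required for tcp and udp (icmp is already handled by the rule above).
# The queue assignment is repeated here because this rule, being "quick", is
# the one that finally matches outbound tcp and would otherwise leave the
# ACK-prioritisation from the queueing section without effect.
pass out quick on $ext_if proto tcp all flags S/SA keep state queue (q_def, q_pri)
pass out quick on $ext_if proto udp all keep state

# let everything out to everywhere
# NOTE(review): udp never reaches this rule (passed above), but tcp packets
# WITHOUT the SYN flag do, and this rule then creates state for them -- which
# is exactly what the "flags S/SA" rule above was meant to prevent. Drop "tcp"
# from this rule if mid-session packets should not create state.
pass out quick on $ext_if proto { tcp, udp } all keep state
# stateless pass for every remaining protocol (gre, esp, ...) leaving $ext_if;
# being last and non-quick it wins over the generic "block log" rule above.
pass out on $ext_if all

# pass incoming ports for ftp-proxy
#pass in on $ext_if inet proto tcp from any to $ext_if user proxy keep state

# assign packets to a queue.
#pass out on $ext_if from 192.168.0.0/24 to any keep state queue developers
#pass out on $ext_if from 192.168.1.0/24 to any keep state queue marketing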