pf.conf
### Interfaces ###
# Macros: pf substitutes $Name wherever the name is referenced below.
ExtIf ="igb0"
# NOTE(review): $IntIf is not referenced by any rule in this listing; see the
# "set skip on lo" caveat under Misc Options before relying on it.
IntIf ="lo666"
### Hosts ###
# Address the jail network is translated to (see the nat rule under Translation).
IP_PUB ="192.168.0.1"
# Jail addresses; the three per-jail macros below are the same hosts split out.
# Only $IP_JAIL_WWW is referenced by a rule in this listing.
IP_JAIL = "{10.6.6.6, 10.6.6.7, 10.6.6.8}"
IP_JAIL_WWW = "10.6.6.6"
IP_JAIL_DBS = "10.6.6.7"
IP_JAIL_APP = "10.6.6.8"
NET_JAIL="10.6.6.0/24"
### Queues, States and Types ###
# Reusable rule fragments. None of them is referenced by a rule in this listing;
# presumably they are consumed by filter rules that follow the rdr section.
IcmpPing ="icmp-type 8 code 0"
# Queue names only -- no altq/queue definitions appear in this listing.
SshQueue ="(ssh_bulk, ssh_login)"
# synproxy state: pf completes the TCP handshake itself before the peer is reached.
SynState ="flags S/SA synproxy state"
# modulate state: pf rewrites the initial sequence numbers of tracked connections.
TcpState ="flags S/SA modulate state"
UdpState ="keep state"
### Stateful Tracking Options (STO) ###
# Per-rule state limits. "source-track rule" makes the max-src-* limits apply per
# source address, counted for that rule only.
OpenSTO ="(max 90000, source-track rule, max-src-conn 1000, max-src-nodes 256)"
SmtpSTO ="(max 200, source-track rule, max-src-conn 10, max-src-nodes 256, max-src-conn-rate 200/30)"
# overload <BLOCKTEMP> flush global: a source exceeding max-src-conn-rate is added
# to <BLOCKTEMP> and all of its existing states are killed. That only denies
# further traffic if some block rule references <BLOCKTEMP>; no such rule
# appears in this listing.
SshSTO ="(max 100, source-track rule, max-src-conn 10, max-src-nodes 100, max-src-conn-rate 100/30, overload <BLOCKTEMP> flush global)"
WebSTO ="(max 4096, source-track rule, max-src-conn 64, max-src-nodes 512, max-src-conn-rate 500/100, overload <BLOCKTEMP> flush global)"
### Tables ###
# Filled at runtime by the overload clauses above. Nothing in this listing
# expires its entries, so they remain until removed by hand or by a ruleset reload.
table <BLOCKTEMP> counters
# Address list loaded from this file when the ruleset is loaded.
table <BLOCKPERM> counters file "/var/log/block_permanent"
# Not referenced in this listing; presumably used by spamd-related rules elsewhere.
table <spamd-white>
################ Options ######################################################
### Misc Options
# NOTE(review): "lo" here is an interface group, and on FreeBSD cloned lo*
# interfaces (which would include lo666 = $IntIf) are members of that group --
# if so, jail traffic on $IntIf is never filtered at all. Confirm with the
# "groups:" line of 'ifconfig lo666'; "set skip on lo0" limits the exemption
# to the real loopback if jail-to-jail filtering is intended.
set skip on lo
# pf debug message level.
set debug urgent
# Blocked packets are silently dropped; no RST or ICMP unreachable is returned.
set block-policy drop
# Interface whose packet/byte counters are collected (shown by 'pfctl -s info').
set loginterface $ExtIf
# States are bound to the interface they were created on.
set state-policy if-bound
# Passive OS fingerprint database used by "os" matching.
set fingerprints "/etc/pf.os"
# Disables pfctl's rule reordering/duplicate removal. Distinct from the
# "set optimization" timeout profile below despite the similar name.
set ruleset-optimization none
### Timeout Options
# Timeout profile; "normal" is the default set of state timeouts.
set optimization normal
set timeout { tcp.closing 60, tcp.established 7200}
################ Normalization ###############################################
# set-tos 0x1c is Maximize-Reliability + Minimize-Delay + Maximize-Throughput
# random-id: randomise the IP ID field of outgoing packets; min-ttl 15: raise the
# TTL of packets below 15; fragment reassemble: reassemble fragments before they
# reach the filter.
scrub out log on $ExtIf all random-id min-ttl 15 set-tos 0x1c fragment reassemble
scrub in log on $ExtIf all min-ttl 15 fragment reassemble
################ Translation #################################################
### NAT and Redirection rules are first match
PORT_WWW="{80,443}"
PORT_APP="{1337,8080}"
PORT_DBS="{6379,27017}"
# NOTE(review): overlaps the "scrub in ... on $ExtIf" rule above. If scrub rules
# are first-match this only affects interfaces other than $ExtIf; if not, it
# replaces the logged, min-ttl variant for $ExtIf -- verify with 'pfctl -s rules'
# that the intended scrub rule is the one applied.
scrub in all
# nat all jail traffic
# NOTE(review): "nat pass" (and "rdr pass" below) passes translated packets
# without consulting the filter rules. Outbound jail traffic therefore bypasses
# every pass/block rule, and inbound traffic redirected to $IP_JAIL_WWW cannot be
# subjected to $WebSTO, $SynState or the <BLOCKTEMP> overload. If that filtering
# is intended, drop "pass" here and on the rdr and add explicit pass rules
# carrying those options.
nat pass on $ExtIf from $NET_JAIL to any -> $IP_PUB
# WWW
# Only the WWW ports are redirected; no rdr for $PORT_APP or $PORT_DBS appears in
# this listing.
rdr pass on $ExtIf proto tcp from any to $IP_PUB port $PORT_WWW -> $IP_JAIL_WWW