@pedrompcaetano
Last active March 19, 2019 09:55
table <leased_ip_table> persist
table <abandoned_ip_table> persist
#table <bruteforce>
icmp_types = "{ echoreq, unreach }"
icmp6_types = "{ echoreq unreach timex paramprob }"
ext_if="vlan100"
int_if="{ em1 em2 em3 }"
int_networks="{ em1:network, em2:network, em3:network }"
tcp_services="{ 20, 21, 22, 43, 80, 443, 989, 990 }"
udp_services="{ 53, 123, 1194 }"
v6broker=""
v6resolver=""
mediacenter=""
set skip on lo
set loginterface egress
block drop in all
#block quick from <bruteforce>
antispoof quick for (egress)
match proto { udp tcp } to port { domain ntp } set prio 6
match proto tcp to port ssh set prio 6
match in all scrub (no-df max-mss 1440)
#pass inet proto icmp all icmp-type $icmp_types tag GOOD
anchor "inet" on vlan100 {
# block quick from <bruteforce>
block all
pass inet proto ipv6 from ($ext_if) to $v6broker tag GOOD
pass inet proto icmp all icmp-type $icmp_types tag GOOD
pass in inet proto {tcp,udp} from any to any port 45555 rdr-to $mediacenter tag GOOD
pass in inet proto tcp from any to any port {80,443} tag GOOD
pass in inet proto tcp from any to any port 22 keep state (max-src-conn 50, max-src-conn-rate 3/15, overload <bruteforce> flush global ) tag GOOD
pass out inet proto udp to port 33433 >< 33626 tag GOOD # traceroute <--- ?
pass out from (self) to any tag GOOD
pass out inet from $int_networks to any nat-to (egress) tag GOOD
match out inet from $int_networks to any nat-to (egress) tag GOOD
pass out inet6 from em2:network to any tag GOOD
pass out inet6 proto udp from em2:network to $v6resolver port 53 tag GOOD
block out log inet ! tagged GOOD
block quick inet ! tagged GOOD
}
anchor "media" on em1 {
block all
pass in quick inet proto tcp to port 80 divert-to lo0 port 3129 tag GOOD
pass in inet tag GOOD
pass inet proto {tcp,udp} from any to $mediacenter tag GOOD
pass in inet from em1:network tag GOOD
pass in inet from 172.27.0.0/16 tag GOOD
pass in quick inet proto udp to port 53 rdr-to lo0 port 53 tag GOOD
pass inet proto icmp all icmp-type $icmp_types tag GOOD
pass out quick proto {tcp,udp} to any tag GOOD
block quick inet ! tagged GOOD
}
anchor "wifi" on em2 {
block all
pass in quick inet proto tcp to port 80 divert-to lo0 port 3129 tag GOOD
pass inet proto icmp all icmp-type $icmp_types tag GOOD
pass inet6 proto icmp6 icmp6-type $icmp6_types tag GOOD
pass out inet6 proto {tcp,udp} from $int_networks to any tag GOOD
pass in quick inet6 from any to 64:ff9b::/96 af-to inet from (egress:0) keep state tag GOOD
pass from em2:network tag GOOD
pass out quick inet6 from (self) to any
pass in quick inet proto udp to port 53 rdr-to lo0 port 53 tag GOOD
pass in inet tag GOOD
pass out quick proto {tcp,udp} from any to any tag GOOD
block quick inet ! tagged GOOD
}
anchor "erl" on em3 {
block all
pass in quick inet proto tcp to port 80 divert-to lo0 port 3129 tag GOOD
pass inet proto icmp all icmp-type $icmp_types tag GOOD
pass in inet tag GOOD
pass in quick inet proto udp to port 53 rdr-to lo0 port 53 tag GOOD
pass out quick proto {tcp,udp} from any to any tag GOOD
block quick inet ! tagged GOOD
}
anchor "inet6" on gif0 {
block all
pass inet6 proto icmp6 icmp6-type $icmp6_types tag GOOD
pass out inet6 proto {tcp,udp} from $int_networks to any tag GOOD
pass out inet6 proto {tcp,udp} from (gif0) to any tag GOOD
block quick inet6 ! tagged GOOD
}