Basic FreeBSD PF firewall for web server - /etc/pf.conf
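# vim: set ft=pf
# /etc/pf.conf
#
# Basic PF ruleset for a single-homed FreeBSD web server.
# Policy: deny everything in both directions, then open only SSH (port 26)
# and HTTP/HTTPS inbound, plus a short list of outbound services.
# Rules are evaluated top to bottom; the last matching rule wins unless
# a rule carries 'quick'.

# Macros
# External (public) interface.
ext_if="vtnet0"
# Inbound services this host offers.
webports = "{http, https}"
# Outbound TCP/UDP destination ports this host may reach.
int_tcp_services = "{domain, ntp, smtp, www, https, ftp}"
int_udp_services = "{domain, ntp}"

# Options
# Do not filter loopback traffic at all.
set skip on lo
# Interface for which pf gathers packet/byte statistics (pfctl -s info).
set loginterface $ext_if

# Normalization: reassemble fragments and randomize IP IDs before filtering.
scrub in all random-id fragment reassemble

# Default deny. Inbound blocks are logged to pflog and, because of 'return',
# answered with a TCP RST / ICMP unreachable; switch to 'block drop' if
# blocked probes should time out silently instead.
block return in log all
block out all
# Drop traffic with a spoofed source address for $ext_if.
antispoof quick for $ext_if

# Block rapid-fire brute-force attempts.
# Sources that exceed the SSH rate limit below are added to this table.
# Table entries do not age out on their own; expire them periodically,
# e.g. from cron:  pfctl -t bruteforce -T expire 86400
table <bruteforce> persist
block quick from <bruteforce>

# ftp-proxy needs to have an anchor.
# NOTE(review): whether ftp-proxy(8) also needs nat/rdr anchors and a
# redirect rule here depends on how the proxy is run — confirm against
# the service configuration.
anchor "ftp-proxy/*"

# SSH is listening on port 26.
# Per-source limits: at most 15 concurrent connections and 5 new connections
# per 3 seconds; offenders are added to <bruteforce> and all of their
# existing states are flushed.
pass in quick proto tcp to $ext_if port 26 keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)

# Webserver
pass proto tcp from any to $ext_if port $webports

# Allow essential outgoing traffic
pass out quick on $ext_if proto tcp to any port $int_tcp_services
pass out quick on $ext_if proto udp to any port $int_udp_services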