Basic FreeBSD PF firewall for web server - /etc/pf.conf
| # vim: set ft=pf | |
| # /etc/pf.conf | |
| ext_if="vtnet0" | |
| webports = "{http, https}" | |
| int_tcp_services = "{domain, ntp, smtp, www, https, ftp}" | |
| int_udp_services = "{domain, ntp}" | |
| set skip on lo | |
| set loginterface $ext_if | |
| # Normalization | |
| scrub in all random-id fragment reassemble | |
| block return in log all | |
| block out all | |
| antispoof quick for $ext_if | |
| # Block 'rapid-fire brute force attempts | |
| table <bruteforce> persist | |
| block quick from <bruteforce> | |
| # ftp-proxy needs to have an anchor | |
| anchor "ftp-proxy/*" | |
| # SSH is listening on port 26 | |
| pass in quick proto tcp to $ext_if port 26 keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global) | |
| # Webserver | |
| pass proto tcp from any to $ext_if port $webports | |
| # Allow essential outgoing traffic | |
| pass out quick on $ext_if proto tcp to any port $int_tcp_services | |
| pass out quick on $ext_if proto udp to any port $int_udp_services |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment