Skip to content

Instantly share code, notes, and snippets.

Last active Aug 14, 2022
What would you like to do?
Basic FreeBSD PF firewall for web server - /etc/pf.conf
# vim: set ft=pf
# /etc/pf.conf
webports = "{http, https}"
int_tcp_services = "{domain, ntp, smtp, www, https, ftp}"
int_udp_services = "{domain, ntp}"
set skip on lo
set loginterface $ext_if
# Normalization
scrub in all random-id fragment reassemble
block return in log all
block out all
antispoof quick for $ext_if
# Block 'rapid-fire brute force attempts
table <bruteforce> persist
block quick from <bruteforce>
# ftp-proxy needs to have an anchor
anchor "ftp-proxy/*"
# SSH is listening on port 26
pass in quick proto tcp to $ext_if port 26 keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
# Webserver
pass proto tcp from any to $ext_if port $webports
# Allow essential outgoing traffic
pass out quick on $ext_if proto tcp to any port $int_tcp_services
pass out quick on $ext_if proto udp to any port $int_udp_services
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment