pf.conf freebsd kiev server
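#### First declare a couple of variables ####
### Outgoing tcp / udp port ####
### 43 - whois, 22 - ssh ###
# NOTE: "ssh" and "22" name the same port; the duplicate is harmless.
tcp_services = "{ ssh, smtp, domain, www, https, 22, ntp, 43, 587}"
udp_services = "{ domain, ntp }"
### allow ping / pong ####
icmp_types = "{ echoreq, unreach }"
### Allow IP
# Hosts granted unrestricted inbound TCP by the last "pass in" rule below.
enabled_ip = "{ 188.231.230.23, 188.231.222.49, 134.249.151.49 }"
# RFC 1918 / bogon space. Only referenced by the martian rules below, which
# are currently commented out, so this list is not enforced.
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"
# connected to internet
ext_if = "igb0"
#### define tables. add all subnets and ips to block
# <blockedip> is seeded from the file at load time and is also filled at
# runtime by the www/https overload rule; pf never writes those runtime
# additions back to the file, so they are lost on reload/reboot.
table <blockedip> persist file "/etc/pf.block.ip.conf"
# <ssh-bruteforce> is filled by the ssh overload rule. Entries are not
# expired automatically; clear with "pfctl -t ssh-bruteforce -T flush"
# (or "-T expire <seconds>" from cron).
table <ssh-bruteforce> persist
# Nothing in this file adds to <fail2ban>; presumably populated by an
# external tool (fail2ban) via pfctl -T add -- confirm.
table <fail2ban> persist
#### Options ####
# pf requires the file order: options, normalization, queueing, translation,
# filtering. All "set" statements therefore go here, BEFORE "scrub" and the
# block/pass rules; the original placed "set skip" after them, which pfctl
# rejects with "Rules must be in order".
set limit tables 5000 # default 1000
set limit table-entries 5000000 # default 100000
# unlimited traffic for loopback
set skip on {lo0}
#### Normalization
#scrub provides a measure of protection against certain kinds of attacks based on incorrect handling of packet fragments
scrub in all
#### Filtering ####
# Default deny for incoming traffic
block in all
# Catch-all for BOTH directions. Because this is the later of the two
# catch-all block rules and neither is "quick", it is the one that applies
# to unmatched inbound packets: they get a TCP RST / ICMP unreachable rather
# than a silent drop. Change to "block drop" if silent drops are preferred.
block return
# keep state for outgoing connections
# NOTE: this passes ALL outgoing traffic, so the per-port "pass out" rules
# below add nothing and $tcp_services / $udp_services do not act as an
# egress filter. Remove this line if egress is meant to be restricted.
pass out keep state
# activate spoofing protection for all interfaces
block in quick from urpf-failed
#antispoof is a common special case of filtering and blocking. This mechanism protects against activity from spoofed or forged IP addresses
antispoof log for $ext_if
#Block RFC 1918 addresses (currently disabled -- see $martians above)
# block drop in log (all) quick on $ext_if from $martians to any
# block drop out log (all) quick on $ext_if from any to $martians
# Block all ips
# pfctl -t blockedip -T show
# "quick" makes these table blocks final: they win over every later pass
# rule, including the unrestricted rule for $enabled_ip.
block drop in log (all) quick on $ext_if from <blockedip> to any
# block drop out log (all) quick on $ext_if from any to <blockedip>
block drop in log (all) quick on $ext_if from <ssh-bruteforce> to any
block drop out log (all) quick on $ext_if from any to <ssh-bruteforce>
block drop in log (all) quick on $ext_if from <fail2ban> to any
block drop out log (all) quick on $ext_if from any to <fail2ban>
# allow outgoing (redundant while "pass out keep state" above is present)
pass out on $ext_if proto tcp to any port $tcp_services
pass out on $ext_if proto udp to any port $udp_services
# Allow trace route (IPv4 only: the rule is restricted to inet)
pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state
# Allow incoming ssh, http, bind traffic
# pass in on $ext_if proto tcp from any to any port 25
# ssh: a source opening more than 3 new connections per 60 s is added to
# <ssh-bruteforce> and all of its existing states are killed (flush global).
pass in on $ext_if proto tcp from any to any port ssh flags S/SA keep state \
(max-src-conn-rate 3/60, overload <ssh-bruteforce> flush global)
#pass in on $ext_if proto tcp from $enabled_ip to any
# DNS: udp passes directly; tcp is synproxied so the kernel completes the
# handshake before the resolver sees the connection.
pass in on $ext_if proto udp from any to any port domain
pass in on $ext_if proto tcp from any to any port domain flags S/SA synproxy state
# www/https: a source exceeding 400 concurrent connections or 400 new
# connections per second is added to <blockedip> (same table as the file-
# backed list) and its states are killed. Note that clients behind a shared
# NAT share one source address against these limits.
pass in on $ext_if proto tcp from any to any port { www https } flags S/SA keep state \
(max-src-conn 400, max-src-conn-rate 400/1, overload <blockedip> flush global)
# Unrestricted inbound TCP for $enabled_ip. Being the later non-quick rule
# it also overrides the ssh rate limit above for these hosts; they are
# still subject to the quick table blocks.
pass in on $ext_if proto tcp from $enabled_ip to any
# ICMP echo/unreachable on every interface, not just $ext_if
pass inet proto icmp all icmp-type $icmp_types keep state
## add your rule below ##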