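# $FreeBSD: src/etc/pf.conf,v 1.1.2.1 2004/09/17 18:27:14 mlaier
# $OpenBSD: pf.conf,v 1.21 2003/09/02 20:38:44 david Exp $
#
# See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last match.
#
# Home gateway ruleset: NAT for one /24 LAN behind $ext_if, a handful of port
# forwards to LAN hosts, and a default-deny filter with "quick" exceptions.
#
# NOTE(review): nat/rdr run BEFORE filtering, so a filter rule for a forwarded
# service must match the post-rdr destination (the LAN host), never ($ext_if).
# The "Virtual server" rule already does this; the brute-force block rule was
# the one rule that matched ($ext_if) and therefore could never fire.
#
# NOTE(review): the LAN is fully trusted (see "pass quick on $int_if" below),
# and there is no antispoof / RFC1918-source filtering on $ext_if. Both are
# worth adding but are left out here to keep this change to defects only.

# Macros: define common values, so they can be referenced and changed easily.
ext_if="dc0"              # replace with actual external interface name, e.g. dc0
int_if="rl0"              # replace with actual internal interface name, e.g. rl0
int_net="192.168.0.0/24"
john="192.168.0.2"
bob="192.168.0.6"
laptop="192.168.0.88"
server="192.168.0.5"

# Uncomment to temporarily apply john's rules to the laptop.
# This must stay ABOVE blizzard_client: pf appears to expand $john when the
# defining line is read, so reassigning john after that line would leave
# blizzard_client (and its rdr/pass rules) pointing at john's original address.
#john=$laptop

# replace $john with whoever needs to use the blizzard downloader
blizzard_client=$john

johns_bittorrent_ports = 24336:25000
bobs_bittorrent_ports = 36541
johns_hamachi_port = 12345
bobs_hamachi_port = 24074
bf2_server_port = 16567

# Options: tune the behavior of pf, default values are given.
#set timeout { interval 10, frag 30 }
#set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
#set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
#set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
#set timeout { icmp.first 20, icmp.error 10 }
#set timeout { other.first 60, other.single 30, other.multiple 60 }
#set timeout { adaptive.start 0, adaptive.end 0 }
#set limit { states 10000, frags 5000 }
set loginterface $ext_if
#set optimization normal
# Silently drop blocked packets instead of returning RST/ICMP unreachable.
set block-policy drop
#set require-order yes
#set fingerprints "/etc/pf.os"

# Scrub rules
scrub in all fragment reassemble

# Bruteforce blocker table
# NOTE(review): the table name was lost in extraction (angle-bracketed token);
# <bruteforce> is a placeholder and must match the name used by whatever
# tool maintains /var/log/bftable. Nothing in this ruleset adds addresses to
# the table itself (no overload / max-src-conn-rate, which pf of this vintage
# may not support), so blocking is only as good as that external feed.
# That file must be root-owned and not group/world-writable: anyone who can
# append to it can block arbitrary addresses from SSH.
table <bruteforce> persist file "/var/log/bftable"

####################################################################
###################### BEGIN VIRTUAL HOSTS #########################
####################################################################

# NAT for LAN to WAN
nat on $ext_if from $int_net to any -> ($ext_if)

# FTP proxy: send all LAN ftp control connections to the local proxy.
# (The LAN pass rule below is what allows the redirected connection.)
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

# HTTP virtual server
rdr on $ext_if proto tcp from any to any port {80 443} -> $server

# Hamachi
rdr on $ext_if proto udp from any to any port $johns_hamachi_port -> $john
rdr on $ext_if proto udp from any to any port $bobs_hamachi_port -> $bob

# svnserve
rdr on $ext_if proto tcp from any to any port 3690 -> $server

# BF2 Server
rdr on $ext_if proto tcp from any to any port $bf2_server_port -> $john

# Limewire and blizzard downloader
rdr on $ext_if proto {tcp udp} from any to any port {6112,3724,6881:6999} -> $blizzard_client

# RDP
#rdr on $ext_if proto tcp from any to any port 3389 -> $john

# Bittorrent
rdr on $ext_if proto {tcp udp} from any to any port $johns_bittorrent_ports -> $john
rdr on $ext_if proto {tcp udp} from any to any port $bobs_bittorrent_ports -> $bob

# SSH: only connections aimed at the firewall's own WAN address are forwarded.
rdr on $ext_if proto tcp from any to ($ext_if) port 22 -> $server

####################################################################
############################ BEGIN RULES ###########################
####################################################################

pass quick on lo0

# Everything not matched by a later "quick" rule is dropped and logged.
block log label "Default deny"

# LAN hosts may talk to anything (including the firewall and the ftp proxy).
pass quick on $int_if from $int_net to any keep state

# Outbound NATed traffic on the WAN side.
pass out quick on $ext_if from ($ext_if) to any keep state label "LAN to WAN through NAT"

# Listed attackers are refused SSH. Must precede the WAN SSH pass rule.
# Fixed: matches $server (the post-rdr destination); the old "to ($ext_if)"
# form never matched because rdr had already rewritten the destination.
block in log quick proto tcp from <bruteforce> to $server port ssh label "SSH brute force"

# "flags S/SA" on every stateful TCP rule: only a SYN may create state, so
# stray ACK/FIN packets from the WAN cannot open a state entry. pf of this
# era does not apply that by default. Rules that listed {tcp udp} are split,
# because flags are only valid on tcp.
pass quick on $ext_if proto tcp from any to $john port $bf2_server_port flags S/SA keep state label "BF2 Server"

# One rule per host so john's port is not also open towards bob and vice versa.
pass quick on $ext_if proto udp from any to $john port $johns_hamachi_port keep state label "Hamachi"
pass quick on $ext_if proto udp from any to $bob port $bobs_hamachi_port keep state label "Hamachi"

#pass quick on $ext_if proto tcp from any to $john port 3389 flags S/SA keep state label "John's Remote Desktop"

# Kept although the LAN rule above already covers it: survives if that rule
# is ever tightened. 192.168.0.1 is assumed to be $int_if's address.
pass quick on $int_if proto tcp from $int_net to 192.168.0.1 port ssh flags S/SA keep state label "Safety SSH to firewall"

pass log quick inet proto tcp from any to $server port { 80 443 3690 } flags S/SA keep state label "Virtual server"

# At most 3 distinct WAN sources with SSH state, 2 states each (pf.conf(5)).
pass in log quick on $ext_if proto tcp from any to $server port ssh flags S/SA keep state ( max-src-nodes 3, max-src-states 2 ) label "WAN SSH access (fileserver)"

pass quick on $ext_if proto tcp from any to $blizzard_client port {6112, 3724, 6881:6999} flags S/SA keep state label "Limewire and blizzard downloader"
pass quick on $ext_if proto udp from any to $blizzard_client port {6112, 3724, 6881:6999} keep state label "Limewire and blizzard downloader"

# Per host, as with Hamachi above.
pass in quick on $ext_if proto tcp from any to $john port $johns_bittorrent_ports flags S/SA keep state label "Bittorrent"
pass in quick on $ext_if proto udp from any to $john port $johns_bittorrent_ports keep state label "Bittorrent"
pass in quick on $ext_if proto tcp from any to $bob port $bobs_bittorrent_ports flags S/SA keep state label "Bittorrent"
pass in quick on $ext_if proto udp from any to $bob port $bobs_bittorrent_ports keep state label "Bittorrent"

# Redundant with "Default deny" but gives WAN drops their own label/counter.
block log quick on $ext_if from any to any label "Fallback (block WAN)"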