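# $FreeBSD: src/etc/pf.conf,v 1.1.2.1 2004/09/17 18:27:14 mlaier
# $OpenBSD: pf.conf,v 1.21 2003/09/02 20:38:44 david Exp $
#
# See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last match.

# Macros: define common values, so they can be referenced and changed easily.

# Interfaces: replace with the actual external (WAN) and internal (LAN)
# interface names, e.g. dc0 and rl0.
ext_if = "dc0"
int_if = "rl0"

# Internal network and the hosts that receive redirected WAN traffic.
int_net = "192.168.0.0/24"
john = "192.168.0.2"
bob = "192.168.0.6"
laptop = "192.168.0.23"
server = "192.168.0.5"
xbox = "192.168.0.101"

# Uncomment to temporarily apply john's rules to the laptop. Note this also
# repoints the Hamachi rdr for $johns_hamachi_port at the laptop, since every
# rule that names $john follows the macro.
#john = $laptop

# Ports opened from the WAN; both the rdr and the pass rules reference these,
# so a port is changed in one place only.
bittorrent_ports = "55000:56000"
johns_hamachi_port = "12345"
bobs_hamachi_port = "24074"
xbox_live_port = "3074"
xbox_live_port2 = "88"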
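# Options: tune the behavior of pf. Commented-out lines show the defaults.
#set timeout { interval 10, frag 30 }
#set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
#set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
#set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
#set timeout { icmp.first 20, icmp.error 10 }
#set timeout { other.first 60, other.single 30, other.multiple 60 }
#set timeout { adaptive.start 0, adaptive.end 0 }
#set limit { states 10000, frags 5000 }
set loginterface $ext_if
#set optimization normal
# Drop blocked packets silently instead of answering with RST/ICMP unreachable,
# so port scans against the WAN side learn less.
set block-policy drop
#set require-order yes
#set fingerprints "/etc/pf.os"

# Normalization: reassemble fragments before filtering so the rules below
# always see whole packets.
scrub in all fragment reassemble

# Bruteforce blocker table, loaded from and persisted to /var/log/bftable.
# NOTE(review): the table name was missing from this copy of the file;
# <bruteforce> is used here and in the SSH block rule below. Nothing in this
# file adds addresses to the table, so entries must come from an external
# process that maintains the file (or from an overload clause on the WAN SSH
# pass rules, on pf versions that support max-src-conn-rate/overload).
table <bruteforce> persist file "/var/log/bftable"

# Queueing (priq). For priq a HIGHER number is a HIGHER priority (0-15), so
# interactive traffic (ssh, http) gets the high numbers and bulk transfers
# (p2p, bt) the low ones. The original file had this inverted, which put
# BitTorrent ahead of SSH. 'p2p' is defined but no filter rule below assigns
# traffic to it.
altq on $int_if priq bandwidth 100% queue { std, ssh, bt, http, p2p }
altq on $ext_if priq bandwidth 5Mb queue { std, ssh, bt, http, p2p }
queue ssh priority 15 priq
queue http priority 13 priq
queue std priority 10 priq (default)
queue p2p priority 2 priq (red, ecn)
queue bt priority 1 priq (red, ecn)

####################################################################
###################### BEGIN VIRTUAL HOSTS #########################
####################################################################

# NAT for LAN to WAN
nat on $ext_if from $int_net to any -> ($ext_if)

# FTP proxy: LAN FTP control connections are handed to ftp-proxy listening on
# the gateway at 127.0.0.1:8021.
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

# HTTP virtual server
rdr on $ext_if proto tcp from any to any port { 80 443 } -> $server

# Hamachi
rdr on $ext_if proto udp from any to any port $johns_hamachi_port -> $john
rdr on $ext_if proto udp from any to any port $bobs_hamachi_port -> $bob

# svnserve
rdr on $ext_if proto tcp from any to any port 3690 -> $server

# Bittorrent
rdr on $ext_if proto { tcp udp } from any to any port $bittorrent_ports -> $server

# SSH: every WAN connection to the gateway's own address on port 22 goes to
# $server. Translation happens before filtering, so the filter rules below see
# $server (not the gateway) as the destination of this traffic, and there is
# no SSH path from the WAN to the gateway itself while this rdr is present.
rdr on $ext_if proto tcp from any to ($ext_if) port 22 -> $server

# Xbox Live
rdr on $ext_if proto { tcp udp } from any to any port { $xbox_live_port $xbox_live_port2 } -> $xbox

####################################################################
############################ BEGIN RULES ###########################
####################################################################

# Loopback is unrestricted.
pass quick on lo0

# Default deny (last match): anything not handled by a 'quick' rule below.
block log label "Default deny"

# Admin SSH to the gateway from the LAN. Placed before the general LAN rule so
# it is the rule that matches and the ssh queue actually applies.
# NOTE(review): 192.168.0.1 is presumably $int_if's address - consider a macro.
pass quick on $int_if proto tcp from $int_net to 192.168.0.1 port ssh keep state label "Safety SSH to firewall" queue ssh

# LAN may go anywhere (including the gateway itself); replies return via state.
pass quick on $int_if from $int_net to any keep state
pass out quick on $ext_if from ($ext_if) to any keep state label "LAN to WAN through NAT"

# Bruteforce table: drop SSH from listed sources before any pass rule below.
# Matches both the gateway address and $server, because the rdr above has
# already rewritten the destination of WAN port-22 traffic to $server; the
# original rule only named ($ext_if) and so never matched redirected packets.
block in log quick proto tcp from <bruteforce> to { ($ext_if) $server } port ssh label "SSH brute force"

# To John / To Bob: Hamachi, one rule per host so each port reaches only its
# owner (a single rule with two hosts and two ports would allow the cross
# product).
pass in quick on $ext_if proto udp from any to $john port $johns_hamachi_port keep state label "Hamachi"
pass in quick on $ext_if proto udp from any to $bob port $bobs_hamachi_port keep state label "Hamachi"

# To Server
pass in log quick on $ext_if inet proto tcp from any to $server port { 80 443 3690 } keep state label "Virtual server" queue http
pass in quick on $ext_if proto { tcp udp } from any to $server port $bittorrent_ports keep state label "Bittorrent" queue bt
pass in log quick on $ext_if proto tcp from any to $server port ssh keep state (max-src-nodes 3, max-src-states 2) label "WAN SSH access (fileserver)" queue ssh
# NOTE(review): because the SSH rdr above sends all WAN port-22 traffic to
# $server, this rule is only reached if that rdr is removed.
pass in log quick on $ext_if proto tcp from any to ($ext_if) port ssh keep state (max-src-nodes 3, max-src-states 2) label "WAN SSH access (gateway)" queue ssh

# To Xbox 360
pass in quick on $ext_if proto { tcp udp } from any to $xbox port { $xbox_live_port $xbox_live_port2 } keep state label "Xbox Live"

# Fallback: anything else arriving on or leaving via the WAN interface is dropped.
block log quick on $ext_if from any to any label "Fallback (block WAN)"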