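# OpenBSD: pf.conf ksh
#
# example of how a pf.conf looks
#
# Copyright (C) 2004 Iron Software
# -- ksh@ironsoftware.de
#
# Read by pfctl(8) (pf.conf(5) syntax, 2004-era: scrub/nat/rdr as separate
# rule types, "keep state" spelled out).  Sections must stay in the order
# macros, options, scrub, translation (nat/rdr), tables, filter rules.
# Filter rules are evaluated top to bottom and the LAST matching rule wins,
# except for rules marked "quick", which end evaluation immediately.
#
# NOTE(review): table references (the <name> tokens) were lost when this file
# was extracted; they are restored below from the two table definitions the
# file declares.  Confirm the mapping against the original.

# set up some variables
internal=rl0
external=tun0
externalv6=gif0
homenet="{ 10.12.1.0/24 }"
ipv6net="{ xxxx:xxx:xxxx:xxx::/64 }"
# IPv4 endpoints of the IPv6 tunnel gateway
ipv6end="{ 64.71.128.83/32, 64.71.128.84/32 }"
# private / broadcast ranges that must never appear on the external interface
spoofed="{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 }"
lab="{ 10.12.1.20/32 }"
windowz="{ 10.12.1.6/32 }"

# options
# NOTE(review): "set loginterface" takes a single interface; with two
# assignments only the later one ($internal) is expected to take effect.
# Confirm which interface the counters should be collected for.
set loginterface $external
set loginterface $internal
# "aggressive" expires idle state entries early (lower memory, more resets
# of long-idle sessions)
set optimization aggressive
# seconds
set timeout tcp.established 3600
set timeout { tcp.opening 30, tcp.closing 120 }
set limit { states 20000, frags 5000 }
# blocked packets get a TCP RST / ICMP unreachable instead of a silent drop
set block-policy return

# Clean up fragmented and abnormal packets
scrub in all
scrub out all

# nat and rdr
nat on $external from $homenet to any -> $external
## redirect external ports to a special address
## NOTE(review): rdr only rewrites the destination; the translated packet
## still has to pass the filter rules below.  No "pass in on $external" rule
## below matches these redirected ports (X11, 6001, xdmcp, ms-term-serv,
## 2122), so as written they appear to be dropped by the default block unless
## the "connectback" anchor supplies the passes.  Exposing X11 / RDP to any
## source address is high risk - confirm this is intended before adding passes.
rdr on $external proto tcp from any to any port X11 -> $windowz port X11
rdr on $external proto tcp from any to any port 6001 -> $lab port 6001
rdr on $external proto udp from any to any port xdmcp -> $lab port xdmcp
rdr on $external proto tcp from any to any port ms-term-serv -> $windowz port ms-term-serv
## ftp goes to the local ftp proxy listening on 8021 (see pass rules below)
rdr on $external proto tcp from any to any port ftp -> 127.0.0.1 port 8021
rdr on $external proto tcp from any to any port 2122 -> 10.12.1.114 port 2121

# load tables
## table of known spammer networks, per table based ip list
table <spammers> persist file "/etc/pf/spammers"
## table of known dialin ranges
table <blockdynamic> persist file "/etc/pf/blockdynamic"

# accept local network ipv4/6 traffic
pass in quick on $internal inet from $homenet to $homenet
pass out quick on $internal inet from $homenet to $homenet
pass quick inet6 from $ipv6net to $ipv6net

# block and log everything by default
block in log on { $external, $externalv6 } all
block out log on { $external, $externalv6 } all
block return-rst in log on { $external, $externalv6 } proto tcp all
block return-rst out log on { $external, $externalv6 } proto tcp all
block return-icmp in log on { $external, $externalv6 } proto udp all
block return-icmp out log on { $external, $externalv6 } proto udp all
block return-icmp(host-unr) in log on { $external, $externalv6 } proto icmp all
block return-icmp(host-unr) out log on { $external, $externalv6 } proto icmp all

# Lets stop those leet hax0rz
# (invalid TCP flag combinations used by scanners)
block in log quick on { $external, $externalv6 } proto tcp from any to any flags F/UP
block in log quick on { $external, $externalv6 } proto tcp from any to any flags /SAFRPU
block in log quick on { $external, $externalv6 } proto tcp from any to any flags SAFRU/SAFRU
block in log quick on { $external, $externalv6 } proto tcp from any to any flags SF/SF
block in log quick on { $external, $externalv6 } proto tcp from any to any flags SR/SR

# block anything coming from a source we have no back routes for
block return-icmp(net-unr) in log from no-route to any

# silently drop broadcasts (cable modem noise)
block in log quick on $external from any to 255.255.255.255

# block denied and spam listed networks
# NOTE(review): reconstructed table names - see header note
block return-icmp(host-unr) quick log on $external from <spammers> to any
block return-icmp(host-unr) quick log on $external from any to <spammers>
block return-icmp(host-unr) quick log on $external from <blockdynamic> to any

# drop spoofed packets
block return-icmp(net-unr) in log quick on $external from $spoofed to any
block return-icmp(net-unr) out log quick on $external from $spoofed to any
# nothing may leave $external with a source address other than its own
block return-icmp(net-unr) out log quick on $external from ! $external to any

# block dyn isp ranges
# NOTE(review): reconstructed table name - see header note
block drop in quick on $external inet proto tcp from <blockdynamic> to any port = smtp flags S/SA

# anchor dynamic rules (could be filled later)
anchor connectback

# special rules to allow pasv ftp transfers and higher ports
pass in on $external inet proto tcp from any to any port = ftp flags S/SA keep state
pass in on $external inet proto tcp from any to 127.0.0.1 port = 8021 flags S/SA keep state

# just Allow ssh to the box
# NOTE(review): the original comment also listed smtp, pop3, auth and https,
# but only the ssh rule is present on $external.
pass in on $external inet proto tcp from any to any port = ssh flags S/SA modulate state

# allow ipv6 tunnel gateway
pass in on $external inet from $ipv6end to any keep state
pass out on $external inet from any to $ipv6end keep state

# accept ipv6 auth request
pass in on $externalv6 inet6 proto tcp from any to "xxxx:xxx:xxxx:xxx:2e0:98ff:fe9f:d2e9/127" port = ircd flags S/SA keep state
pass in on $externalv6 inet6 proto tcp from any to any port = auth flags S/SA keep state

# archtec
pass in on $externalv6 inet6 proto ipv6-icmp from "xxxx:xxx:xxxx:ffff::11a/27" to "xxxx:xxx:xxxx:ffff::11b/127" icmp6-type echoreq keep state
pass in on $externalv6 inet6 proto ipv6-icmp from "3ffe:81d0:ffff::3/127" to "xxxx:xxx:xxxx:ffff::11b/127" icmp6-type echoreq keep state
pass in on $externalv6 inet6 from "xxxx:xxx:xxx:xxx::/64" to $ipv6net flags S/SA keep state
pass in on $externalv6 inet6 from "xxxx:xxx:xxx:xxx::ef/127" to $ipv6net flags S/SA keep state

# accept tunnel gateway ipv4 ping
pass in on $external inet proto icmp from $ipv6end to any icmp-type echoreq keep state

# icmp packets
pass in on $external inet proto icmp all icmp-type { unreach }
pass out on $externalv6 inet6 proto ipv6-icmp all icmp6-type echoreq keep state

# allow everything outgoing
# NOTE(review): "flags" without "proto tcp" - pfctl may reject this, and if
# it is accepted the rule matches TCP only, leaving outbound UDP (e.g. DNS)
# and ICMP on $external to the default "block out" rules.  Confirm intended.
pass out on $external inet from any to any flags S/SA keep state
pass out on $externalv6 inet6 from any to any flags S/SA keep state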