# $FreeBSD: src/etc/pf.conf,v 1.2 2004/09/14 01:07:18 mlaier Exp $
# $OpenBSD: pf.conf,v 1.21 2003/09/02 20:38:44 david Exp $
#
# See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last match.
#
# This is a FreeBSD pf ruleset for a small gateway: one external interface
# (rl0, dynamically addressed via the ISP's DHCP), several internal
# interfaces, and a set of tunnel interfaces.  Filtering is last-match, so
# a later rule overrides an earlier one unless the earlier one says "quick".

# Macros: define common values, so they can be referenced and changed easily.
# The four template macros below are left from the stock example and unused.
#ext_if="ext0" # replace with actual external interface name i.e., dc0
#int_if="int0" # replace with actual internal interface name i.e., dc1
#internal_net="10.1.1.1/8"
#external_addr="192.168.1.1"

# External (Internet-facing) interface and loopback.
ext_if="rl0"
lo="lo0"

# NOTE(review): pf tables are declared as "table <name> ...", and the
# angle-bracketed names of both tables below were lost when this file was
# extracted; the same happened to every "<name>" reference in the filter
# section.  pfctl will not load the file until the names are restored.
# First table: the RFC 1918 private ranges.  Presumably the one used by the
# spoof-check rules and the "{ ! <...> }" (non-private destination) matches
# in the filter section -- confirm against the original names.
table const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
# Second table: five individual hosts.  Presumably the "bad hosts" list that
# the filter section blocks on $ext_if -- confirm against the original names.
# Being "const", either list can only be changed by editing and reloading.
table const { 69.93.155.146/32, 221.139.50.25/32, 168.131.82.129/32, 61.219.134.90/32, 132.248.209.1/32 }

# Former external address; no longer used (see the NAT comments below).
#starfire="71.75.174.202"
# Next hops used by the route-to (policy routing) rules in the filter section.
einstein="10.3.253.1"
amber="10.3.253.2"
# Tunnel interfaces.  The filter section passes traffic on these in both
# directions with no further restriction, so every tunnel peer is fully trusted.
tunnels="{ tun0, tun1, tun2, tun3, gif0, gif1, gif2, gif3 }"
# Internal interfaces and the networks behind them.
int_ifs="{ xl0, xl1, bfe0 }"
int_nets="{ 10.3.4.0/24, 10.3.5.0/24, 10.3.6.0/24, 10.3.7.0/27, 10.3.253.0/29 }"
# UDP ports the local OpenVPN instances listen on; the trailing comments
# presumably name the peer behind each port, in order.
openvpn="{ 5000, 5001, 5002 }" # nonce # nat # dax
# Interface through which $einstein and $amber are reached.
fw_if="xl0"

# Tables: similar to macros, but more flexible for many addresses.
#table { 10.0.0.0/8, !10.1.0.0/16, 192.168.0.0/24, 192.168.1.18 }

# Options: tune the behavior of pf, default values are given.
# All options are left at their defaults (the commented lines show them).
# Of note for a gateway: block-policy "drop" is the default, so blocked
# packets are silently discarded rather than answered with RST/unreachable,
# and "loginterface none" means pfctl -si shows no per-interface counters;
# "set loginterface $ext_if" would be a cheap way to get them.
#set timeout { interval 10, frag 30 }
#set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
#set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
#set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
#set timeout { icmp.first 20, icmp.error 10 }
#set timeout { other.first 60, other.single 30, other.multiple 60 }
#set timeout { adaptive.start 0, adaptive.end 0 }
#set limit { states 10000, frags 5000 }
#set loginterface none
#set optimization normal
#set block-policy drop
#set require-order yes
#set fingerprints "/etc/pf.os"

# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
# Active: every inbound packet on every interface is reassembled/normalised
# before filtering, which is what makes the stateful rules below resistant to
# fragment-overlap and other evasion tricks.  Keep this enabled.
#scrub in all
scrub in all

# Queueing: rule-based bandwidth control.  Not used; template only.
#altq on $ext_if bandwidth 2Mb cbq queue { dflt, developers, marketing }
#queue dflt bandwidth 5% cbq(default)
#queue developers bandwidth 80%
#queue marketing bandwidth 15%

# Translation: specify how addresses are to be mapped or redirected.
# Nothing in this section is active: there is NO nat or rdr rule in force.
# Internal hosts therefore cannot reach the Internet through $ext_if from this
# box; the route-to rules in the filter section hand their traffic to
# $einstein / $amber instead (presumably those do the translation).
# nat: packets going out through $ext_if with source address $internal_net will
# get translated as coming from the address of $ext_if, a state is created for
# such packets, and incoming packets will be redirected to the internal address.
#nat on $ext_if from $internal_net to any -> ($ext_if)

# Nothing nat's through starfire anymore
#nat on $ext_if from $int_nets to any -> $starfire

# rdr: packets coming in on $ext_if with destination $external_addr:1234 will
# be redirected to 10.1.1.1:5678. A state is created for such packets, and
# outgoing packets will be translated as coming from the external address.
#rdr on $ext_if proto tcp from any to $external_addr/32 port 1234 -> 10.1.1.1 port 5678

# rdr outgoing FTP requests to the ftp-proxy
#rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021

# spamd-setup puts addresses to be redirected into table <spamd> (the name
# was lost in extraction here and on the two commented rules that follow).
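# NOTE(review): every table reference in this section was written as
# "<name>" in the original, and the angle-bracketed names were lost when the
# file was extracted (hence "from to any", "to { ! }", "table persist").
# Restore the names from the two "table" definitions at the top of the file
# before loading -- pfctl rejects the ruleset as it stands.
# Remainder of the (inactive) spamd template from the translation section.
#table persist
#no rdr on { lo0, lo1 } from any to any
#rdr inet proto tcp from to any port smtp -> 127.0.0.1 port 8025

# Filtering: the implicit first two rules are
#pass in all
#pass out all

# block all incoming packets but allow ssh, pass all outgoing tcp and udp
# connections and keep state, logging blocked packets.
#block in log all
#pass in on $ext_if proto tcp from any to $ext_if port 22 keep state
#pass out on $ext_if proto { tcp, udp } all keep state

# Default rules: deny everything in both directions and log it.  Filter rules
# are last-match, so each "pass" below overrides this for what it matches;
# only rules marked "quick" stop evaluation early.
block in log all
block out log all

# Don't firewall localhost
pass in on $lo
pass out on $lo

# Allow the ISP (RR) to do DHCP/BOOTP for $ext_if.  DHCP is UDP only: the
# original rules also passed TCP 67/68, which no DHCP implementation uses.
# Replies are accepted to the client port (68) and requests sent to the server
# port (67).  Stateless and "quick" on purpose: these must win before the
# spoof block below (a DHCP server may answer from a private address), and
# "to any" is needed because an OFFER can arrive addressed to an address this
# box does not hold yet, or to 255.255.255.255.
pass in quick on $ext_if inet proto udp from any to any port 68
pass out quick on $ext_if inet proto udp from any to any port 67

# Drop spoofed packets: private-range sources arriving from the Internet, and
# this box's own traffic addressed to private ranges over the external link.
# "($ext_if)" is re-evaluated whenever rl0's DHCP-assigned address changes;
# the bare interface name is resolved once at ruleset load time.
block in log quick on $ext_if from to any
block out log quick on $ext_if from ($ext_if) to

# Tunnels are passed unconditionally and statelessly in both directions, so
# anything a VPN peer sends over tun*/gif* reaches the internal networks
# unfiltered.  This trusts every tunnel peer completely; if they are not fully
# trusted, add "keep state" and restrict destinations to $int_nets.
pass in on $tunnels
pass out on $tunnels

# Internal interfaces: no filtering between internal segments and no egress
# filtering.  The route-to rules further down do not restrict anything; they
# only choose the next hop for traffic to non-private destinations.
pass in on $int_ifs
pass out on $int_ifs

# Services this box offers on the external interface.  "($ext_if)" limits the
# rules to addresses actually configured on rl0 while still tracking the
# dynamic address.  The original "to any" would also have passed an
# Internet-sourced packet addressed to an internal host (e.g. 10.3.4.x:22)
# if the upstream delivered it to this box, and it would then be forwarded.
pass in on $ext_if inet proto icmp from any to ($ext_if) icmp-type echoreq keep state
# SSH and ident, reachable from anywhere; expect brute-force noise on 22.
pass in on $ext_if inet proto tcp from any to ($ext_if) \
	port { 22, 113 } flags S/SA keep state
# OpenVPN listeners, one per port in $openvpn.
pass in on $ext_if inet proto udp from any to ($ext_if) \
	port $openvpn keep state

# Policy routing for traffic from xl1/bfe0 to non-private destinations.
# These match after "pass in on $int_ifs" and therefore win (last match),
# adding state and a route-to next hop.  The round-robin version is disabled.
# Load-balance traffic between amber and einstein for all non-1918 addys
#pass in on { xl1, bfe0 } route-to \
#	{ ($fw_if $einstein), ($fw_if $amber) } round-robin \
#	inet proto { tcp, udp, icmp } to { ! } keep state

# TCP -> einstein
pass in on { xl1, bfe0 } route-to ($fw_if $einstein) \
	inet proto tcp to { ! } keep state

# { HTTPS, SSH } -> amber (more specific than the TCP rule above, and later,
# so it wins for ports 22 and 443)
pass in on { xl1, bfe0 } route-to ($fw_if $amber) \
	inet proto tcp to { ! } \
	port { 22, 443 } keep state

# UDP -> amber
pass in on { xl1, bfe0 } route-to ($fw_if $amber) \
	inet proto udp to { ! } keep state

# ICMP -> amber
pass in on { xl1, bfe0 } route-to ($fw_if $amber) \
	inet proto icmp to { ! } keep state

# tacolinux MIP
#pass in on bfe0 route-to (tun2 10.3.254.18) from 10.3.5.100 to { ! }

# This host's own outbound connections over the external link (the old
# comment still referred to $starfire, the former external address).
# Restricted to the external address: nothing is NATed on $ext_if any more
# (see the translation section), so a forwarded packet leaving rl0 would
# carry a private or foreign source address and must not be let out.  The
# original "all" imposed no source restriction.
pass out on $ext_if inet proto { tcp, udp, icmp } from ($ext_if) to any keep state

# Disallow bad hosts.  No "quick" here: this relies on last-match evaluation,
# sitting after the $ext_if pass rules so that it overrides them.  Only the
# earlier "quick" rules (DHCP, spoof) are exempt.  Adding "quick" would make
# the intent explicit without changing the result.
block in log on $ext_if from to any

# pass incoming packets destined to the addresses given in table <foo> (name
# lost in extraction; stock template, inactive).
#pass in on $ext_if proto { tcp, udp } from any to port 80 keep state

# pass incoming ports for ftp-proxy
#pass in on $ext_if inet proto tcp from any to $ext_if user proxy keep state

# assign packets to a queue.
#pass out on $ext_if from 192.168.0.0/24 to any keep state queue developers
#pass out on $ext_if from 192.168.1.0/24 to any keep state queue marketing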