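# ----------------------------------------------------
# pf - config, based on hans pf.conf-altq
# (http://www.xs4all.nl/~hanb/configs/pf.conf-altq)
#
# loaded with pfctl -f; run pfctl -nf <file> first to parse only.
#
# to view the logfiles:
# tcpdump -n -e -ttt -r /var/log/pflog
#
# to follow the log live (well, not really tail -f but...):
# tcpdump -n -e -ttt -i pflog0
#
# use pfctl -s nat to show the effective nat-rules.
# use pfctl -s rules to show your effective pf-rules.
#
# NOTE(review): the copy this file was restored from had every <table>
# reference stripped (angle brackets lost). The table names below were
# reconstructed from the host-file names and the comments; confirm them
# against the original before loading.
#
# situation:
#
#                                  +-- staff (admins)
#                                  |      v
# badguys        -   openbsd   ----+-- trusted hosts
# (aka internet)                   |      v
#                                  +-- fixed (have a fixed ip)
#                                  |
#                                  +-- guests (have a dynamic ip)
#
# ----------------------------------------------------

# ---------------------
# generic confs
# ---------------------
set limit { states 30000, frags 30000 }
# aggressive: states expire early; long-idle sessions may lose their state
set optimization aggressive
# return: a blocked packet is answered with a TCP RST / ICMP unreachable,
# which tells a scanner the port is filtered rather than silent. The
# spoof and os rules below override this with an explicit "block drop".
set block-policy return

# --------------------
# var defs
# --------------------
EXT_IF = "tun0"
INT_IF = "dc0"

set loginterface $EXT_IF

# read the pf-howto for details.
# S/SAFR: only a bare SYN (no ACK, FIN or RST set) may create state.
TCP_OPTIONS = "flags S/SAFR keep state"
UDP_OPTIONS = "keep state"

# portnumbers.
# chat
icq = "5190"
irc = "6667"
ircproxy = "7666"
ircproxy_dcc = "60000:60100"

# services
# (macros are spliced together textually; the closing "}" is part of it)
server = "{ ssh, http, https" \
    $ircproxy $ircproxy_dcc "}"
server_int = "{ ftp, ssh, http, https, domain, \
    nameserver, bootps, bootpc, ntp" $irc "}"
server_int_tcp = "{" $ircproxy $ircproxy_dcc "}"
server_int_trusted = "{ ipp, \
    netbios-ns, netbios-dgm, netbios-ssn, \
    microsoft-ds, \
    portmap, nfs }"
server_int_trusted_tcp = "{ smtp, rsync, mysql }"

# --------------------
# table defs
# --------------------
# http://www.iana.org/assignments/ipv4-address-space
# http://rfc.net/rfc1918.html
# reserved / non-routable space: a packet with such a source on the
# external interface cannot be genuine (see ALIENS/SPOOFERS below).
# NOTE(review): table name reconstructed from the reference comment.
table <rfc1918> const { \
    0.0.0.0/8, 10.0.0.0/8, \
    20.20.20.0/24, 127.0.0.0/8, \
    169.254.0.0/16, 172.16.0.0/12, \
    192.0.2.0/24, 192.168.0.0/16, \
    224.0.0.0/3, 255.255.255.255 }

# nested trust levels: <trusted> also loads the staff file, <fixed> loads
# all three, so staff <= trusted <= fixed.
# NOTE(review): table names reconstructed from the host-file names.
table <staff> persist file "/etc/pf/hosts.staff"
table <trusted> persist file "/etc/pf/hosts.staff" \
    file "/etc/pf/hosts.trusted"
table <fixed> persist file "/etc/pf/hosts.staff" \
    file "/etc/pf/hosts.trusted" \
    file "/etc/pf/hosts.fixed"

# -------------------
# scrub rules
# -------------------
# scrub in all                  # breaks linux nfs
scrub in on $EXT_IF all         # so we do it only on ext_if
scrub in on $INT_IF all no-df   # but no-df fixes it again :)

# ----------
# altq rules
# ----------
# altq on $EXT_IF priq bandwidth 120Kb queue { qp_low, qp_med, qp_high }
# queue qp_low priority 0 priq
# queue qp_med priority 3 priq(default)
# queue qp_high priority 7 priq

altq on $EXT_IF cbq bandwidth 760Kb queue { dsl_up, dsl_down }
queue dsl_down bandwidth 760Kb cbq { low_down, med_down, high_down }
queue low_down bandwidth 80% priority 1 cbq (red, borrow)
queue med_down bandwidth 90% priority 3 cbq (default, red, borrow)
queue high_down priority 5 cbq (red, borrow)
queue dsl_up bandwidth 120Kb cbq { low_up, med_up, high_up }
queue low_up bandwidth 75% priority 1 cbq (red, borrow)
queue med_up bandwidth 90% priority 3 cbq (red, borrow)
queue high_up priority 5 cbq (red, borrow)

# ---------
# Nat rules
# ---------
nat on $EXT_IF inet \
    from $INT_IF:network \
    to any -> ($EXT_IF)
# lan irc traffic (6660-6680) is redirected to the local irc proxy
rdr on $INT_IF inet proto { udp, tcp } \
    from $INT_IF:network \
    to ! self port 6660:6680 -> self port $ircproxy

# --------
# pf rules
# --------
block out on $EXT_IF all
# no services to the outside!
block in on $EXT_IF all
block in on $INT_IF inet proto { udp, tcp } \
    from $INT_IF:network \
    to self
# anything arriving on the external interface that is not addressed to
# our own external address is dropped right here. Being "quick", this
# also shadows the later inet "pass in ... to $INT_IF:network" and
# "pass in ... to ! self" rules on $EXT_IF.
block drop in quick on $EXT_IF inet \
    from any \
    to ! ($EXT_IF)

# ---------------
# ALIENS/SPOOFERS
# ---------------
# These guys must be spoofing.
block quick on $EXT_IF \
    from <rfc1918> \
    to any label spoof

# antispoof _has_ to be preceded by "pass in quick on lo0 all".
pass in quick on lo0 all
antispoof for { lo0, lo1, $INT_IF, $EXT_IF }

# OS detection, yummy :)
# NOTE(review): the address between "!" and "os" is missing in the
# restored copy (most likely a <table> reference, like the rest of the
# file). TABLE_NAME_LOST is a placeholder and must be replaced before
# this file is loaded.
block drop in quick on $EXT_IF \
    from ! <TABLE_NAME_LOST> os { SCO, NMAP }

# ----
# ICMP
# ----
# echo request out, stateful, so that we can ping ...
pass out on $EXT_IF inet proto icmp \
    all \
    icmp-type 8 code 0 keep state queue high_up
# ... and echo request in: this box answers pings from the internet.
pass in on $EXT_IF inet proto icmp \
    all \
    icmp-type 8 code 0 keep state queue high_down

# --------------------------------
# connect to clients in the lan
# --------------------------------
# enemy territory
# (download FROM et-servers)
# NOTE(review): for inet this rule never matches: the quick
# "block drop in ... to ! ($EXT_IF)" above already dropped every packet
# that is not addressed to the external address. Without an rdr on
# $EXT_IF it only has an effect on non-inet traffic, if any.
pass in quick on $EXT_IF proto udp \
    from any \
    to $INT_IF:network port 27960 \
    $UDP_OPTIONS \
    queue ( high_down, high_down )
# pass in quick on $INT_IF proto udp \
#     from $INT_IF:network port 27960 \
#     to any \
#     keep state queue ( high_down, high_down )

# rest download FROM the internet
# pass out quick on $INT_IF proto { udp, tcp } \
#     from ! self \
#     to $INT_IF:network \
#     keep state queue med_down
pass out quick on $INT_IF inet \
    from self \
    to $INT_IF:network keep state

# --------------------------------
# internal services
# --------------------------------
# These rules carry no "keep state": replies leave on $INT_IF, where no
# block-out rule exists, so they pass anyway (stateless).
pass in quick on $INT_IF inet proto { udp, tcp } \
    from $INT_IF:network \
    to self port $server_int \
    label "server_int $proto:$dstport"
pass in quick on $INT_IF inet proto tcp \
    from $INT_IF:network \
    to self port $server_int_tcp \
    label "server_int $proto:$dstport"
pass in quick on $INT_IF inet proto { udp, tcp } \
    from <trusted> \
    to self port $server_int_trusted \
    label "server_int_trusted $proto:$dstport"
pass in quick on $INT_IF inet proto tcp \
    from <trusted> \
    to self port $server_int_trusted_tcp \
    label "server_int_trusted $proto:$dstport"

# --------------------------------
# anchors to load some later rules,
# (eg mountd)
# --------------------------------
anchor trusted_int on $INT_IF
anchor fixed_int on $INT_IF
anchor extern on $EXT_IF

# --------------------------------
# external services
# --------------------------------
# NOTE(review): this rule trusts the *source* port, which the remote end
# picks freely; any peer may send from port 80, 443 or 993. Replies to
# our own outbound connections are already handled by "keep state" on
# the outbound rules, and for inet the quick "to ! ($EXT_IF)" block
# above shadows this rule completely, so it is a candidate for removal.
pass in quick on $EXT_IF inet proto { udp, tcp } \
    from any port { 993, http, https } \
    to ! self \
    keep state queue (high_down, high_down)
# the services we do offer to the outside: $server on the external address
pass in quick on $EXT_IF inet proto tcp \
    from any \
    to ($EXT_IF) port $server \
    $TCP_OPTIONS queue high_down \
    label "server_ext $proto:$dstport"

# ---
# UDP - outbound
# ---
# dns first and with high priority, everything else udp in the medium queue
pass out quick on $EXT_IF inet proto udp \
    from any \
    to any port 53 \
    $UDP_OPTIONS queue ( high_up, high_up ) \
    label "normal_out $proto:$dstport"
pass out quick on $EXT_IF inet proto udp \
    all \
    keep state queue (med_up, high_up) \
    label "normal_out $proto:$dstport"

# ---
# TCP - outbound
# ---
# label fix: "$dstport" (was the literal text "dstport", so the label
# never showed the port like the other labels do)
pass out quick on $EXT_IF inet proto tcp \
    from any \
    to any port ssh \
    keep state queue (high_up, high_up) \
    label "ssh_out $proto:$dstport"
pass out quick on $EXT_IF inet proto tcp \
    all \
    keep state queue (med_up, high_up) \
    label "normal_out $proto:$dstport"

# vim:ft=pf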