Permalink
Switch branches/tags
Nothing to show
Find file Copy path
8197b9e Aug 24, 2017
1 contributor

Users who have contributed to this file

130 lines (103 sloc) 3.43 KB
#
# pf.conf - Sample ruleset for OpenBSD's Packet Filter PF
# Copyright (c) 2017 Marco Ivaldi <raptor@0xdeadbeef.info>
#
# The pf(4) packet filter modifies, drops or passes packets according to
# rules or definitions specified in pf.conf(5). This is a sample ruleset
# for the configuration of a basic stateful packet filter.
#
# Tested on FreeBSD 11.0. Modify to fit your local configuration.
#
###############################################################################
# Macros
#
# User-defined variables may be defined and used later, simplifying the
# configuration file. Macros must be defined before they are referenced.
#
# interfaces
ext_if= "vtnet0"
#int_if= "vtnet1"
vpn_if= "tun0"
# networks
#ext_net= $ext_if:network
#int_net= $int_if:network
vpn_net= "10.8.0.0/24"
# hosts
#int_web= "192.168.0.3"
###############################################################################
# Tables
#
# Tables provide a mechanism for increasing the performance and flexibility
# of rules with large numbers of source or destination addresses.
#
# knockd command to populate this table: "pfctl -t knockd -T add %IP%"
table <knockd> persist
#table <private> const { 127/8, 10/8, 172.16/12, 192.168/16 }
#table <authpf_users> persist
###############################################################################
# Options
#
# Options tune the behaviour of the packet filtering engine.
#
set optimization normal
set block-policy drop
set skip on lo0
###############################################################################
# Traffic Normalization
#
# Traffic normalization protects internal machines against inconsistencies
# in Internet protocols and implementations.
#
scrub in
#scrub out
###############################################################################
# Queueing
#
# Queueing provides rule-based bandwidth control.
#
# <queueing rules go here>
###############################################################################
# Translation
#
# Translation rules specify how addresses are to be mapped or redirected to
# other addresses.
#
# ftp-proxy anchors
#nat-anchor "ftp-proxy/*"
#rdr-anchor "ftp-proxy/*"
# ip masquerading
nat on $ext_if inet from $vpn_net -> ($ext_if)
# ftp-proxy
#rdr pass on $int_if inet proto tcp to port 21 -> 127.0.0.1 port 8021
# private web server (authpf)
#rdr on $ext_if inet proto tcp to port 443 -> $int_web port 443
# tor redirects
rdr pass on $ext_if inet proto tcp to port 443 -> 127.0.0.1 port 9090
rdr pass on $ext_if inet proto tcp to port 80 -> 127.0.0.1 port 9091
###############################################################################
# Packet Filtering
#
# Packet filtering provides rule-based blocking or passing of packets.
#
# ftp-proxy anchor
#anchor "ftp-proxy/*"
# default policy
block in log
block out
# trusted interfaces
pass in quick on $vpn_if inet
pass out quick on $vpn_if inet
# egress filtering
#block out quick on $ext_if inet from !$ext_net
# anti-spoofing
#block drop in quick on $ext_if inet from <private>
# outbound traffic (icmp, udp, tcp)
pass out on $ext_if inet proto { icmp, udp, tcp } keep state
# inbound traffic (fw)
pass in on $ext_if inet proto udp from any to ($ext_if) \
port 53 keep state # vpn
pass in on $ext_if inet proto tcp from <knockd> to ($ext_if) \
port 22 flags S/SA keep state # ssh
# inbound traffic (int_web, authpf)
#pass in on $ext_if inet proto tcp from <authpf_users> to $int_web \
# port 443 flags S/SA keep state