| # $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $ | |
| # | |
| # See pf.conf(5) and /etc/examples/pf.conf | |
| # read the log file: tcpdump -n -e -ttt -r /var/log/pflog | |
| # real-time logging: tcpdump -neq -ttt -i pflog0 | |
| # tcpdump -nettti pflog0 action drop | |
| # tcpdump -vvopn -i enc0 | |
| # show queue: pfctl -vvs queue | |
| # systat queues | |
| # show stats: pfctl -s info | |
| # systat pf | |
| # show states: pfctl -s states | |
| # systat states | |
| # table stats: pfctl -v -t martians -T show | |
| # show rule nr. 4: pfctl -v -s rules -R 4 | |
| # show rules, prepend rule numbers: pfctl -a '*' -vvsr | |
| # systat rules | |
| # show limits: pfctl -s memory | |
| # https://www.iana.org/assignments/iana-ipv4-special-registry/ | |
| # https://www.iana.org/assignments/iana-ipv6-special-registry/ | |
| # Special-purpose / bogon prefixes (from the IANA registries linked above). | |
| # const: the table cannot be altered at runtime with pfctl -T; persist: it is | |
| # kept even when no loaded rule references it; counters: per-address stats. | |
| # No rule in this file references <martians>; presumably consumed by the | |
| # "block" anchor loaded from /etc/pf.conf.anchor.block -- confirm there. | |
| table <martians> const persist counters { \ | |
| 0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16 \ | |
| 172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 192.168.0.0/16 198.18.0.0/15 \ | |
| 198.51.100.0/24 203.0.113.0/24 240.0.0.0/4 255.255.255.255/32 \ | |
| ::1/128 ::/128 ::/96 ::ffff:0:0/96 100::/64 2001::/32 2001:2::/48 \ | |
| 2001:db8::/32 fc00::/7 } | |
| # Full access table (for test) | |
| # Empty at load; members are added at runtime (pfctl -t knownhosts -T add). | |
| # Under "internal" this table grants peer-to-LAN and LAN-to-Internet access. | |
| table <knownhosts> persist counters {} | |
| # Enable with: touch /etc/authpf/authpf.conf | |
| # authpf(8) adds the address of each authenticated user to this table. | |
| table <authpf_users> persist counters | |
| # Block bad hosts | |
| # <permanentban>, <adhosts> and <malware> are loaded from files but are not | |
| # referenced by any rule shown here; presumably used by the "block" anchor. | |
| table <permanentban> persist counters file "/etc/pf.permanentban" | |
| # Update the adhosts IP list every month (!) see var/cron/tabs/root | |
| table <adhosts> persist counters file "/etc/pf.adhosts" | |
| # Update the malware IP list every month (!) see var/cron/tabs/root | |
| table <malware> persist counters file "/etc/pf.malware" | |
| # Scheduled access for "etc/pf.schedule" (!) see var/cron/tabs/root | |
| # https://marc.info/?l=openbsd-misc&m=149160678428354&w=2 | |
| # Sources allowed to reach the SSH gateway (port 2222) under "external". | |
| table <schedule> persist counters | |
| # relayd | |
| # The include supplies $rly_IPv4/$rly_IPv6 (relay) and, judging by the | |
| # divert-to rules further down, $fb1_IPv4/$fb1_IPv6 (fallback) -- confirm. | |
| include "/etc/pf.conf.macro.relayd" # relayd and fallback IP | |
| table <relay> persist counters { $rly_IPv4 $rly_IPv6 } | |
| # Empty at load: the HTTP-proxy and TLS-inspection divert rules under | |
| # "internal" are inert until clients are added to these tables at runtime. | |
| table <httpfilter> persist counters {} | |
| table <tlsinspect> persist counters {} | |
| # Caesonia | |
| # NOTE(review): these are documentation prefixes (203.0.113.0/24, 2001:db8::/32) | |
| # that are also listed in <martians>; presumably placeholders for the real | |
| # mail hosts -- confirm, since a martians block would shadow the submission | |
| # rule that references this table under "external". | |
| table <caesonia> persist counters { \ | |
| 203.0.113.1 \ | |
| 2001:0db8::1 \ | |
| 203.0.113.2 \ | |
| 2001:0db8::2 } | |
| # Options | |
| # Per-interface counters shown by "pfctl -s info" are kept for the egress group. | |
| set loginterface egress | |
| # Ruleset optimization level; "normal" is the default. | |
| set optimization normal | |
| # Blocked packets are silently dropped (no TCP RST / ICMP unreachable sent). | |
| set block-policy drop | |
| # SYN cookies kick in when the state table is 25% full and stop below 12%. | |
| set syncookies adaptive (start 25%, end 12%) | |
| # No filtering at all on loopback; divert-to lo0 rules below rely on this. | |
| set skip on { lo0 } | |
| # Queue - HFSC with FQ-CoDel (reduce bufferbloat and achieve fairness) | |
| # (!) specify the upper bound within 90-95% of the expected bandwidth (bit/s) | |
| # (!) raise the default queue limit from 50 to 1024 (1:1 ratio with flows) | |
| # "default": traffic not assigned to a queue by a rule lands here; none of the | |
| # rules in this file assign a queue, so all outbound traffic on em0 uses it. | |
| # NOTE(review): em0 is hard-coded while every rule uses the egress group -- | |
| # confirm em0 is the egress interface. | |
| queue outq on em0 bandwidth 9M max 9M flows 1024 qlimit 1024 default # 10Mb/s Up | |
| # Sanitizing packet content | |
| # no-df + random-id = unique IP identifiers | |
| # max-mss must match net.inet.tcp.mssdflt in /etc/sysctl.conf | |
| # Applied to every inbound packet on every non-skipped interface: | |
| #   no-df      clear the don't-fragment bit | |
| #   random-id  replace the IP identification field with a random value | |
| #   max-mss    clamp the TCP MSS option to 1440 | |
| anchor "scrub" in { | |
| match in all scrub (no-df random-id max-mss 1440) | |
| } | |
| # NAT | |
| # IPv4 only: packets leaving egress that carry the LAN_INET tag are translated | |
| # to the first address of the egress interface ((egress:0)) with source ports | |
| # drawn from 1024:65535, then retagged LAN_INET_NAT, which is the tag the | |
| # "external"/out/"inet" anchor passes. IPv6 (LAN6_INET6) is not translated. | |
| anchor "nat" out on egress inet tagged LAN_INET { | |
| match out log \ | |
| nat-to (egress:0) port 1024:65535 \ | |
| tag LAN_INET_NAT | |
| } | |
| # Classification -- classify packets based on the defined firewall policy. | |
| # Block spoofed traffic | |
| # http://man.openbsd.org/pf.conf#Blocking_Spoofed_Traffic | |
| # antispoof expands to block rules for packets whose source address belongs | |
| # to one of these interfaces' networks but arrive on a different interface. | |
| # Parenthesised names are re-evaluated when the interface addresses change. | |
| # "quick" here: a spoofed packet is dropped immediately, no later rule applies. | |
| antispoof log quick for { (egress) lo0 (enc) (tun) (vether) (tap) (vlan) (svlan) } | |
| # Without "quick" a later pass (e.g. the "internal" anchor on enc/tun, which | |
| # matches the VPN-tagged rules) can still override this block. | |
| antispoof log for { (lan) (wlan) } # why not quick? We allow them on enc | |
| # Block undesirable traffic | |
| # The rule bodies live in /etc/pf.conf.anchor.block (not shown); these lines | |
| # only decide which packets are evaluated against each child anchor. | |
| # Presumably where <martians>, <permanentban>, <adhosts>, <malware> are used. | |
| anchor "block/all" | |
| anchor "block/in-quick-scan" in proto tcp | |
| anchor "block/in-quick-bad" in on egress | |
| anchor "block/out-quick-bad" out on egress | |
| load anchor "block" from "/etc/pf.conf.anchor.block" | |
| # "external": everything on the egress group, split into an out and an in | |
| # sub-anchor. Tag convention as used below: SELF_INET = this host -> Internet, | |
| # INET_SELF = Internet -> this host. LAN traffic reaches the out side already | |
| # retagged by the "nat" anchor (LAN_INET_NAT) or, for IPv6, as LAN6_INET6. | |
| anchor "external" on egress { | |
| anchor out { | |
| # Outbound inet from LAN | |
| anchor "inet" inet tagged LAN_INET_NAT { | |
| pass log | |
| } | |
| # Outbound inet6 from LAN | |
| anchor "inet6" inet6 tagged LAN6_INET6 { | |
| pass log | |
| } | |
| # Outbound from self | |
| # user/group matching only works for sockets owned by this host, hence the | |
| # source pinned to (egress); "log (user)" additionally records the socket | |
| # owner in pflog. Each rule is restricted to the daemons expected to use it. | |
| anchor "self" proto { ipv6 tcp udp } from (egress) { | |
| # DOMAIN | |
| pass log (user) proto { tcp udp } \ | |
| to port domain \ | |
| user { _unbound root } \ | |
| tag SELF_INET | |
| # NTP | |
| pass log (user) proto udp \ | |
| to port ntp \ | |
| user { _ntp root } \ | |
| tag SELF_INET | |
| # DHCP | |
| # No user restriction here (the client socket is bound before privilege drop). | |
| pass log (user) proto udp \ | |
| from port bootpc to port bootps \ | |
| tag SELF_INET | |
| # DHCPv6 | |
| # pass log inet6 proto udp \ | |
| # from port dhcpv6-client to ff02::1:2 port dhcpv6-server \ | |
| # tag SELF_INET | |
| # HTTP and HTTPS | |
| pass log (user) proto tcp \ | |
| to port { http https } \ | |
| user { _ntp _pfetch _pkgfetch _relayd _syspatch root puffy } \ | |
| tag SELF_INET | |
| # FTP | |
| # Matched by group rather than user; note this rule sets no tag. | |
| pass log (user) proto tcp \ | |
| to port ftp \ | |
| group _ftp_proxy | |
| # Caesonia | |
| # NOTE(review): <caesonia> holds documentation-prefix addresses that are also | |
| # in <martians>; presumably placeholders -- confirm, since a martians block in | |
| # the "block" anchor would make this rule unreachable. | |
| pass log proto tcp \ | |
| to <caesonia> port submission \ | |
| user _smtpd \ | |
| tag SELF_INET | |
| # SSH and WHOIS | |
| pass log (user) proto tcp \ | |
| to port { ssh whois } \ | |
| user { root puffy } \ | |
| tag SELF_INET | |
| # IPv6 HE.net (6in4) | |
| # proto ipv6 = IP protocol 41 (6in4 encapsulation) to the tunnel broker; | |
| # if-bound keeps the state tied to the interface it was created on. | |
| pass log proto ipv6 \ | |
| to 216.66.38.58 \ | |
| keep state (if-bound) | |
| } | |
| } | |
| # Inbound | |
| # Only packets addressed to the egress interface's own addresses get here, | |
| # so the rdr-to/pass rules below cannot be reached for forwarded traffic. | |
| anchor in proto { ipv6 tcp udp } to (egress) { | |
| # IPv6 HE.net (6in4) | |
| pass log proto ipv6 \ | |
| from 216.66.38.58 \ | |
| keep state (if-bound) | |
| # DHCPv6 | |
| # pass log inet6 proto udp \ | |
| # to port dhcpv6-client \ | |
| # tag INET_SELF | |
| # relayd HTTP layer7 TLS acceleration | |
| # Avoid interface certificate for egress (split IPv4/6 for redirect) | |
| # Separate inet/inet6 rules so rdr-to picks the <relay> entry of the same family. | |
| pass in log inet proto tcp \ | |
| to port https rdr-to <relay> \ | |
| tag INET_SELF | |
| pass in log inet6 proto tcp \ | |
| to port https rdr-to <relay> \ | |
| tag INET_SELF | |
| # relayd TCP layer7 SSH gateway | |
| # Scheduled access for "etc/pf.schedule" (!) see var/cron/tabs/root | |
| # https://marc.info/?l=openbsd-misc&m=149160678428354&w=2 | |
| # Only sources in <schedule> may connect. max-src-conn-rate 100/10: once a | |
| # source opens more than 100 new connections in 10 s, further ones no longer | |
| # match this rule and fall through to the block policy; there is no overload | |
| # table, so the source is rate-limited, not banned. "label" gives per-rule | |
| # counters (pfctl -vs rules). | |
| pass log proto tcp \ | |
| from <schedule> to port 2222 \ | |
| keep state (max-src-conn-rate 100/10) \ | |
| label schedule \ | |
| tag INET_SELF | |
| # Allow traceroute | |
| # pass in log proto udp \ | |
| # to port { 33435:33525 } \ | |
| # keep state (max 32) \ | |
| # tag INET_SELF | |
| } | |
| } # end "external" | |
| # Relay daemon | |
| # Child anchors under relayd/ are filled at runtime by relayd(8) itself. | |
| anchor "relayd/*" | |
| # RELAYD is set by the NTP rdr-to rules under "internal"; the VPN interfaces | |
| # get an if-bound state so the redirected flow stays on the tunnel. | |
| anchor "relayd_layer3" tagged RELAYD { | |
| pass log | |
| anchor "relayd_layer3_vpn" on { enc tun } { | |
| pass log keep state (if-bound) | |
| } | |
| } | |
| # Trivial File Transfer Protocol proxy | |
| # Child anchors filled at runtime by tftp-proxy(8) (divert target: lo0:6969). | |
| anchor "tftp-proxy/*" | |
| # Secure forward ftp proxy | |
| # http://man.openbsd.org/ftp-proxy | |
| # Child anchors filled at runtime by ftp-proxy(8). The FTP_PROXY/FTP_PROXY6 | |
| # tags are not set anywhere in this file; presumably applied by the proxy's | |
| # rules (ftp-proxy -T) -- confirm against its rc flags. These passes are | |
| # unrestricted by interface or direction. | |
| anchor "ftp-proxy/*" | |
| pass log tagged FTP_PROXY | |
| pass log tagged FTP_PROXY6 | |
| # Anchor rules for various authenticated peers | |
| # all child anchors (/*) within authpf anchor (loaded from | |
| # /etc/authpf/users/$USER/authpf.rules) will be evaluated | |
| # Only packets sourced from <authpf_users> are evaluated against the users' | |
| # rulesets. | |
| anchor "authpf/*" from <authpf_users> | |
| # Retag authpf traffic so it takes the same path as ordinary LAN traffic: | |
| # LAN_INET feeds the "nat" anchor, LAN6_INET6 the "external"/"inet6" anchor. | |
| # AUTHPF_INET is not set in this file; presumably by the per-user rules. | |
| match inet tagged AUTHPF_INET tag LAN_INET | |
| match inet6 tagged AUTHPF_INET tag LAN6_INET6 | |
| # "internal": the inside interfaces (lan, wlan) plus the VPN interfaces | |
| # (enc, tun). TCP/UDP only; ICMP appears to be handled solely by the "icmp" | |
| # anchor at the end of the file. Tags used here: LAN = peer -> LAN, | |
| # LAN_INET = LAN -> Internet (consumed by "nat" and "external"), | |
| # LAN_SELF / LAN6_SELF6 = LAN -> this host or its proxies. The VPN tag is | |
| # not set in this file; presumably by the "vpn" anchor -- confirm. | |
| anchor "internal" on { lan wlan enc tun } proto { tcp udp } { | |
| # Inbound | |
| anchor in { | |
| # DHCPv6 Server for DNS requests (!) see etc/rtadvd.conf | |
| # Link-local clients to the All_DHCP_Relay_Agents_and_Servers group. | |
| anchor inet6 proto udp from port dhcpv6-client to port dhcpv6-server { | |
| pass log from fe80::/10 to ff02::1:2 | |
| anchor on { enc tun } { | |
| pass log from fe80::/10 to ff02::1:2 keep state (if-bound) | |
| } | |
| } | |
| # Incoming traffic from trusted peers to LAN (VPN:network hack) | |
| # The /24 and /64 suffixes derive the VPN networks from the tun/enc | |
| # interface addresses; they must be adjusted if the VPN subnets change. | |
| anchor from { <knownhosts> <authpf_users> } to { (self:network) (tun)/24 (enc)/64 (enc)/24 } { | |
| anchor ! tagged VPN { | |
| pass log proto { tcp udp } tag LAN | |
| } | |
| anchor tagged VPN { | |
| pass log proto { tcp udp } keep state (if-bound) tag LAN | |
| } | |
| } | |
| # Incoming traffic from trusted peers to LAN_INET | |
| # Anything from <knownhosts> that was not tagged LAN above (i.e. not bound | |
| # for a local network) is allowed out to the Internet. | |
| anchor from <knownhosts> ! tagged LAN { | |
| # nested tag check | |
| anchor ! tagged VPN { | |
| pass log proto { tcp udp } tag LAN_INET | |
| } | |
| anchor tagged VPN { | |
| pass log proto { tcp udp } keep state (if-bound) tag LAN_INET | |
| } | |
| } | |
| # ftp for trusted peers | |
| # Diverted to ftp-proxy listening on port 8021 at the $fb1 addresses | |
| # (from the relayd macro include); retagged as traffic to self. | |
| anchor proto tcp to port ftp tagged LAN_INET { | |
| pass log inet \ | |
| divert-to $fb1_IPv4 port 8021 \ | |
| tag LAN_SELF | |
| pass log inet6 \ | |
| divert-to $fb1_IPv6 port 8021 \ | |
| tag LAN6_SELF6 | |
| } | |
| # and guests | |
| # From here on the source is not restricted to <knownhosts>. | |
| # tftp-proxy (split IPv4/6) | |
| anchor on { lan wlan } proto udp to <relay> port tftp { | |
| pass log inet \ | |
| divert-to lo0 port 6969 \ | |
| tag LAN_SELF | |
| pass log inet6 \ | |
| divert-to lo0 port 6969 \ | |
| tag LAN6_SELF6 | |
| } | |
| # relayd UDP layer3 NTP redirect | |
| # Allow devices with hardcoded ntp servers to get local time (split IPv4/6) | |
| # Only NTP not already aimed at <relay> is redirected; the RELAYD tag is | |
| # what the "relayd_layer3" anchor passes. | |
| anchor proto udp to ! <relay> port ntp { | |
| pass in log inet \ | |
| rdr-to <relay> port ntp \ | |
| tag RELAYD | |
| pass in log inet6 \ | |
| rdr-to <relay> port ntp \ | |
| tag RELAYD | |
| } | |
| # relayd DNS layer7 DNS-sanitizing proxy | |
| anchor proto udp to <relay> port domain { | |
| anchor ! tagged VPN { | |
| pass log tag LAN_SELF | |
| } | |
| anchor tagged VPN { | |
| pass log keep state (if-bound) | |
| } | |
| } | |
| # relayd TCP layer7 SSH gateway | |
| anchor proto tcp to <relay> port 2222 { | |
| anchor ! tagged VPN { | |
| pass log tag LAN_SELF | |
| } | |
| anchor tagged VPN { | |
| pass log keep state (if-bound) | |
| } | |
| } | |
| # ssh to LAN_SELF | |
| # NOTE(review): vether0 is a concrete interface name, unlike the groups used | |
| # elsewhere; confirm it is the intended SSH listener address. | |
| anchor proto tcp to (vether0) port ssh { | |
| anchor ! tagged VPN { | |
| pass log tag LAN_SELF | |
| } | |
| anchor tagged VPN { | |
| pass log keep state (if-bound) | |
| } | |
| } | |
| # relayd HTTP layer7 TLS acceleration | |
| anchor proto tcp to <relay> port https { | |
| anchor ! tagged VPN { | |
| pass log tag LAN_SELF | |
| } | |
| anchor tagged VPN { | |
| pass log keep state (if-bound) | |
| } | |
| } | |
| # www (and Google Play) to LAN_INET | |
| # Guest Internet access: any source on these interfaces, but only to | |
| # web ports and 5228 on destinations outside the local network. | |
| anchor proto tcp to ! (self:network) port { http https 5228 } { | |
| anchor ! tagged VPN { | |
| pass log tag LAN_INET | |
| } | |
| anchor tagged VPN { | |
| pass log keep state (if-bound) tag LAN_INET | |
| } | |
| } | |
| # relayd HTTP layer7 HTTP proxy (split IPv4/6) | |
| # <httpfilter> is empty at load, so this is inert until populated at runtime. | |
| anchor proto tcp from <httpfilter> to port http tagged LAN_INET { | |
| pass log inet \ | |
| divert-to $rly_IPv4 port 8080 \ | |
| tag LAN_SELF | |
| pass log inet6 \ | |
| divert-to $rly_IPv6 port 8080 \ | |
| tag LAN6_SELF6 | |
| } | |
| # relayd HTTP layer7 TLS inspection (split IPv4/6) | |
| # <tlsinspect> is empty at load, so this is inert until populated at runtime. | |
| anchor proto tcp from <tlsinspect> to port https tagged LAN_INET { | |
| pass log inet \ | |
| divert-to lo0 port 8443 \ | |
| tag LAN_SELF | |
| pass log inet6 \ | |
| divert-to lo0 port 8443 \ | |
| tag LAN6_SELF6 | |
| } | |
| # Split IPv4/6 from LAN_INET (!) not for proxy (e.g. divert-to, rdr-to) | |
| # IPv6 LAN_INET becomes LAN6_INET6, the tag the "external"/"inet6" anchor | |
| # passes (there is no NAT step for IPv6). Proxied flows were already | |
| # retagged LAN_SELF/LAN6_SELF6 above and are therefore not affected. | |
| anchor inet6 tagged LAN_INET { | |
| match tag LAN6_INET6 | |
| } | |
| } | |
| # Outbound | |
| anchor out { | |
| # DHCPv6 Server for DNS requests | |
| # pass log inet6 proto udp \ | |
| # from { (lan) (wlan) } to fe80::/10 port dhcpv6-client \ | |
| # tag SELF6_LAN6 | |
| # Open LAN for trusted peers (keep tag) | |
| anchor tagged LAN { | |
| pass log proto { tcp udp } | |
| anchor on { enc tun } { | |
| pass log proto { tcp udp } keep state (if-bound) | |
| } | |
| } | |
| # Open LAN for self, skip VPN (keep tag) | |
| anchor proto { tcp udp } from (self) { | |
| pass log proto { tcp udp } | |
| anchor on { enc tun } { | |
| pass log proto { tcp udp } keep state (if-bound) | |
| } | |
| # Last matching rule wins: this block overrides the pass above for | |
| # self-originated traffic with IPsec/L2TP source ports, leaving that | |
| # traffic to the "vpn" anchor. | |
| anchor proto { tcp udp } from port { l2tp isakmp ipsec-nat-t } { | |
| block log | |
| } | |
| } | |
| } | |
| } # end "internal" | |
| # SDN | |
| #anchor "sdn" on { vether tap } | |
| #load anchor "sdn" from "/etc/pf.conf.anchor.sdn" | |
| # The anchors below only select which packets are evaluated; their rule | |
| # bodies come from the loaded files (not shown). Being last in the file, | |
| # and pf deciding by the last matching rule, they can override earlier | |
| # non-quick rules. | |
| # VLAN | |
| # Only intra-VLAN TCP/UDP (both ends within the vlan interface's network). | |
| anchor "vlan" on vlan proto { tcp udp } from (vlan:network) to (vlan:network) | |
| load anchor "vlan" from "/etc/pf.conf.anchor.vlan" | |
| # VPN (IKEv1 and IKEv2) | |
| # vpn_if: IKE/NAT-T (udp) and ESP on the physical interfaces; vpn_enc: the | |
| # decapsulated side; vpn_echo: inbound TCP echo over the tunnels. | |
| anchor "vpn/vpn_if" on { egress lan wlan } proto { esp udp } | |
| anchor "vpn/vpn_enc" on enc proto { ipencap udp } | |
| anchor "vpn/vpn_echo" in on { enc tun } proto tcp to port echo | |
| load anchor "vpn" from "/etc/pf.conf.anchor.vpn" | |
| # ICMP and ICMP6 | |
| # The "external" and "internal" anchors restrict proto to ipv6/tcp/udp, so | |
| # this appears to be the only place ICMP can be passed -- confirm in the file. | |
| anchor "icmp/ipv4-icmp" inet proto icmp | |
| anchor "icmp/ipv6-icmp" inet6 proto icmp6 | |
| load anchor "icmp" from "/etc/pf.conf.anchor.icmp" | |