Permalink
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
417 lines (358 sloc) 10.9 KB
# $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf
# read the log file: tcpdump -n -e -ttt -r /var/log/pflog
# real-time logging: tcpdump -neq -ttt -i pflog0
# tcpdump -nettti pflog0 action drop
# tcpdump -vvopn -i enc0
# show queue: pfctl -vvs queue
# systat queues
# show stats: pfctl -s info
# systat pf
# show states: pfctl -s states
# systat states
# table stats: pfctl -v -t martians -T show
# show rule nr. 4: pfctl -v -s rules -R 4
# show rules, prepend rule numbers: pfctl -a '*' -vvsr
# systat rules
# show limits: pfctl -s memory
# https://www.iana.org/assignments/iana-ipv4-special-registry/
# https://www.iana.org/assignments/iana-ipv6-special-registry/
table <martians> const persist counters { \
0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16 \
172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 192.168.0.0/16 198.18.0.0/15 \
198.51.100.0/24 203.0.113.0/24 240.0.0.0/4 255.255.255.255/32 \
::1/128 ::/128 ::/96 ::ffff:0:0/96 100::/64 2001::/32 2001:2::/48 \
2001:db8::/32 fc00::/7 }
# Full access table (for test)
table <knownhosts> persist counters {}
# Enable with: touch /etc/authpf/authpf.conf
table <authpf_users> persist counters
# Block bad hosts
table <permanentban> persist counters file "/etc/pf.permanentban"
# Update the adhosts IP list every month (!) see var/cron/tabs/root
table <adhosts> persist counters file "/etc/pf.adhosts"
# Update the malware IP list every month (!) see var/cron/tabs/root
table <malware> persist counters file "/etc/pf.malware"
# Scheduled access for "etc/pf.schedule" (!) see var/cron/tabs/root
# https://marc.info/?l=openbsd-misc&m=149160678428354&w=2
table <schedule> persist counters
# relayd
include "/etc/pf.conf.macro.relayd" # relayd and fallback IP
table <relay> persist counters { $rly_IPv4 $rly_IPv6 }
table <httpfilter> persist counters {}
table <tlsinspect> persist counters {}
# Caesonia
table <caesonia> persist counters { \
203.0.113.1 \
2001:0db8::1 \
203.0.113.2 \
2001:0db8::2 }
# Options
set loginterface egress
set optimization normal
set block-policy drop
set syncookies adaptive (start 25%, end 12%)
set skip on { lo0 }
# Queue - HFSC with FQ-CoDel (reduce bufferbloat and achieve fairness)
# (!) specify the upper bound within 90-95% of the expected bandwidth (bit/s)
# (!) raise the default queue limit from 50 to 1024 (1:1 ratio with flows)
queue outq on em0 bandwidth 9M max 9M flows 1024 qlimit 1024 default # 10Mb/s Up
# Sanitizing packet content
# no-df + random-id = unique IP identifiers
# max-mss must match net.inet.tcp.mssdflt in /etc/sysctl.conf
anchor "scrub" in {
match in all scrub (no-df random-id max-mss 1440)
}
# NAT
anchor "nat" out on egress inet tagged LAN_INET {
match out log \
nat-to (egress:0) port 1024:65535 \
tag LAN_INET_NAT
}
# Classification -- classify packets based on the defined firewall policy.
# Block spoofed traffic
# http://man.openbsd.org/pf.conf#Blocking_Spoofed_Traffic
antispoof log quick for { (egress) lo0 (enc) (tun) (vether) (tap) (vlan) (svlan) }
antispoof log for { (lan) (wlan) } # why not quick? We allow them on enc
# Block undesirable traffic
anchor "block/all"
anchor "block/in-quick-scan" in proto tcp
anchor "block/in-quick-bad" in on egress
anchor "block/out-quick-bad" out on egress
load anchor "block" from "/etc/pf.conf.anchor.block"
anchor "external" on egress {
anchor out {
# Outbound inet from LAN
anchor "inet" inet tagged LAN_INET_NAT {
pass log
}
# Outbound inet6 from LAN
anchor "inet6" inet6 tagged LAN6_INET6 {
pass log
}
# Outbound from self
anchor "self" proto { ipv6 tcp udp } from (egress) {
# DOMAIN
pass log (user) proto { tcp udp } \
to port domain \
user { _unbound root } \
tag SELF_INET
# NTP
pass log (user) proto udp \
to port ntp \
user { _ntp root } \
tag SELF_INET
# DHCP
pass log (user) proto udp \
from port bootpc to port bootps \
tag SELF_INET
# DHCPv6
# pass log inet6 proto udp \
# from port dhcpv6-client to ff02::1:2 port dhcpv6-server \
# tag SELF_INET
# HTTP and HTTPS
pass log (user) proto tcp \
to port { http https } \
user { _ntp _pfetch _pkgfetch _relayd _syspatch root puffy } \
tag SELF_INET
# FTP
pass log (user) proto tcp \
to port ftp \
group _ftp_proxy
# Caesonia
pass log proto tcp \
to <caesonia> port submission \
user _smtpd \
tag SELF_INET
# SSH and WHOIS
pass log (user) proto tcp \
to port { ssh whois } \
user { root puffy } \
tag SELF_INET
# IPv6 HE.net (6in4)
pass log proto ipv6 \
to 216.66.38.58 \
keep state (if-bound)
}
}
# Inbound
anchor in proto { ipv6 tcp udp } to (egress) {
# IPv6 HE.net (6in4)
pass log proto ipv6 \
from 216.66.38.58 \
keep state (if-bound)
# DHCPv6
# pass log inet6 proto udp \
# to port dhcpv6-client \
# tag INET_SELF
# relayd HTTP layer7 TLS acceleration
# Avoid interface certificate for egress (split IPv4/6 for redirect)
pass in log inet proto tcp \
to port https rdr-to <relay> \
tag INET_SELF
pass in log inet6 proto tcp \
to port https rdr-to <relay> \
tag INET_SELF
# relayd TCP layer7 SSH gateway
# Scheduled access for "etc/pf.schedule" (!) see var/cron/tabs/root
# https://marc.info/?l=openbsd-misc&m=149160678428354&w=2
pass log proto tcp \
from <schedule> to port 2222 \
keep state (max-src-conn-rate 100/10) \
label schedule \
tag INET_SELF
# Allow traceroute
# pass in log proto udp \
# to port { 33435:33525 } \
# keep state (max 32) \
# tag INET_SELF
}
} # end "external"
# Relay daemon
anchor "relayd/*"
anchor "relayd_layer3" tagged RELAYD {
pass log
anchor "relayd_layer3_vpn" on { enc tun } {
pass log keep state (if-bound)
}
}
# Trivial File Transfer Protocol proxy
anchor "tftp-proxy/*"
# Secure forward ftp proxy
# http://man.openbsd.org/ftp-proxy
anchor "ftp-proxy/*"
pass log tagged FTP_PROXY
pass log tagged FTP_PROXY6
# Anchor rules for various authenticated peers
# all child anchors (/*) within authpf anchor (loaded from
# /etc/authpf/users/$USER/authpf.rules) will be evaluated
anchor "authpf/*" from <authpf_users>
match inet tagged AUTHPF_INET tag LAN_INET
match inet6 tagged AUTHPF_INET tag LAN6_INET6
anchor "internal" on { lan wlan enc tun } proto { tcp udp } {
# Inbound
anchor in {
# DHCPv6 Server for DNS requests (!) see etc/rtadvd.conf
anchor inet6 proto udp from port dhcpv6-client to port dhcpv6-server {
pass log from fe80::/10 to ff02::1:2
anchor on { enc tun } {
pass log from fe80::/10 to ff02::1:2 keep state (if-bound)
}
}
# Incoming traffic from trusted peers to LAN (VPN:network hack)
anchor from { <knownhosts> <authpf_users> } to { (self:network) (tun)/24 (enc)/64 (enc)/24 } {
anchor ! tagged VPN {
pass log proto { tcp udp } tag LAN
}
anchor tagged VPN {
pass log proto { tcp udp } keep state (if-bound) tag LAN
}
}
# Incoming traffic from trusted peers to LAN_INET
anchor from <knownhosts> ! tagged LAN {
# nested tag check
anchor ! tagged VPN {
pass log proto { tcp udp } tag LAN_INET
}
anchor tagged VPN {
pass log proto { tcp udp } keep state (if-bound) tag LAN_INET
}
}
# ftp for trusted peers
anchor proto tcp to port ftp tagged LAN_INET {
pass log inet \
divert-to $fb1_IPv4 port 8021 \
tag LAN_SELF
pass log inet6 \
divert-to $fb1_IPv6 port 8021 \
tag LAN6_SELF6
}
# and guests
# tftp-proxy (split IPv4/6)
anchor on { lan wlan } proto udp to <relay> port tftp {
pass log inet \
divert-to lo0 port 6969 \
tag LAN_SELF
pass log inet6 \
divert-to lo0 port 6969 \
tag LAN6_SELF6
}
# relayd UDP layer3 NTP redirect
# Allow devices with hardcoded ntp servers to get local time (split IPv4/6)
anchor proto udp to ! <relay> port ntp {
pass in log inet \
rdr-to <relay> port ntp \
tag RELAYD
pass in log inet6 \
rdr-to <relay> port ntp \
tag RELAYD
}
# relayd DNS layer7 DNS-sanitizing proxy
anchor proto udp to <relay> port domain {
anchor ! tagged VPN {
pass log tag LAN_SELF
}
anchor tagged VPN {
pass log keep state (if-bound)
}
}
# relayd TCP layer7 SSH gateway
anchor proto tcp to <relay> port 2222 {
anchor ! tagged VPN {
pass log tag LAN_SELF
}
anchor tagged VPN {
pass log keep state (if-bound)
}
}
# ssh to LAN_SELF
anchor proto tcp to (vether0) port ssh {
anchor ! tagged VPN {
pass log tag LAN_SELF
}
anchor tagged VPN {
pass log keep state (if-bound)
}
}
# relayd HTTP layer7 TLS acceleration
anchor proto tcp to <relay> port https {
anchor ! tagged VPN {
pass log tag LAN_SELF
}
anchor tagged VPN {
pass log keep state (if-bound)
}
}
# www (and Google Play) to LAN_INET
anchor proto tcp to ! (self:network) port { http https 5228 } {
anchor ! tagged VPN {
pass log tag LAN_INET
}
anchor tagged VPN {
pass log keep state (if-bound) tag LAN_INET
}
}
# relayd HTTP layer7 HTTP proxy (split IPv4/6)
anchor proto tcp from <httpfilter> to port http tagged LAN_INET {
pass log inet \
divert-to $rly_IPv4 port 8080 \
tag LAN_SELF
pass log inet6 \
divert-to $rly_IPv6 port 8080 \
tag LAN6_SELF6
}
# relayd HTTP layer7 TLS inspection (split IPv4/6)
anchor proto tcp from <tlsinspect> to port https tagged LAN_INET {
pass log inet \
divert-to lo0 port 8443 \
tag LAN_SELF
pass log inet6 \
divert-to lo0 port 8443 \
tag LAN6_SELF6
}
# Split IPv4/6 from LAN_INET (!) not for proxy (e.g. divert-to, rdr-to)
anchor inet6 tagged LAN_INET {
match tag LAN6_INET6
}
}
# Outbound
anchor out {
# DHCPv6 Server for DNS requests
# pass log inet6 proto udp \
# from { (lan) (wlan) } to fe80::/10 port dhcpv6-client \
# tag SELF6_LAN6
# Open LAN for trusted peers (keep tag)
anchor tagged LAN {
pass log proto { tcp udp }
anchor on { enc tun } {
pass log proto { tcp udp } keep state (if-bound)
}
}
# Open LAN for self, skip VPN (keep tag)
anchor proto { tcp udp } from (self) {
pass log proto { tcp udp }
anchor on { enc tun } {
pass log proto { tcp udp } keep state (if-bound)
}
anchor proto { tcp udp } from port { l2tp isakmp ipsec-nat-t } {
block log
}
}
}
} # end "internal"
# SDN
#anchor "sdn" on { vether tap }
#load anchor "sdn" from "/etc/pf.conf.anchor.sdn"
# VLAN
anchor "vlan" on vlan proto { tcp udp } from (vlan:network) to (vlan:network)
load anchor "vlan" from "/etc/pf.conf.anchor.vlan"
# VPN (IKEv1 and IKEv2)
anchor "vpn/vpn_if" on { egress lan wlan } proto { esp udp }
anchor "vpn/vpn_enc" on enc proto { ipencap udp }
anchor "vpn/vpn_echo" in on { enc tun } proto tcp to port echo
load anchor "vpn" from "/etc/pf.conf.anchor.vpn"
# ICMP and ICMP6
anchor "icmp/ipv4-icmp" inet proto icmp
anchor "icmp/ipv6-icmp" inet6 proto icmp6
load anchor "icmp" from "/etc/pf.conf.anchor.icmp"