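# pf.conf for mur.sial.org running OpenBSD 3.3.
#
# Layout: macros, tables, options, normalization, queueing, translation,
# filtering (public, private, DMZ interfaces), anchors.  pf evaluates
# rules last-match-wins unless a rule says "quick"; the per-interface
# "default-block" rules therefore sit first in their section and the
# "pass" rules below them override.  A "keep state" entry made on one
# interface also carries the same packet through the next interface it
# traverses (e.g. a SYN rdr'd from $if_pub to $server on $if_dmz), which
# is why the DMZ section has no explicit "pass out" for the public
# services.
#
# NOTE(review): the "<name>" tokens after "table" and in the "{ , , }"
# lists and "from"/"to" clauses below were lost when this listing was
# extracted.  They must be restored from the original file before this
# ruleset can load; as written pfctl will reject it.

# Macros
if_pub="dc0"
if_pvt="fxp0"
if_dmz="fxp1"

# ~95% of outgoing ADSL line speed, measured at 272 Kbps 2003-05-31
bw_up="258Kb"
# measured at 640 Kbps, not sure whether incoming needs the 95% rule
bw_down="640Kb"

# easy ref. to main server
server="192.168.144.3"
airport="192.168.0.100"

# Tables
# special address blocks (see RFC 3330)
table const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
table const { 169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23 }
table const { 224.0.0.0/4, 255.255.255.255 }
# where incoming SSH can come from
table persist {}
# where DMZ SSH can go to (non-local addresses)
table persist file "/etc/pf/dmz_ssh"
table persist {}
# dynamic table to throw IP we do not like into. This includes hosts
# that abuse services: web robots, spammers, and etc.
table persist file "/etc/pf/badhosts"
# local networks
table const { $if_pvt:network, $if_dmz:network }

# Options
# Options: tune the behavior of pf, default values are given.
#set timeout { interval 30, frag 10 }
#set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
#set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
#set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
#set timeout { icmp.first 20, icmp.error 10 }
#set timeout { other.first 60, other.single 30, other.multiple 60 }
#set limit { states 10000, frags 5000 }
#set loginterface none
#set optimization normal
set optimization conservative
#set block-policy drop
#set require-order yes
#set loginterface $if_pub

# Normalization
# reassemble fragments before filtering, randomize IP ids, clear DF so
# reassembled packets can be re-fragmented on the way out
scrub all fragment reassemble random-id no-df

# Queueing
# traffic to Internet
altq on $if_pub cbq bandwidth $bw_up queue { bulk, chat, fast }
queue bulk bandwidth 80% priority 0 cbq(default borrow red)
queue chat bandwidth 10% priority 4 cbq(red)
queue fast bandwidth 10% priority 7 cbq(borrow red)
# traffic from Internet
altq on $if_dmz cbq bandwidth 100Mb queue { std_dmz }
altq on $if_pvt cbq bandwidth 100Mb queue { std_pvt }
# UNTEST can two different interfaces share a queue?
# yes, creates two different queue trees for each interface internally
queue std_dmz { internal_dmz, outgoing }
queue std_pvt { internal_pvt, outgoing }
queue internal_dmz cbq(default)
queue internal_pvt cbq(default)
queue outgoing cbq bandwidth $bw_down { in_bulk, in_chat, in_fast }
queue in_bulk bandwidth 50% priority 0 cbq(borrow red) { in_bulk_std, in_bulk_smtp, in_bulk_ssh }
queue in_bulk_std bandwidth 40% cbq(borrow red)
queue in_bulk_smtp priority 2 bandwidth 10% cbq(borrow red)
queue in_bulk_ssh priority 3 bandwidth 50% cbq(borrow red)
queue in_chat bandwidth 25% priority 4
queue in_fast bandwidth 25% priority 7

# Translation
# internal traffic needs to be set to the Internet address
nat on $if_pub inet from ! ($if_pub) to any -> ($if_pub)

# SSH, plus alternates if in organization blocks outgoing 22, but maybe
# allows other ports out
rdr on $if_pub inet proto tcp from any to ($if_pub) port 22 -> $server port 22
#rdr on $if_pub inet proto tcp from any to ($if_pub) port 23 -> $server port 22
#rdr on $if_pub inet proto tcp from any to ($if_pub) port 2222 -> $server port 22
# email
rdr on $if_pub inet proto tcp from any to ($if_pub) port 25 -> $server port 25
rdr on $if_pub inet proto tcp from any to ($if_pub) port 587 -> $server port 587
# web services
rdr on $if_pub inet proto tcp from any to ($if_pub) port 80 -> $server port 80
rdr on $if_pub inet proto tcp from any to ($if_pub) port 443 -> $server port 443
# pastebot
rdr on $if_pub inet proto tcp from any to ($if_pub) port 8888 -> $server port 8888
# DMZ hosts' outbound HTTP is transparently redirected to a proxy on
# $server:8000 (every DMZ web fetch goes through it)
rdr on $if_dmz inet proto tcp from any to ! $server port 80 -> $server port 8000
# allow fiddling with DMZ redirections
nat-anchor authpf
rdr-anchor authpf
binat-anchor authpf
rdr-anchor dmz on $if_dmz

# Filtering
pass quick on lo0 all
# IPv6 on the private LAN is passed completely unfiltered, in both
# directions; revisit before IPv6 is ever routed beyond that segment.
pass quick on $if_pvt inet6 all
block log quick from no-route
block return log quick to no-route
# illegal TCP flags
#block log quick proto tcp flags R/R label badtcp
#block log quick proto tcp flags /S label badtcp
#block log quick proto tcp flags A/A label badtcp

# public interface rules
# "return" answers blocked packets with RST/unreachable rather than
# dropping silently; friendlier to legitimate clients, slightly more
# informative to scanners.
block return log on $if_pub queue bulk label "$if:default-block"
#block in log quick on $if_pub proto tcp from any to any flags FUP/FUP label nmapfpr
#block in log quick on $if_pub proto tcp from any to any flags SF/SFRA label nmapfpr
#block in log quick on $if_pub proto tcp from any to any flags /SFRA label nmapfpr
# various rules to keep illegal stuff from coming in or escaping to Internet
block return out log quick on $if_pub inet from !($if_pub) queue bulk label spoof
block return out log quick on $if_pub to { , , } queue bulk label "$if:bad-dest-out"
block in log quick on $if_pub from { , , , } label "$if:bad-src-in"
pass in on $if_pub inet proto icmp all icmp-type 8 code 0 keep state
# SSH from the Internet only from the listed sources
pass in on $if_pub proto tcp from to any port 22 keep state queue(in_bulk_ssh, in_chat)
# "keep state" is needed here as on the sibling rules: the SYN is rdr'd
# to $server and leaves on $if_dmz, where nothing passes 25/587 out --
# only the state created by this rule lets it (and the reply) through.
pass in on $if_pub proto tcp from any to any port { 25, 587 } keep state queue(in_bulk_smtp, in_fast)
pass in on $if_pub proto tcp from any to any port { 80, 443, 8888 } keep state queue(in_bulk_std, in_fast)
pass out on $if_pub inet proto icmp all icmp-type 8 code 0 keep state queue bulk
pass out on $if_pub proto udp all keep state queue bulk
pass out on $if_pub proto tcp all modulate state flags S/SAFR queue(bulk, fast)
pass out on $if_pub proto tcp from any to any port 22 modulate state flags S/SAFR queue(bulk, chat)
pass out on $if_pub proto tcp from any to any port 6667 modulate state flags S/SAFR queue(chat, fast)
pass out on $if_pub proto udp from any to any port { 53, 123 } keep state queue chat

# Private interface rules
# There is no "block" rule for $if_pvt, so this interface is pass-by-
# default; the rules below exist to attach states and queues, not to
# restrict anything.
#pass in log on $if_pvt all label pvtpass
#pass out log on $if_pvt all label pvtpass
# NOTE(review): these are "out" on the LAN interface yet match only
# non-local destinations, which packets leaving toward the LAN never
# have -- as written they look like they never match and the queue
# assignment is lost.  Confirm the intended direction/clause against
# the original (the stripped table name is presumably localnets).
pass out on $if_pvt proto udp to ! keep state queue(in_bulk_std)
pass out on $if_pvt proto tcp to ! keep state queue(in_bulk_std, in_fast)
pass out on $if_pvt proto tcp to ! port 22 keep state queue(in_bulk_ssh, in_chat)
pass out on $if_pvt proto tcp to ! port { 25, 587 } keep state queue(in_bulk_smtp, in_fast)
pass out on $if_pvt proto tcp to ! port 6667 keep state queue(in_chat, in_fast)
pass out on $if_pvt proto tcp to ! port { 53, 123 } keep state queue(in_chat)

# DMZ interface rules
block return log on $if_dmz all label "$if:default-block"
block return out log quick on $if_dmz to { !$if_dmz:network, , } label "$if:bad-dest-out"
block return in log quick on $if_dmz from { !$if_dmz:network, , , } label "$if:bad-src-in"
pass on $if_dmz inet proto icmp all icmp-type 8 code 0 keep state
pass out on $if_dmz proto tcp to $if_dmz:network port 22 keep state
# syslog from the AirPort base station; UDP, unauthenticated
pass in on $if_dmz proto udp from $airport to $server port 514 keep state
pass in on $if_dmz proto { tcp, udp } to $server port { 53 } keep state
pass in on $if_dmz proto udp to $server port 123 keep state
pass in on $if_dmz proto tcp to $server port { 25, 80, 443, 587 } keep state
# NOTE(review): DMZ hosts may open SSH to *any* host on the private LAN,
# so a compromised DMZ box can pivot inward.  Consider narrowing this to
# the admin host(s) that actually need it.
pass in on $if_dmz proto tcp to { $if_dmz, $if_pvt:network } port 22 keep state
pass in on $if_dmz proto tcp to port 22 modulate state flags S/SAFR queue(in_bulk_ssh, in_chat)
pass in on $if_dmz proto udp to port 123 keep state queue(in_chat, in_fast)
pass in on $if_dmz proto tcp to $server port 8000 modulate state flags S/SAFR
# the hostname is resolved once, when the ruleset is loaded: pfctl fails
# if DNS is unavailable at that moment, and the rule silently goes stale
# if the address changes.
pass in on $if_dmz proto tcp to cvs.sourceforge.net port 2401 modulate state flags S/SAFR queue(in_bulk_std, in_fast)
# allow me to fiddle with the DMZ rules
anchor dmz on $if_dmz
anchor authpf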