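# $OpenBSD: pf.conf,v 1.21 2003/09/02 20:38:44 david Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last match.
#
# NOTE(review): the angle-bracketed table names (<name>) were lost when this
# copy was extracted. Every "<placeholder_...>" below is a stand-in and must be
# replaced with the original table name before pfctl will load this file.

#########################################
# *** START MACRO & TABLE DEFINITIONS ***
#

# (Device)names of network interfaces
loc_if = "lo0"
int_if = "xl0"
ext_if = "rl0"

# IP addresses of network interfaces
loc_addr = "127.0.0.1"
int_addr = "192.168.0.3"
ext_addr = "132.175.118.161"

# CIDR address spaces of our networks
loc_net = "127.0.0.1/32"
int_net = "192.168.0.0/24"
ext_net = "132.175.118.161/32"

# Port intervals, icmp-types, etc
ftp_ports = "{ 50042 >< 52042 }"
icmp_types = "echoreq"

# Stateful packet filtering option macros, for clarity in the pf rules below
sf_udp = "keep state"
sf_icmp = "keep state"
sf_tcp = "flags S/SA modulate state"

# Restrictive access tables (for POP3 & syslog).
# Which table feeds the syslog (udp/514) rule and which the POP3 (tcp/110)
# rule cannot be recovered from this copy -- confirm against the original.
table <placeholder_table_a> { 180.126.21.182, 243.73.176.15, 243.73.158.228 }
table <placeholder_table_b> { 132.175.117.104 }

#
# *** END MACRO & TABLE DEFINITIONS ***
#######################################


###################################################
# *** START OPTIONS, SCRUBBING & QUEUEING RULES ***
#

# Options: tune the behavior of pf, default values are given.
#set timeout { interval 10, frag 30 }
#set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
#set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
#set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
#set timeout { icmp.first 20, icmp.error 10 }
#set timeout { other.first 60, other.single 30, other.multiple 60 }
#set timeout { adaptive.start 0, adaptive.end 0 }
#set limit { states 10000, frags 5000 }
#set loginterface none
#set optimization normal
#set block-policy drop
#set require-order yes
#set fingerprints "/etc/pf.os"

# Options that suit us better than the defaults.
# "return" answers blocked packets with RST/unreachable; the rules below that
# say "block drop" explicitly override this per rule.
set block-policy return

# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all

# Queueing: rule-based bandwidth control.
#altq on $ext_if bandwidth 15Kb cbq queue { dflt, developers, marketing }
#queue dflt bandwidth 5% cbq(default)
#queue developers bandwidth 80%
#queue marketing bandwidth 15%

#
# *** END OPTIONS, SCRUBBING & QUEUEING RULES ***
#################################################


#######################################
# *** START NAT & REDIRECTION RULES ***
#

# NAT: Do some NAT favors for the internal net (-:
nat on $ext_if from $int_net to any -> $ext_addr

# RDR: Redirect eDonkey2000/Overnet and WinMX traffic to my laptop
rdr on $ext_if proto tcp to $ext_if port 4662 -> 192.168.0.110 port 4662 # eDonkey
rdr on $ext_if proto udp to $ext_if port 4665 -> 192.168.0.110 port 4665 # eDonkey
rdr on $ext_if proto tcp to $ext_if port 6699 -> 192.168.0.110 port 6699 # WinMX
rdr on $ext_if proto udp to $ext_if port 6257 -> 192.168.0.110 port 6257 # WinMX

# RDR: Redirect outgoing FTP requests to the ftp-proxy
rdr on $int_if proto tcp from any to any port ftp -> $loc_if port 8021

# RDR: spamd-setup(8) puts addresses to be redirected into its table; <spamd>
# is the name that tool uses by default -- verify it matches the original.
table <spamd> persist
no rdr on $loc_if all
rdr inet proto tcp from <spamd> to any port smtp -> $loc_if port 8025

#
# *** END NAT & REDIRECTION RULES ***
######################################


#########################################
# *** START (STATEFUL) FIREWALL RULES ***
#

# External interface: anti-spoofing measures; with logging.
# Source addresses that can never legitimately arrive from the outside:
# loopback, all three RFC 1918 ranges (10/8 was previously missing) and
# our own external address.
block drop in quick log on $ext_if from 10.0.0.0/8 to any
block drop in quick log on $ext_if from 127.0.0.0/8 to any
block drop in quick log on $ext_if from 172.16.0.0/12 to any
block drop in quick log on $ext_if from 192.168.0.0/16 to any
block drop in quick log on $ext_if from $ext_addr to any

# External interface: drop ASAP Windows SMB & MS-SQL related packets; no logging
block drop in quick on $ext_if proto { tcp, udp } to port { 135, 137, 138, 139, 1433 }
block drop in quick on $ext_if proto { tcp, udp } from port { 135, 137, 138, 139, 1433 }

# External interface: drop UDP port 4669 crap without logging
block drop in quick on $ext_if proto udp to port 4669

# External interface: drop ASAP spammers; no logging
block drop in quick on $ext_if from 202.84.15.0/24 to any # Hongkong.com crap

# External interface: drop crap we don't want to see in our logs
block drop in quick on $ext_if to 0.0.0.0/32
block drop in quick on $ext_if from 0.0.0.0/32
block drop in quick on $ext_if to 224.0.0.0/4
block drop out quick on $ext_if to 224.0.0.0/4
block drop in quick on $ext_if to 255.255.255.255/32
block drop in quick on $ext_if from 255.255.255.255/32

# Local interface: TCP/UDP/ICMP incoming/outgoing connection
pass in quick on $loc_if all
pass out quick on $loc_if all

# Internal interface: TCP/UDP/ICMP incoming/outgoing connection
pass in quick on $int_if all
pass out quick on $int_if all

# External interface: incoming eDonkey2000/Overnet and WinMX traffic to my laptop.
# Translation runs before filtering, so these match the post-rdr destination.
pass in quick on $ext_if proto tcp to 192.168.0.110 port 4662 # eDonkey
pass in quick on $ext_if proto udp to 192.168.0.110 port 4665 # eDonkey
pass in quick on $ext_if proto tcp to 192.168.0.110 port 6699 # WinMX
pass in quick on $ext_if proto udp to 192.168.0.110 port 6257 # WinMX

# External interface: UDP incoming connections (syslog only from the table)
pass in quick on $ext_if proto udp to $ext_if port 53 $sf_udp
pass in quick on $ext_if proto udp from <placeholder_table_a> to $ext_if port 514 $sf_udp

# External interface: TCP incoming connections (POP3 only from the table)
pass in quick on $ext_if proto tcp to $ext_if port 22 $sf_tcp
pass in quick on $ext_if proto tcp to $ext_if port 25 $sf_tcp
pass in quick on $ext_if proto tcp to $ext_if port 80 $sf_tcp
pass in quick on $ext_if proto tcp from <placeholder_table_b> to $ext_if port 110 $sf_tcp
pass in quick on $ext_if proto tcp to $ext_if port 113 $sf_tcp
pass in quick on $ext_if proto tcp to $loc_if port 8025 $sf_tcp
pass in quick on $ext_if proto tcp from any port 20 to $ext_if port $ftp_ports user proxy $sf_tcp

# External interface: ICMP incoming connections
pass in quick on $ext_if proto icmp to $ext_if icmp-type $icmp_types $sf_icmp

# External interface: TCP/UDP/ICMP outgoing connections
pass out quick on $ext_if proto tcp all $sf_tcp
pass out quick on $ext_if proto { udp, icmp } all $sf_udp

# All interfaces: block everything by default
block log quick all

#
# *** END (STATEFUL) FIREWALL RULES ***
#######################################


#####################################################
# *** START QUEUE ASSIGNMENTS FOR OUTGOING TRAFFIC ***
#

# Assign packets to a queue.
#pass out on $ext_if from 192.168.0.0/24 to any keep state queue developers
#pass out on $ext_if from 192.168.1.0/24 to any keep state queue marketing

#
# *** END QUEUE ASSIGNMENTS FOR OUTGOING TRAFFIC ***
###################################################
#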