# $FreeBSD: src/etc/pf.conf,v 1.2 2004/09/14 01:07:18 mlaier Exp $
# $OpenBSD: pf.conf,v 1.21 2003/09/02 20:38:44 david Exp $
#
# See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last match
# (a rule carrying "quick" ends evaluation at that rule).
#
# NOTE(review): several rules below read "from to" / "table persist" with no
# table name between the keywords. pf table references are written <name>, and
# the angle-bracketed names appear to have been lost when this file was copied;
# as shown, those lines are not valid pf.conf syntax and pfctl would reject the
# file. Restore each missing <name> from the original before loading - confirm.

# Macros: define common values, so they can be referenced and changed easily.
# External (untrusted) interface; replace with the actual name, e.g. dc0.
ext_if="re0"
# Internal interface; replace with the actual name, e.g. dc1.
# NOTE(review): as written this is the loopback interface, so the
# "pass quick on $int_if all" rule below duplicates "pass quick on lo all".
int_if="lo0"
# Source network that is NATed out through $ext_if.
# NOTE(review): as written this is the loopback address, so the nat rule below
# is unlikely to match any traffic leaving $ext_if - confirm the intended
# internal network.
internal_net="127.0.0.1"
#external_addr="192.168.0.1"
# NOTE(review): external_addr is defined but not referenced by any active rule
# in this file (it is only mentioned in the rdr commentary below).
external_addr="51.128.84.201"
# NOTE(review): the "3690 = svn" remark does not correspond to any port in the
# service lists below; it looks like a leftover from an earlier edit.
# 3690 = svn
# TCP ports reachable from anywhere on $ext_if (see the "public services"
# filter rules).
tcp_public_services="{ 22, 25, 80, 443 }"
# UDP ports reachable from anywhere on $ext_if.
# NOTE(review): this list mirrors the TCP list; 22, 25 and 80 are TCP services,
# so opening them on UDP exposes ports with no corresponding listener here and
# is probably unintended - confirm which UDP services are actually offered.
udp_public_services="{ 22, 25, 80, 443 }"
# TCP/UDP ports reachable only from the (missing) source table in the
# "private services" rules below.
tcp_priv_services="{ 20, 21, 110, 8009 }"
udp_priv_services="{ 20, 21, 110, 8009 }"

# Tables: similar to macros, but more flexible for many addresses.
# (Example kept commented out; its <name> was also lost in copying.)
#table { 10.0.0.0/8, !10.1.0.0/16, 192.168.0.0/24, 192.168.1.18 }

# Options: tune the behavior of pf, default values are given.
# Timeouts are in seconds.
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
# adaptive.start/end of 0 leave adaptive timeout scaling off.
set timeout { adaptive.start 0, adaptive.end 0 }
# Upper bounds on the state and fragment tables (memory-pool sizes).
set limit { states 10000, frags 5000 }
set loginterface none
set optimization normal
# Blocked packets are silently dropped (no TCP RST / ICMP unreachable).
set block-policy drop
set require-order yes
set fingerprints "/etc/pf.os"

# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all

# Translation: specify how addresses are to be mapped or redirected.
# nat: packets going out through $ext_if with source address $internal_net will
# get translated as coming from the address of $ext_if, a state is created for
# such packets, and incoming packets will be redirected to the internal address.
nat on $ext_if from $internal_net to any -> ($ext_if)
# rdr: packets coming in on $ext_if with destination $external_addr:1234 will
# be redirected to 10.1.1.1:5678. A state is created for such packets, and
# outgoing packets will be translated as coming from the external address.
# rdr outgoing FTP requests to the ftp-proxy
#rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
# spamd-setup puts addresses to be redirected into a table (its <name> was lost
# in copying; presumably the spamd table - verify against the original).
#table persist
#no rdr on { lo0, lo1 } from any to any
#rdr inet proto tcp from to any port smtp -> 127.0.0.1 port 8025

# Filtering: the implicit first two rules are
# pass in all
# pass out all
#pass quick in on pcn0 from any to any
# Loopback traffic is never filtered.
pass quick on lo all
#pass quick in on pcn0 all
# Internal interface is trusted entirely (see the int_if note above).
pass quick on $int_if all

# block all incoming packets but allow ssh, pass all outgoing tcp and udp
# connections and keep state, logging blocked packets.
# Default-deny for inbound traffic on every interface; later "pass" rules
# (last match wins) open specific holes.
block in log all

# ICMP: these rules carry no direction and no interface ("all"), so they pass
# the listed types both inbound and outbound on every interface, including
# echo requests (ping) from any source on $ext_if. They also do not use
# "keep state".
#pass icmp
#pass in on $ext_if proto icmp all icmp-type all
pass inet proto icmp all icmp-type echorep
pass inet proto icmp all icmp-type echoreq
pass inet proto icmp all icmp-type unreach
pass inet proto icmp all icmp-type timex

#pass public services
# Open the public service ports on $ext_if to any source, stateful.
pass in on $ext_if proto tcp from any to $ext_if port $tcp_public_services keep state
pass in on $ext_if proto udp from any to $ext_if port $udp_public_services keep state

#pass private services
# Open the private service ports only to sources in a table whose <name> is
# missing here (see the NOTE at the top of the file).
pass in on $ext_if proto tcp from to $ext_if port $tcp_priv_services keep state
pass in on $ext_if proto udp from to $ext_if port $udp_priv_services keep state

# All outbound TCP/UDP from this host is allowed, stateful.
pass out on $ext_if proto { tcp, udp } all keep state

# pass incoming packets destined to the addresses given in a table
# (its <name> was lost in copying).
#pass in on $ext_if proto { tcp, udp } from any to port 80 keep state
# pass incoming ports for ftp-proxy
#pass in on $ext_if inet proto tcp from any to $ext_if user proxy keep state

# SSH brute-force blocklist: a persistent table loaded from a file, and a
# "quick" rule that drops SSH from listed sources before the public-services
# pass rule above (which includes port 22) can match. Nothing in this file adds
# entries to the table; presumably an external tool maintains the file or uses
# pfctl -t to update it - confirm. The table's <name> is missing here.
table persist file "/usr/local/etc/bruteforce"
block in quick proto tcp from to any port ssh