FreeBSD Bugzilla – Attachment 162668 Details for Bug 204186: Panic in pf_normalize_ip (netpfil/pf/pf_norm.c:1349)
pf.conf

Description: pf.conf
Filename: pf.conf
MIME Type: text/plain
Creator: ziyanm
Created: 2015-11-01 07:12:03 UTC
Size: 2.55 KB
# $FreeBSD: src/share/examples/pf/faq-example1,v 1.2.2.1.4.1 2010/06/14 02:09:06 kensmith Exp $

# To add a new service you need to add an rdr rule for the appropriate port.
# See the www and mail examples below. Check the rules with 'pfctl -gnvf /etc/pf.conf' first!

# macros
ext_if="igb3"
#int_if="igb0"
int_if="{ igb0, igb3.19 }"
jailnet="127.40.0.0/16"
table <seranet> const { 10.40.0.0/16, 172.16.0.0/16, 111.222.40.0/26, 111.222.42.0/27 }

# options
#set debug misc
#set state-policy if-bound
set block-policy return
set skip on { lo0, lo1 }
set loginterface $ext_if

# Sanitise
scrub on $ext_if no-df reassemble tcp
scrub in on $int_if no-df fragment crop

# Port redirection for public services
rdr on $ext_if proto tcp to $ext_if port { http, https } -> nginx.local
rdr on $ext_if proto tcp to $ext_if port { imap, imaps } -> dovecot.local
rdr on $ext_if proto tcp to $ext_if port { smtp, submission } -> postfix.local
rdr on $ext_if proto tcp to port ssh -> debian
#redmine test instance
rdr pass on $int_if proto tcp to port 3000 -> 127.40.18.3

# NAT for jail internet access
nat on $ext_if from $jailnet -> $ext_if:0

# Filter rules
antispoof quick for $ext_if

# Outgoing traffic
pass out quick on $int_if to <seranet>
pass out quick on $int_if proto udp to port { bootpc, mdns }
#block out log quick on $ext_if to { <seranet> no-route }
pass out quick on $ext_if proto { udp, tcp } from self modulate state
pass out quick on $ext_if inet6 proto { udp, tcp } from self

# Incoming traffic
block drop in log quick on $ext_if from { urpf-failed no-route }

# ssh brute-force prevention
table <bruteforce> persist
block drop log quick from <bruteforce>

# Publicly available services
pass in quick proto tcp to (self) port { 222, ssh } synproxy state \
    (source-track rule, max-src-conn 3, max-src-conn-rate 5/30, overload <bruteforce> flush global)
pass in quick proto tcp to (self) port { http, https, imap, imaps, smtp, submission } modulate state

# Private services only available on-campus
pass in quick on $int_if proto { tcp, udp } from <seranet> to port { domain, nfsd, sunrpc }
pass in quick on $int_if proto tcp from <seranet> to port { ldap, ldaps, postgresql }
pass in quick on $int_if proto udp from <seranet> to port { ntp, radius }

# Broadcast and multicast traffic
pass in quick on $int_if proto udp to port { bootps, tftp }
pass in quick on $int_if proto { tcp, udp } to 224.0.0.251 port mdns

#ICMP(6)
pass quick inet proto icmp all icmp-type { unreach, echoreq }
pass quick inet proto igmp all allow-opts
pass quick on $ext_if inet6 proto icmp6 all

block return log #(user)
Attachments on bug 204186: 162667 | 162668