FreeBSD Bugzilla – Attachment 207418 Details for
Bug 240532
pf stops purging IPv6 FIN_WAIT_2 states?
Attachment 207418: pf.conf
pf.conf (text/plain), 2.55 KB, created by Peter Eriksson on 2019-09-12 11:23:23 UTC
Description: pf.conf
```conf
# /etc/pf.conf

PIF=lagg0
MIF=igb1

# table <fail2ban> persist counters
table <blocked> persist counters file "/etc/pf.blocked"

table <mgmtnet> const { 10.4.4.0/24, 130.236.16.0/24, 2001:6b0:17:f002::/64 }
table <liunet> const { 130.236.0.0/16, 10.128.0.0/9, 2001:6b0:17::/48 }

table <dns> const { 130.236.1.9, 130.236.1.10, 130.236.1.11, 2001:6b0:17:f000::9 }
table <foc> const { 130.236.3.67, 130.236.3.219, 2001:6b0:17:f003::67, 2001:6b0:17:f003::219 }
table <fsnet> const { 130.236.8.32/27, 130.236.8.240/29, 2001:6b0:17:2400::/64, 2001:6b0:17:2401::/64 }

set skip on lo0

# drop = blackhole packets, return = send ICMP reply
set block-policy drop

# Increase the state limits
set limit { states 60000, frags 30000, src-nodes 30000 }


# Always allow SSH from LiU-IT @ G (just in case...)
pass in quick proto tcp from <mgmtnet> to any port ssh

# Allow all FSNET servers (without connection tracking)
pass out quick from any to <fsnet> no state
pass in quick from <fsnet> to any no state

# Allow everything initiated by us
pass out quick from any to any keep state

# Allow DNS (without connection tracking)
pass out quick from any to <dns> no state
pass in quick from <dns> to any no state


# Block everything else not explicitly allowed
block in all

# Fail2ban
anchor "f2b/*"

# Blocked hosts from /etc/pf.blocked
block in quick inet from <blocked> to any


# Allow our local networks
pass in quick on $MIF from <mgmtnet> to any

# SFTP / SSH
pass in quick proto tcp from <liunet> to port 22

# NFS
pass in quick proto tcp from <liunet> to port 111
pass in quick proto udp from <liunet> to port 111
pass in quick proto tcp from <liunet> to port 2049
pass in quick proto udp from <liunet> to port 2049

#Samba
pass in quick proto tcp from <liunet> to port 445

#Rsyncd
pass in quick proto tcp from <liunet> to port 873



# Munin

# Allow connection to munin from local subnet
pass in quick proto tcp from <fsnet> to any port 4949

# Filifjonkan munin
pass in quick proto tcp from <foc> to any port 4949

# Allow ICMP & ICMP6
pass in quick proto icmp
pass in quick proto icmp6

# Allow NTP
pass in quick proto udp from any to any port ntp

# Allow NRPE from Filifjonkan
pass in quick proto tcp from <foc> to any port 5666

# Allow Grafana-RRD from foc
pass in quick proto tcp from <foc> to any port 9000


# Return ICMP rejects for certain protocols in order to
# make IPv6 -> IPv4 fallback quicker (VPN split-tunnel problem)
block return quick proto tcp to port 22
block return quick proto tcp to port 445
block return quick proto tcp to port 2049
```
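The bug this attachment belongs to is about pf apparently not purging IPv6 FIN_WAIT_2 states on a host running the ruleset above. The script below is an added example, not part of the bug report and not the reporter's code: it summarises `pfctl -ss` output by address family and TCP state so a build-up of IPv6 FIN_WAIT_2 states can be counted rather than eyeballed. It assumes the usual `pfctl -ss` line layout (`ifname proto endpoint <-|-> endpoint   state:state`, IPv4 endpoints as `addr:port`, IPv6 endpoints as `addr[port]`); the sample lines are constructed for the example, not captured from the reporter's host.

```shell
#!/bin/sh
# Added example (not from bug 240532 or the reporter's pf.conf): count pf
# state-table entries per address family and TCP state, to measure whether
# IPv6 FIN_WAIT_2 states keep accumulating.
#
# Assumption: each `pfctl -ss` line reads
#   <ifname> <proto> <endpoint> <-|->|<-> <endpoint>   <src-state>:<dst-state>
# with IPv4 endpoints as addr:port and IPv6 endpoints as addr[port].

# Constructed sample of `pfctl -ss` output (not captured from a real host).
SAMPLE_STATES='all tcp 130.236.8.40:22 <- 130.236.1.5:51234       ESTABLISHED:ESTABLISHED
all tcp 130.236.8.40:22 <- 130.236.1.6:51235       FIN_WAIT_2:FIN_WAIT_2
all tcp 2001:6b0:17:2400::40[22] <- 2001:6b0:17:f003::67[40000]       FIN_WAIT_2:FIN_WAIT_2
all tcp 2001:6b0:17:2400::40[22] <- 2001:6b0:17:f003::219[40001]       FIN_WAIT_2:FIN_WAIT_2
all tcp 2001:6b0:17:2400::40[445] <- 2001:6b0:17:f003::67[40002]       ESTABLISHED:ESTABLISHED
all udp 130.236.8.40:123 -> 130.236.1.9:123       MULTIPLE:MULTIPLE'

# count_states FAMILY STATE
# Reads `pfctl -ss` lines on stdin and prints how many tcp entries of address
# family FAMILY (inet or inet6) have both sides in STATE.
count_states() {
    awk -v fam="$1" -v st="$2" '
        BEGIN { want = st ":" st }
        $2 != "tcp" { next }
        # An IPv6 endpoint carries its port in brackets; IPv4 uses a colon.
        { f = ($3 ~ /\[/) ? "inet6" : "inet" }
        f == fam && $NF == want { n++ }
        END { print n + 0 }
    '
}

# state_summary
# Reads `pfctl -ss` lines on stdin and prints "family state count" for every
# tcp family/state pair seen, sorted, so two snapshots taken a few minutes
# apart can be diffed to see which bucket only ever grows.
state_summary() {
    awk '
        $2 != "tcp" { next }
        { f = ($3 ~ /\[/) ? "inet6" : "inet"; split($NF, s, ":"); c[f " " s[1]]++ }
        END { for (k in c) print k, c[k] }
    ' | sort
}

# Stand-alone run on the constructed sample; on a live pf host replace the
# printf with `pfctl -ss`.
printf '%s\n' "$SAMPLE_STATES" | state_summary
printf 'IPv6 FIN_WAIT_2 states: %s\n' \
    "$(printf '%s\n' "$SAMPLE_STATES" | count_states inet6 FIN_WAIT_2)"
```

Run it twice against a live host a few minutes apart (`pfctl -ss | state_summary`) and compare: with the ruleset above, stateless (`no state`) rules never create entries, so whatever grows in the `inet6 FIN_WAIT_2` bucket comes from the `keep state` outbound rule or the implicit state on the inbound `pass` rules, and `pfctl -st` shows the `tcp.finwait` timeout those entries should be expiring under.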