Attachment 246120 Details for Bug 274915 – pf.conf that triggers it

pf.conf that triggers it

pf.conf (text/plain), 57.80 KB, created by Dave Cottlehuber on 2023-11-04 18:01:27 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Dave Cottlehuber

Created: 2023-11-04 18:01:27 UTC

Size: 57.80 KB

patch

obsolete

>
>
>
><!DOCTYPE html>
><html>
><head>
> <title>dpaste/e0Yar (Python)</title>
> <meta name="viewport" content="width=device-width, initial-scale=1.0"/>
> <meta name="robots" content="noindex, nofollow"/>
> <style type="text/css">html,body,p{margin:0;padding:0;border:0;font-size:100%;vertical-align:baseline}body{line-height:1}body{font-family:"Avenir Next","Helvetica Neue",Helvetica,Arial;font-weight:400;background-color:#222829}body[code-page]{background-color:#fff}body[text-page]{background-color:#fff}body[data-platform=win] .platform-mac{display:none}body[data-platform=mac] .platform-win{display:none}.btn{padding:6px 0;position:relative;display:inline-block;color:#fff;background-color:#4a90e2;border:1px solid #33639c;border-radius:3px;font-size:13px;font-weight:500;text-decoration:none;text-align:center;cursor:pointer}.btn .sep{width:0;border-right:2px dotted #fff;margin:0 6px 0 4px}.btn:hover{text-decoration:none;background-color:#3483de}.btn:active{top:1px}.confirm-modal{background-color:#fff9a8;color:#6d6d6d;overflow:hidden;max-height:0;transition:max-height .15s ease-in}.confirm-modal a:link,.confirm-modal a:visited{color:#4a90e2;text-decoration:underline;text-decoration-color:#cee1f7}.confirm-modal a:hover,.confirm-modal a:active{color:#72b4e4;text-decoration:underline}.confirm-modal form{padding:20px 30px 20px 30px;display:block}.confirm-modal .btn{padding:6px 15px;margin:0 10px}.confirm-modal .no{font-size:13px}.confirm-modal:target{max-height:80px}header{padding:0 30px 0 30px;height:60px;display:flex;justify-content:space-between;align-items:center;color:#fff;background-color:#4a90e2}header.sub{height:45px}header a{display:inline-block;color:#fff;text-decoration:none;text-align:center;font-weight:600}header a:hover{text-decoration:underline}header a.home{font-size:28px;font-weight:700}header a.nav-link{width:80px}header .btn{width:120px;margin-left:10px}header h1{position:relative;font-size:24px;font-weight:600}header h1 strong{font-size:28px;font-weight:700}header h2{font-size:16px;font-weight:600}ul#snippetOptions{padding:0 30px 0 30px;margin:0;height:40px;background-color:#f9f9f9;color:#bababa;font-size:13px;font-weight:400;display:flex;align-items:center}ul#snippetOptions a:link,ul#snippetOptions a:visited{color:#bababa;text-decoration:underline}ul#snippetOptions a:hover,ul#snippetOptions a:active{color:#72b4e4;text-decoration:underline}ul#snippetOptions strong{font-weight:600}ul#snippetOptions li{margin:0;padding:0 7px;list-style:none}ul#snippetOptions li:first-child{padding-left:0}ul#snippetOptions li:last-child{padding-right:0}ul#snippetOptions li.sep{width:0;border-right:2px dotted #bababa;margin:0 6px 0 4px;height:17px;margin:0 2px 0 1px;padding:0}#copyToClipboardField{position:absolute;left:-9999px}#copyToClipboard svg{height:30px;position:absolute;top:-8px;right:-40px}#copyToClipboard svg:active{top:-7px}.snippet-message{padding:20px 30px 0 30px;padding:8px 20px;max-width:660px;color:#fff;background-color:#f5a623;font-size:14px;font-weight:500}#copySnippetSource{width:0;position:absolute;left:-9999px}@media only screen and (max-width: 700px){.option-type,.sep,.option-edit,.option-slim{display:none}#copyHeadline{display:none}}#edit{display:none}.snippet-form{box-sizing:border-box;background-color:#fff}@media only screen and (min-width: 700px){.snippet-form{padding:15px 30px;display:grid;grid-template:"a b c d" "e e e e";grid-template-columns:1fr 1fr 1fr 10fr;align-items:center}.snippet-form .form-textarea{height:70vh;display:flex;flex-direction:column;align-items:stretch;border-top:1px solid #ededed;margin-top:15px;padding-top:15px}.snippet-form .form-action{justify-self:end}}@media only screen and (max-width: 699px){.snippet-form{padding:10px;display:grid;justify-content:space-between;grid-template:"a b" "c c" "e e" "d d";align-items:center}.snippet-form .form-expire select{margin-right:0}.snippet-form .form-action{justify-self:start}.snippet-form p{padding:4px 0}}.snippet-form .form-lexer{grid-area:a}.snippet-form .form-expire{grid-area:b}.snippet-form .form-rtl{grid-area:c;white-space:nowrap}.snippet-form .form-textarea{grid-area:e}.snippet-form .form-action{grid-area:d}.snippet-form .form-action .btn{width:auto;padding:6px 20px}.snippet-form label{display:none;font-size:13px}.snippet-form .form-rtl label{display:inline}.snippet-form select{-moz-appearance:none;-webkit-appearance:none;padding:5px 7px;margin-right:15px;min-width:160px;color:#858585;background-color:#fff;border:1px solid #ddd;border-radius:3px;font-family:"Avenir Next","Helvetica Neue",Helvetica,Arial;font-weight:400;font-size:14px;cursor:pointer;background-image:linear-gradient(45deg, transparent 50%, #4A90E2 50%),linear-gradient(135deg, #4A90E2 50%, transparent 50%);background-position:calc(100% - 18px) 13px,calc(100% - 13px) 13px,calc(100% - 2.5em) .5em;background-size:5px 5px,5px 5px,3px 1.5em;background-repeat:no-repeat}.snippet-form select:hover{border-color:#c4c4c4}.snippet-form textarea{padding:20px;color:#7d7d7d;font-family:"SF Mono","Fira Mono",Monaco,Menlo,Consolas,monospace;font-size:12px;line-height:17px;box-sizing:border-box;width:100%;height:100%;border:1px solid #ededed}.snippet-form textarea:active,.snippet-form textarea:focus{border-color:#c4c4c4}.snippet-text{background-color:#fff}article{padding:30px 30px 40px 30px;font-size:16px;font-weight:400;line-height:24px;word-break:break-word;color:#7d7d7d;max-width:600px}article a:link,article a:visited{color:#4a90e2;text-decoration:underline;text-decoration-color:#cee1f7}article a:hover,article a:active{color:#72b4e4;text-decoration:underline}article .first-item{margin-top:0}article h1,article h2,article h3,article h4,article h5,article h6{font-weight:400;line-height:1.3em}article p{margin:10px 0 20px 0}article strong,article b{font-weight:500}article table{margin:20px 0;border:1px solid #ededed;border-collapse:collapse}article table td,article table th{border:1px solid #ededed;padding:5px 10px}article hr{border:0;height:1px;background-color:#d4d4d4}article pre{font-family:"SF Mono","Fira Mono",Monaco,Menlo,Consolas,monospace;font-size:13px;font-weight:300;background-color:#f8f8f8;padding:10px}article blockquote{font-style:italic}article dl p,article ul p,article ol p,article table p{margin:0}.snippet-text article h1,.snippet-text article h2,.snippet-text article h3,.snippet-text article h4,.snippet-text article h5,.snippet-text article h6{padding-bottom:5px;border-bottom:1px solid #ededed}.snippet-text article .admonition{padding:10px 10px;margin:20px 0;background-color:#f9f9f9}.snippet-text article .admonition .admonition-title{margin:0;font-weight:600}.snippet-text article .admonition p{margin:20px 0 0 0}.snippet-text article .problematic{background-color:#fff9a8}.snippet-text article .system-message{background-color:#fff9a8;border:2px dashed #ffee0f;padding:10px 20px;margin:20px 0}.snippet-text article .system-message p{margin:10px 0}.snippet-diff{color:#dadad4;background-color:#222829}.snippet-diff h2{margin:0;padding:20px 30px 20px 30px;color:#dadad4;font-weight:500;font-size:14px}.snippet-diff .snippet-code{padding:10px 30px 10px 30px;background-color:#2a3335;white-space:pre;font-size:12px}.snippet-code{padding:20px 30px 20px 30px;font-family:"SF Mono","Fira Mono",Monaco,Menlo,Consolas,monospace;font-size:13px;font-weight:300;line-height:20px;color:#dadad4;background-color:#222829}.snippet-code.wordwrap{overflow:auto}.snippet-code.wordwrap li{white-space:pre-wrap !important}.snippet-code ol{margin:0;padding:0;position:relative;list-style:none;counter-reset:lineNumberCounter}.snippet-code ol li{margin:0;padding:0;white-space:pre;padding-left:50px}.snippet-code ol li:before{color:#636363;counter-increment:lineNumberCounter;content:counter(lineNumberCounter);text-align:right;width:30px;position:absolute;display:inline-block;left:0px}.snippet-code ol li.marked{background-color:rgba(255,255,255,.05)}.snippet-code ol li.marked:before{color:gold}.snippet-code .gd{background-color:#473335;color:#f8f8f2;display:inline-block;width:100%;margin:0 -10px;padding:0 10px}.snippet-code .gi{background-color:#2d4a39;color:#f8f8f2;display:inline-block;width:100%;margin:0 -10px;padding:0 10px}.snippet-code .hll{background-color:#49483e}.snippet-code .c{color:#75715e}.snippet-code .err{color:#960050;background-color:#1e0010}.snippet-code .k{color:#66d9ef}.snippet-code .l{color:#ae81ff}.snippet-code .n{color:#f8f8f2}.snippet-code .o{color:#f92672}.snippet-code .p{color:#f8f8f2}.snippet-code .cm{color:#75715e}.snippet-code .cp{color:#75715e}.snippet-code .c1{color:#75715e}.snippet-code .cs{color:#75715e}.snippet-code .ge{font-style:italic}.snippet-code .gs{font-weight:bold}.snippet-code .kc{color:#66d9ef}.snippet-code .kd{color:#66d9ef}.snippet-code .kn{color:#f92672}.snippet-code .kp{color:#66d9ef}.snippet-code .kr{color:#66d9ef}.snippet-code .kt{color:#66d9ef}.snippet-code .ld{color:#e6db74}.snippet-code .m{color:#ae81ff}.snippet-code .s{color:#e6db74}.snippet-code .na{color:#a6e22e}.snippet-code .nb{color:#f8f8f2}.snippet-code .nc{color:#a6e22e}.snippet-code .no{color:#66d9ef}.snippet-code .nd{color:#a6e22e}.snippet-code .ni{color:#f8f8f2}.snippet-code .ne{color:#a6e22e}.snippet-code .nf{color:#a6e22e}.snippet-code .nl{color:#f8f8f2}.snippet-code .nn{color:#f8f8f2}.snippet-code .nx{color:#a6e22e}.snippet-code .py{color:#f8f8f2}.snippet-code .nt{color:#f92672}.snippet-code .nv{color:#f8f8f2}.snippet-code .ow{color:#f92672}.snippet-code .w{color:#f8f8f2}.snippet-code .mf{color:#ae81ff}.snippet-code .mh{color:#ae81ff}.snippet-code .mi{color:#ae81ff}.snippet-code .mo{color:#ae81ff}.snippet-code .sb{color:#e6db74}.snippet-code .sc{color:#e6db74}.snippet-code .sd{color:#e6db74}.snippet-code .s2{color:#e6db74}.snippet-code .se{color:#ae81ff}.snippet-code .sh{color:#e6db74}.snippet-code .si{color:#e6db74}.snippet-code .sx{color:#e6db74}.snippet-code .sr{color:#e6db74}.snippet-code .s1{color:#e6db74}.snippet-code .ss{color:#e6db74}.snippet-code .bp{color:#f8f8f2}.snippet-code .vc{color:#f8f8f2}.snippet-code .vg{color:#f8f8f2}.snippet-code .vi{color:#f8f8f2}.snippet-code .il{color:#ae81ff}.history-header{padding:15px 30px 15px 30px;margin:0;color:#7d7d7d;font-size:14px;font-weight:400;background-color:#ededed}.history-header a:link,.history-header a:visited{font-weight:500;color:#7d7d7d;text-decoration:underline}.history-header a:hover,.history-header a:active{color:#72b4e4;text-decoration:underline}.history-header .sep{width:0;border-right:2px dotted #bababa;margin:0 12px 0 10px;height:17px;padding:0}.history-empty{padding:40px 30px 40px 30px;color:#7d7d7d}
></style>
> 
> 
> <style type="text/css">
> header{ background: linear-gradient(to right, #2a3457, #26304f); }
> .feature-message { margin: 10px 30px 39px 30px; color: #8c8c8c; font-size: 14px; line-height: 22px; }
> .btn { background-color: #232d48; }
> .btn:hover { background-color: #1A2035; }
> </style>
> 
></head>
><body >
>
>
><header>
> <h1>
> <div id="copyHeadline">
> <a href="https://dpaste.org/e0Yar">https://dpaste.org/e0Yar</a>
> <a href="#" id="copyToClipboard" title="Copy URL to clipboard">
> <svg fill="#FFF" viewBox="0 0 100 100" xmlns="http://www.w3.org/2000/svg">
> <path d="M40.965 6c5.137 0 9.273 3.988 9.8 9h1.188c3.14 0 5.809 2.125 6.68 5h2.309c4.39 0 7.988 3.766 7.988 8.188V55h15.98-.004a1.99 1.99 0 0 1 1.574.652c.356.39.543.91.516 1.441A1.995 1.995 0 0 1 84.906 59h-15.98v26.812c0 4.422-3.598 8.188-7.988 8.188h-39.95C16.598 94 13 90.234 13 85.812V28.186C13 23.765 16.598 20 20.99 20h2.308c.871-2.875 3.54-5 6.68-5h1.187c.528-5.012 4.66-9 9.801-9zm0 4a5.968 5.968 0 0 0-5.992 6v1a2 2 0 0 1-2 2h-2.996c-1.696 0-2.996 1.305-2.996 3s1.3 3 2.996 3H51.95c1.695 0 2.996-1.305 2.996-3s-1.301-3-2.996-3h-2.996a1.998 1.998 0 0 1-1.996-2v-1c0-3.336-2.66-6-5.993-6zm19.973 14h-2.309c-.87 2.875-3.539 5-6.68 5H29.978c-3.14 0-5.809-2.125-6.68-5h-2.309c-1.968 0-3.996 2.05-3.996 4.188v57.624c0 2.137 2.024 4.188 3.996 4.188h39.95c1.968 0 3.996-2.05 3.996-4.188v-26.81H46.176l6.117 5.5c.828.742.894 2.015.156 2.843a2.01 2.01 0 0 1-2.84.157l-9.988-9a2 2 0 0 1 0-3l9.988-9a2.005 2.005 0 0 1 1.465-.532 2.002 2.002 0 0 1 1.219 3.532L46.175 55h18.758V28.189c0-2.137-2.027-4.188-3.996-4.188z"/>
> </svg>
> </a>
> <input type="text" id="copyToClipboardField" value="https://dpaste.org/e0Yar"/>
> </div>
></h1>
> <nav>
> <a class="nav-link" href="/about/">About</a>
> <a class="nav-link" href="/history/">History</a>
> <a class="btn" href="/">New snippet</a>
> </nav>
></header>
>
>
>
> <ul id="snippetOptions">
> <li class="option-type">
> Python
> 
> Expires in: 23Â hours, 59Â minutes
> 
> </li>
> <li class="sep"></li>
> <li class="option-delete">
> <a href="#delete">Delete Now</a>
> </li>
> 
> <li class="option-raw"><a href="/e0Yar/raw">Raw</a></li>
> 
> <li class="option-slim"><a href="/e0Yar/slim">Slim</a></li>
> <textarea id="copySnippetSource"># /etc/pf.conf
># macros
>protocols = &quot;{ tcp, udp }&quot;
>blocked_ports = &quot;{ syslog, epmd, amqp, couchdb }&quot;
>tcp_services = &quot;{ domain, http, rsync, 1935, https, smtp, 2200,
>couchdb, amqp, 1973, 2008, 2010, 4000, 5000, 5050, 5900, 6600, 7000, 8000, 8008, 9000, bgp,
>1179, 25565, 9333, 9334, 9335, 9993, 42853, 2049, 10090 }&quot;
>udp_services = &quot;{ domain, 9000, 9993, 42853, 21027, 3478, 30000, 26000 7777,7778,7779, 54321, vxlan }&quot;
>plex_services	= &quot;{ 4444, 32400, 1900, 3005, 5353, 8324, 32469, 32410, 32412, 32413, 32414 }&quot;
># https://help.ubnt.com/hc/en-us/articles/218506997-UniFi-Ports-Used
>unifi_services	= &quot;{ 1900, 8443, 10001, 3478, 8080 }&quot;
>koan_services	= &quot;{ http, https, amqp, 4000, 4003, 8000 }&quot;
>martians = &quot;{ 127.0.0.0/8, 192.168.0.0/16, \
> 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
> 0.0.0.0/8 }&quot;
>icmp4_types	= &quot;{ echoreq, unreach }&quot;
>icmp6_types	= &quot;{ echoreq, unreach, neighbradv, neighbrsol, routeradv, routersol }&quot;
>
>zerotier	= &quot;{ 9990:9999, 42853 }&quot;
>dhcp		= &quot;{ bootpc, bootps, tftp, dhcpv6-client, dhcpv6-server }&quot;
>
># interfaces
>extl_if = &quot;igb0&quot;
># for bastille not to complain
>ext_if = $extl_if
>intl_if = &quot;lo0&quot;
>jail_if = &quot;lo1&quot;
>hive_if = &quot;vm-public&quot;
>koan_if = &quot;ztagim5o45dhe4c&quot;
>zero_if = &quot;zt1flo98dm17np8&quot;
>bridge = &quot;{ tap0, tap1, igb0, vm-public }&quot;
>
># networks
>internet = $extl_if:network
>intl_net = $intl_if:network
>jail_net = $jail_if:network
>hive_net = $hive_if:network
>zero_net = $zero_if:network
>zero_net = &quot;{ fc7b:c4d6:6be2:8e50:6c98::/40 }&quot;
>koan_net = &quot;{ fca2:927d:4de2:8e50:6c98::/40 }&quot;
>local_net= &quot;172.16.0.0/16&quot;
>hive_net = &quot;172.16.0.0/16&quot;
>
># limits
># bigger state tables help erlang receive sockets faster
># https://blog.tyk.nu/blog/fun-with-freebsd-listen-queue-overflow/
>set limit { states 200000, frags 40000, src-nodes 40000 }
>set timeout { adaptive.start 180000, adaptive.end 200000 }
>
># trusted nets and devices
>set skip on { $intl_if, $jail_if }
>set skip on { $zero_if, $koan_if }
>
>
># tables
>table &lt;badhosts&gt; persist file &quot;/etc/pf.blocklist&quot;
>
># clean packets are happy packets
>scrub in on $extl_if all fragment reassemble
># scrub all reassemble tcp -- breaks VMs
># scrub log all reassemble tcp
>
># jails are allowed outbound connections but not inbound
># these should be set up explicitly using spiped or similar
># nat on $extl_if inet from !($extl_if) -&gt; ($extl_if:0)
>nat on $extl_if inet from $jail_net -&gt; ($extl_if:0)
># bastille0
># nat on $extl_if from &lt;jails&gt; to any -&gt; ($extl_if:0)
># enable jail redirection
>table &lt;jails&gt; persist file &quot;/etc/pf.jails&quot;
>rdr-anchor &quot;jails/*&quot;
>
># minecraft
>#rdr on $extl_if proto { tcp } from any to $extl_if port 25565 -&gt; 100.64.0.153 port 25565
>#rdr on $extl_if proto { tcp } from any to $extl_if port 8008 -&gt; 100.64.0.110 port 8008
>
># block by default
># block in log all
>
># ipv6 tunnel
>pass in quick on $extl_if proto icmp6 all
>pass out quick on $extl_if inet proto {udp, tcp} from any to any keep state
>pass out quick on $extl_if inet6 proto {udp, tcp} from any to any keep state
># dhcp etc for bridged bhyve instances
>pass in quick on $extl_if proto {tcp, udp} from any port $dhcp to any port $dhcp
>pass out quick on $extl_if proto {tcp, udp} from any port $dhcp to any port $dhcp
>
># permit zerotier and ICMP everywhere
>pass in quick on $extl_if proto {udp, tcp} from any to any port $zerotier
>pass in on $extl_if inet proto icmp from any to any
># icmp-type $icmp_types
>pass in on $bridge inet proto icmp from any to any icmp-type $icmp4_types
>
># plex https://support.plex.tv/hc/en-us/articles/201543147-What-network-ports-do-I-need-to-allow-through-my-firewall-
>pass in quick on $extl_if proto $protocols from any to any port $plex_services
>
># but allow legit internal traffic
># pass in quick on $extl_if proto { tcp } from any to any port 25565
>pass in quick on $extl_if proto { tcp } from any to any port $tcp_services
>pass in quick on $extl_if proto { udp } from any to $extl_if port $udp_services
>pass in quick on $extl_if proto { tcp } from any to $extl_if port $tcp_services
>pass in quick on $extl_if proto { tcp } from any to $extl_if port $koan_services
>pass in quick on $extl_if proto $protocols from $local_net to $extl_if
>pass in quick on $extl_if proto { tcp } from $local_net to any port $tcp_services
>pass in quick on $extl_if proto $protocols from $local_net to any port $unifi_services
>pass in quick on $zero_if proto $protocols from $zero_net to any port $unifi_services
>
># outbound
># block drop out quick log on $extl_if proto $protocols from any to 149.56.72.190
>
># bhyve and qemu taps
># dhcp etc for bridged bhyve instances
>pass in quick on $bridge proto udp from any port $dhcp to any port $dhcp
>pass out quick on $bridge proto udp from any port $dhcp to any port $dhcp
>pass in quick on $bridge proto icmp from any to any
># DNS, ZeroTier, and a bunch of stuff I don&#x27;t even know what it is anymore
>pass out quick on $bridge proto udp from any to any port $udp_services
>pass in quick on $bridge proto udp from any port $udp_services to any
># general TCP services are also permitted
>pass in quick on $bridge proto tcp from any to any port $tcp_services
>pass out quick on $bridge proto tcp from any to any port $tcp_services
>pass out on $bridge proto tcp from any to any
>
># you shall not pass
>block drop in log on $extl_if from $martians to any
>block drop out log on $extl_if from any to $martians
>block drop in log on $extl_if proto $protocols from any to any port $blocked_ports
>
># handle script kiddies and other nasties on demand
>block drop in log on $extl_if from &lt;badhosts&gt; to any
>
># o ye of little faith
># pass in log all
># bhyve gets everything
># pass in quick on $extl_if from any to $hive_net
># pass out quick on $extl_if from $hive_net to any
>antispoof for $extl_if inet
>pass out all
></textarea>
> <li class="option-copy"><a href="#copy" id="copySnippetToClipboard">Copy Snippet</a></li>
> <li class="option-edit"><a href="#edit" id="editSnippet">Edit Snippet</a></li>
> 
> <li class="option-wordwrap">
> <label for="wordwrap">
> <input type="checkbox" id="wordwrap"> Wordwrap
> </label>
> </li>
> 
> </ul>
>
> <div id="copy" class="confirm-modal">
> <form method="POST" action="">
> Snippet content copied to clipboard.
> </form>
> </div>
>
> <div id="delete" class="confirm-modal">
> <form method="POST" action="">
> <input type="hidden" name="csrfmiddlewaretoken" value="YTashpf7VBTYDB3cb50lYhhuNPJgG6JrUo9UfWswgGK2PiAe8SjC0hM5G58JXA64">
> Are you sure to delete this snippet?
> <button class="btn" name="delete" value="1" type="submit">Yes, Delete</button>
> <a href="#" class="no">No, don't delete</a>
> </form>
> </div>
>
>
><main>
> 
>
> 
>
> <div class="snippet-code"><ol><li id="l1"># /etc/pf.conf</li><li id="l2"># macros</li><li id="l3">protocols = &quot;{ tcp, udp }&quot;</li><li id="l4">blocked_ports = &quot;{ syslog, epmd, amqp, couchdb }&quot;</li><li id="l5">tcp_services = &quot;{ domain, http, rsync, 1935, https, smtp, 2200,</li><li id="l6">couchdb, amqp, 1973, 2008, 2010, 4000, 5000, 5050, 5900, 6600, 7000, 8000, 8008, 9000, bgp,</li><li id="l7">1179, 25565, 9333, 9334, 9335, 9993, 42853, 2049, 10090 }&quot;</li><li id="l8">udp_services = &quot;{ domain, 9000, 9993, 42853, 21027, 3478, 30000, 26000 7777,7778,7779, 54321, vxlan }&quot;</li><li id="l9">plex_services	= &quot;{ 4444, 32400, 1900, 3005, 5353, 8324, 32469, 32410, 32412, 32413, 32414 }&quot;</li><li id="l10"># https://help.ubnt.com/hc/en-us/articles/218506997-UniFi-Ports-Used</li><li id="l11">unifi_services	= &quot;{ 1900, 8443, 10001, 3478, 8080 }&quot;</li><li id="l12">koan_services	= &quot;{ http, https, amqp, 4000, 4003, 8000 }&quot;</li><li id="l13">martians = &quot;{ 127.0.0.0/8, 192.168.0.0/16, \</li><li id="l14"> 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \</li><li id="l15"> 0.0.0.0/8 }&quot;</li><li id="l16">icmp4_types	= &quot;{ echoreq, unreach }&quot;</li><li id="l17">icmp6_types	= &quot;{ echoreq, unreach, neighbradv, neighbrsol, routeradv, routersol }&quot;</li><li id="l18">&#8203;</li><li id="l19">zerotier	= &quot;{ 9990:9999, 42853 }&quot;</li><li id="l20">dhcp		= &quot;{ bootpc, bootps, tftp, dhcpv6-client, dhcpv6-server }&quot;</li><li id="l21">&#8203;</li><li id="l22"># interfaces</li><li id="l23">extl_if = &quot;igb0&quot;</li><li id="l24"># for bastille not to complain</li><li id="l25">ext_if = $extl_if</li><li id="l26">intl_if = &quot;lo0&quot;</li><li id="l27">jail_if = &quot;lo1&quot;</li><li id="l28">hive_if = &quot;vm-public&quot;</li><li id="l29">koan_if = &quot;ztagim5o45dhe4c&quot;</li><li id="l30">zero_if = &quot;zt1flo98dm17np8&quot;</li><li id="l31">bridge = &quot;{ tap0, tap1, igb0, vm-public }&quot;</li><li id="l32">&#8203;</li><li id="l33"># networks</li><li id="l34">internet = $extl_if:network</li><li id="l35">intl_net = $intl_if:network</li><li id="l36">jail_net = $jail_if:network</li><li id="l37">hive_net = $hive_if:network</li><li id="l38">zero_net = $zero_if:network</li><li id="l39">zero_net = &quot;{ fc7b:c4d6:6be2:8e50:6c98::/40 }&quot;</li><li id="l40">koan_net = &quot;{ fca2:927d:4de2:8e50:6c98::/40 }&quot;</li><li id="l41">local_net= &quot;172.16.0.0/16&quot;</li><li id="l42">hive_net = &quot;172.16.0.0/16&quot;</li><li id="l43">&#8203;</li><li id="l44"># limits</li><li id="l45"># bigger state tables help erlang receive sockets faster</li><li id="l46"># https://blog.tyk.nu/blog/fun-with-freebsd-listen-queue-overflow/</li><li id="l47">set limit { states 200000, frags 40000, src-nodes 40000 }</li><li id="l48">set timeout { adaptive.start 180000, adaptive.end 200000 }</li><li id="l49">&#8203;</li><li id="l50"># trusted nets and devices</li><li id="l51">set skip on { $intl_if, $jail_if }</li><li id="l52">set skip on { $zero_if, $koan_if }</li><li id="l53">&#8203;</li><li id="l54">&#8203;</li><li id="l55"># tables</li><li id="l56">table &lt;badhosts&gt; persist file &quot;/etc/pf.blocklist&quot;</li><li id="l57">&#8203;</li><li id="l58"># clean packets are happy packets</li><li id="l59">scrub in on $extl_if all fragment reassemble</li><li id="l60"># scrub all reassemble tcp -- breaks VMs</li><li id="l61"># scrub log all reassemble tcp</li><li id="l62">&#8203;</li><li id="l63"># jails are allowed outbound connections but not inbound</li><li id="l64"># these should be set up explicitly using spiped or similar</li><li id="l65"># nat on $extl_if inet from !($extl_if) -&gt; ($extl_if:0)</li><li id="l66">nat on $extl_if inet from $jail_net -&gt; ($extl_if:0)</li><li id="l67"># bastille0</li><li id="l68"># nat on $extl_if from &lt;jails&gt; to any -&gt; ($extl_if:0)</li><li id="l69"># enable jail redirection</li><li id="l70">table &lt;jails&gt; persist file &quot;/etc/pf.jails&quot;</li><li id="l71">rdr-anchor &quot;jails/*&quot;</li><li id="l72">&#8203;</li><li id="l73"># minecraft</li><li id="l74">#rdr on $extl_if proto { tcp } from any to $extl_if port 25565 -&gt; 100.64.0.153 port 25565</li><li id="l75">#rdr on $extl_if proto { tcp } from any to $extl_if port 8008 -&gt; 100.64.0.110 port 8008</li><li id="l76">&#8203;</li><li id="l77"># block by default</li><li id="l78"># block in log all</li><li id="l79">&#8203;</li><li id="l80"># ipv6 tunnel</li><li id="l81">pass in quick on $extl_if proto icmp6 all</li><li id="l82">pass out quick on $extl_if inet proto {udp, tcp} from any to any keep state</li><li id="l83">pass out quick on $extl_if inet6 proto {udp, tcp} from any to any keep state</li><li id="l84"># dhcp etc for bridged bhyve instances</li><li id="l85">pass in quick on $extl_if proto {tcp, udp} from any port $dhcp to any port $dhcp</li><li id="l86">pass out quick on $extl_if proto {tcp, udp} from any port $dhcp to any port $dhcp</li><li id="l87">&#8203;</li><li id="l88"># permit zerotier and ICMP everywhere</li><li id="l89">pass in quick on $extl_if proto {udp, tcp} from any to any port $zerotier</li><li id="l90">pass in on $extl_if inet proto icmp from any to any</li><li id="l91"># icmp-type $icmp_types</li><li id="l92">pass in on $bridge inet proto icmp from any to any icmp-type $icmp4_types</li><li id="l93">&#8203;</li><li id="l94"># plex https://support.plex.tv/hc/en-us/articles/201543147-What-network-ports-do-I-need-to-allow-through-my-firewall-</li><li id="l95">pass in quick on $extl_if proto $protocols from any to any port $plex_services</li><li id="l96">&#8203;</li><li id="l97"># but allow legit internal traffic</li><li id="l98"># pass in quick on $extl_if proto { tcp } from any to any port 25565</li><li id="l99">pass in quick on $extl_if proto { tcp } from any to any port $tcp_services</li><li id="l100">pass in quick on $extl_if proto { udp } from any to $extl_if port $udp_services</li><li id="l101">pass in quick on $extl_if proto { tcp } from any to $extl_if port $tcp_services</li><li id="l102">pass in quick on $extl_if proto { tcp } from any to $extl_if port $koan_services</li><li id="l103">pass in quick on $extl_if proto $protocols from $local_net to $extl_if</li><li id="l104">pass in quick on $extl_if proto { tcp } from $local_net to any port $tcp_services</li><li id="l105">pass in quick on $extl_if proto $protocols from $local_net to any port $unifi_services</li><li id="l106">pass in quick on $zero_if proto $protocols from $zero_net to any port $unifi_services</li><li id="l107">&#8203;</li><li id="l108"># outbound</li><li id="l109"># block drop out quick log on $extl_if proto $protocols from any to 149.56.72.190</li><li id="l110">&#8203;</li><li id="l111"># bhyve and qemu taps</li><li id="l112"># dhcp etc for bridged bhyve instances</li><li id="l113">pass in quick on $bridge proto udp from any port $dhcp to any port $dhcp</li><li id="l114">pass out quick on $bridge proto udp from any port $dhcp to any port $dhcp</li><li id="l115">pass in quick on $bridge proto icmp from any to any</li><li id="l116"># DNS, ZeroTier, and a bunch of stuff I don&#39;t even know what it is anymore</li><li id="l117">pass out quick on $bridge proto udp from any to any port $udp_services</li><li id="l118">pass in quick on $bridge proto udp from any port $udp_services to any</li><li id="l119"># general TCP services are also permitted</li><li id="l120">pass in quick on $bridge proto tcp from any to any port $tcp_services</li><li id="l121">pass out quick on $bridge proto tcp from any to any port $tcp_services</li><li id="l122">pass out on $bridge proto tcp from any to any</li><li id="l123">&#8203;</li><li id="l124"># you shall not pass</li><li id="l125">block drop in log on $extl_if from $martians to any</li><li id="l126">block drop out log on $extl_if from any to $martians</li><li id="l127">block drop in log on $extl_if proto $protocols from any to any port $blocked_ports</li><li id="l128">&#8203;</li><li id="l129"># handle script kiddies and other nasties on demand</li><li id="l130">block drop in log on $extl_if from &lt;badhosts&gt; to any</li><li id="l131">&#8203;</li><li id="l132"># o ye of little faith</li><li id="l133"># pass in log all</li><li id="l134"># bhyve gets everything</li><li id="l135"># pass in quick on $extl_if from any to $hive_net</li><li id="l136"># pass out quick on $extl_if from $hive_net to any</li><li id="l137">antispoof for $extl_if inet</li><li id="l138">pass out all</li></ol></div>
>
>
> <div id="edit">
> <header class="sub">
> <h2>Edit this Snippet</h2>
> </header>
>
> 
>
><form method="post" action="" class="snippet-form ">
> <input type="hidden" name="csrfmiddlewaretoken" value="YTashpf7VBTYDB3cb50lYhhuNPJgG6JrUo9UfWswgGK2PiAe8SjC0hM5G58JXA64">
> 
>
> <input type="text" name="title" autocomplete="off" id="id_title"> 
>
> 
> <label for="id_lexer">Syntax</label>
> <select name="lexer" id="id_lexer">
> <optgroup label="Text">
> <option value="_text">Plain Text</option>
>
> <option value="_markdown">Markdown</option>
>
> <option value="_rst">reStructuredText</option>
>
> </optgroup>
> <optgroup label="Code">
> <option value="_code">Plain Code</option>
>
> <option value="applescript">AppleScript</option>
>
> <option value="arduino">Arduino</option>
>
> <option value="bash">Bash</option>
>
> <option value="bat">Batchfile</option>
>
> <option value="c">C</option>
>
> <option value="clojure">Clojure</option>
>
> <option value="cmake">CMake</option>
>
> <option value="coffee-script">CoffeeScript</option>
>
> <option value="common-lisp">Common Lisp</option>
>
> <option value="console">Console/Bash Session</option>
>
> <option value="cpp">C++</option>
>
> <option value="cpp-objdump">cpp-objdump</option>
>
> <option value="csharp">C#</option>
>
> <option value="css">CSS</option>
>
> <option value="cuda">CUDA</option>
>
> <option value="d">D</option>
>
> <option value="dart">Dart</option>
>
> <option value="delphi">Delphi</option>
>
> <option value="diff">Diff</option>
>
> <option value="django">Django/Jinja</option>
>
> <option value="docker">Docker</option>
>
> <option value="elixir">Elixir</option>
>
> <option value="erlang">Erlang</option>
>
> <option value="go">Go</option>
>
> <option value="handlebars">Handlebars</option>
>
> <option value="haskell">Haskell</option>
>
> <option value="html">HTML</option>
>
> <option value="html+django">HTML + Django/Jinja</option>
>
> <option value="ini">INI</option>
>
> <option value="ipythonconsole">IPython console session</option>
>
> <option value="irc">IRC logs</option>
>
> <option value="java">Java</option>
>
> <option value="js">JavaScript</option>
>
> <option value="json">JSON</option>
>
> <option value="jsx">JSX/React</option>
>
> <option value="kotlin">Kotlin</option>
>
> <option value="less">LessCSS</option>
>
> <option value="lua">Lua</option>
>
> <option value="make">Makefile</option>
>
> <option value="matlab">Matlab</option>
>
> <option value="nginx">Nginx configuration file</option>
>
> <option value="numpy">NumPy</option>
>
> <option value="objective-c">Objective-C</option>
>
> <option value="perl">Perl</option>
>
> <option value="php">PHP</option>
>
> <option value="postgresql">PostgreSQL SQL dialect</option>
>
> <option value="python" selected>Python</option>
>
> <option value="rb">Ruby</option>
>
> <option value="rst">reStructuredText</option>
>
> <option value="rust">Rust</option>
>
> <option value="sass">Sass</option>
>
> <option value="scss">SCSS</option>
>
> <option value="sol">Solidity</option>
>
> <option value="sql">SQL</option>
>
> <option value="swift">Swift</option>
>
> <option value="tex">TeX</option>
>
> <option value="typoscript">TypoScript</option>
>
> <option value="vim">VimL</option>
>
> <option value="xml">XML</option>
>
> <option value="xslt">XSLT</option>
>
> <option value="yaml">YAML</option>
>
> </optgroup>
></select>
> 
>
> 
> <label for="id_expires">Expires</label>
> <select name="expires" id="id_expires">
> <option value="onetime">One Time Snippet</option>
>
> <option value="never">Never expires</option>
>
> <option value="3600">Expire in 1 hour</option>
>
> <option value="86400">Expire in 24 hours</option>
>
> <option value="604800">Expire in 1 week</option>
>
> <option value="2592000" selected>Expire in 1 month</option>
>
> <option value="31536000">Expire in 1 year</option>
>
></select>
> 
>
> 
> <input type="checkbox" name="rtl" id="id_rtl">
> <label for="id_rtl">Right-to-Left</label>
> 
>
> 
> <label for="id_content">Content</label>
> <textarea name="content" cols="40" rows="10" placeholder="Awesome code goes here..." maxlength="262144000" required id="id_content">
># /etc/pf.conf
># macros
>protocols = &quot;{ tcp, udp }&quot;
>blocked_ports = &quot;{ syslog, epmd, amqp, couchdb }&quot;
>tcp_services = &quot;{ domain, http, rsync, 1935, https, smtp, 2200,
>couchdb, amqp, 1973, 2008, 2010, 4000, 5000, 5050, 5900, 6600, 7000, 8000, 8008, 9000, bgp,
>1179, 25565, 9333, 9334, 9335, 9993, 42853, 2049, 10090 }&quot;
>udp_services = &quot;{ domain, 9000, 9993, 42853, 21027, 3478, 30000, 26000 7777,7778,7779, 54321, vxlan }&quot;
>plex_services	= &quot;{ 4444, 32400, 1900, 3005, 5353, 8324, 32469, 32410, 32412, 32413, 32414 }&quot;
># https://help.ubnt.com/hc/en-us/articles/218506997-UniFi-Ports-Used
>unifi_services	= &quot;{ 1900, 8443, 10001, 3478, 8080 }&quot;
>koan_services	= &quot;{ http, https, amqp, 4000, 4003, 8000 }&quot;
>martians = &quot;{ 127.0.0.0/8, 192.168.0.0/16, \
> 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
> 0.0.0.0/8 }&quot;
>icmp4_types	= &quot;{ echoreq, unreach }&quot;
>icmp6_types	= &quot;{ echoreq, unreach, neighbradv, neighbrsol, routeradv, routersol }&quot;
>
>zerotier	= &quot;{ 9990:9999, 42853 }&quot;
>dhcp		= &quot;{ bootpc, bootps, tftp, dhcpv6-client, dhcpv6-server }&quot;
>
># interfaces
>extl_if = &quot;igb0&quot;
># for bastille not to complain
>ext_if = $extl_if
>intl_if = &quot;lo0&quot;
>jail_if = &quot;lo1&quot;
>hive_if = &quot;vm-public&quot;
>koan_if = &quot;ztagim5o45dhe4c&quot;
>zero_if = &quot;zt1flo98dm17np8&quot;
>bridge = &quot;{ tap0, tap1, igb0, vm-public }&quot;
>
># networks
>internet = $extl_if:network
>intl_net = $intl_if:network
>jail_net = $jail_if:network
>hive_net = $hive_if:network
>zero_net = $zero_if:network
>zero_net = &quot;{ fc7b:c4d6:6be2:8e50:6c98::/40 }&quot;
>koan_net = &quot;{ fca2:927d:4de2:8e50:6c98::/40 }&quot;
>local_net= &quot;172.16.0.0/16&quot;
>hive_net = &quot;172.16.0.0/16&quot;
>
># limits
># bigger state tables help erlang receive sockets faster
># https://blog.tyk.nu/blog/fun-with-freebsd-listen-queue-overflow/
>set limit { states 200000, frags 40000, src-nodes 40000 }
>set timeout { adaptive.start 180000, adaptive.end 200000 }
>
># trusted nets and devices
>set skip on { $intl_if, $jail_if }
>set skip on { $zero_if, $koan_if }
>
>
># tables
>table &lt;badhosts&gt; persist file &quot;/etc/pf.blocklist&quot;
>
># clean packets are happy packets
>scrub in on $extl_if all fragment reassemble
># scrub all reassemble tcp -- breaks VMs
># scrub log all reassemble tcp
>
># jails are allowed outbound connections but not inbound
># these should be set up explicitly using spiped or similar
># nat on $extl_if inet from !($extl_if) -&gt; ($extl_if:0)
>nat on $extl_if inet from $jail_net -&gt; ($extl_if:0)
># bastille0
># nat on $extl_if from &lt;jails&gt; to any -&gt; ($extl_if:0)
># enable jail redirection
>table &lt;jails&gt; persist file &quot;/etc/pf.jails&quot;
>rdr-anchor &quot;jails/*&quot;
>
># minecraft
>#rdr on $extl_if proto { tcp } from any to $extl_if port 25565 -&gt; 100.64.0.153 port 25565
>#rdr on $extl_if proto { tcp } from any to $extl_if port 8008 -&gt; 100.64.0.110 port 8008
>
># block by default
># block in log all
>
># ipv6 tunnel
>pass in quick on $extl_if proto icmp6 all
>pass out quick on $extl_if inet proto {udp, tcp} from any to any keep state
>pass out quick on $extl_if inet6 proto {udp, tcp} from any to any keep state
># dhcp etc for bridged bhyve instances
>pass in quick on $extl_if proto {tcp, udp} from any port $dhcp to any port $dhcp
>pass out quick on $extl_if proto {tcp, udp} from any port $dhcp to any port $dhcp
>
># permit zerotier and ICMP everywhere
>pass in quick on $extl_if proto {udp, tcp} from any to any port $zerotier
>pass in on $extl_if inet proto icmp from any to any
># icmp-type $icmp_types
>pass in on $bridge inet proto icmp from any to any icmp-type $icmp4_types
>
># plex https://support.plex.tv/hc/en-us/articles/201543147-What-network-ports-do-I-need-to-allow-through-my-firewall-
>pass in quick on $extl_if proto $protocols from any to any port $plex_services
>
># but allow legit internal traffic
># pass in quick on $extl_if proto { tcp } from any to any port 25565
>pass in quick on $extl_if proto { tcp } from any to any port $tcp_services
>pass in quick on $extl_if proto { udp } from any to $extl_if port $udp_services
>pass in quick on $extl_if proto { tcp } from any to $extl_if port $tcp_services
>pass in quick on $extl_if proto { tcp } from any to $extl_if port $koan_services
>pass in quick on $extl_if proto $protocols from $local_net to $extl_if
>pass in quick on $extl_if proto { tcp } from $local_net to any port $tcp_services
>pass in quick on $extl_if proto $protocols from $local_net to any port $unifi_services
>pass in quick on $zero_if proto $protocols from $zero_net to any port $unifi_services
>
># outbound
># block drop out quick log on $extl_if proto $protocols from any to 149.56.72.190
>
># bhyve and qemu taps
># dhcp etc for bridged bhyve instances
>pass in quick on $bridge proto udp from any port $dhcp to any port $dhcp
>pass out quick on $bridge proto udp from any port $dhcp to any port $dhcp
>pass in quick on $bridge proto icmp from any to any
># DNS, ZeroTier, and a bunch of stuff I don&#x27;t even know what it is anymore
>pass out quick on $bridge proto udp from any to any port $udp_services
>pass in quick on $bridge proto udp from any port $udp_services to any
># general TCP services are also permitted
>pass in quick on $bridge proto tcp from any to any port $tcp_services
>pass out quick on $bridge proto tcp from any to any port $tcp_services
>pass out on $bridge proto tcp from any to any
>
># you shall not pass
>block drop in log on $extl_if from $martians to any
>block drop out log on $extl_if from any to $martians
>block drop in log on $extl_if proto $protocols from any to any port $blocked_ports
>
># handle script kiddies and other nasties on demand
>block drop in log on $extl_if from &lt;badhosts&gt; to any
>
># o ye of little faith
># pass in log all
># bhyve gets everything
># pass in quick on $extl_if from any to $hive_net
># pass out quick on $extl_if from $hive_net to any
>antispoof for $extl_if inet
>pass out all
></textarea>
> 
>
> 
> <button class="btn" type="submit">
> Paste Snippet
> 
> &#8984;+&#9166;
> Ctrl+&#9166;
> </button>
> 
>
>
> 
></form>
>
>
> </div>
></main>
>
><script>const e=-1!==navigator.platform.indexOf("Mac");document.body.dataset.platform=e?"mac":"win";const t=document.querySelector(".autofocus textarea");null!==t&&t.focus(),document.body.onkeydown=function(t){const o=e?t.metaKey:t.ctrlKey,n=document.querySelector(".snippet-form");if(n&&13===t.keyCode&&o)return n.submit(),!1};const o=document.getElementById("wordwrap"),n=document.querySelectorAll(".snippet-code");function c(){o.checked?n.forEach(e=>e.classList.add("wordwrap")):n.forEach(e=>e.classList.remove("wordwrap"))}o&&n&&(c(),o.onchange=c);const d=document.getElementById("id_rtl"),l=document.getElementById("id_content");function i(){d.checked?l.dir="rtl":l.dir=""}d&&l&&(i(),d.onchange=i);const r=document.location.hash;if(r.startsWith("#L")){const e=r.substring(2).split(",");e.length>0&&""!==e[0]&&e.forEach(function(e){const t=document.getElementById(`l${e}`);t&&t.classList.add("marked")})}const a=document.querySelectorAll(".snippet-code li");a.forEach(function(e){e.onclick=function(){e.classList.toggle("marked");let t="L";document.querySelectorAll(".snippet-code li.marked").forEach(function(e){"L"!==t&&(t+=","),t+=e.getAttribute("id").substring(1)}),window.location.hash=t}});const u=document.getElementById("copyToClipboard"),s=document.getElementById("copyToClipboardField");u&&s&&(u.onclick=function(e){e.preventDefault(),s.select(),navigator.clipboard.writeText(s.value)});const m=document.getElementById("copySnippetToClipboard"),p=document.getElementById("copySnippetSource"),y=document.getElementById("copy");m&&p&&(m.onclick=function(e){e.preventDefault(),p.select(),navigator.clipboard.writeText(p.value),y.style.maxHeight="80px",window.scrollTo(0,0)});const g=document.getElementById("editSnippet"),f=document.getElementById("edit");g&&f&&(g.onclick=function(e){e.preventDefault(),f.style.display="block",window.scrollTo(f.getBoundingClientRect().x,f.getBoundingClientRect().y)});</script>
>
></body>
></html>

Actions: View

Attachments on bug 274915: 246120 | 246199