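##
# Interfaces
##
ext_if="em0"
int_if="em1"
vpn_if="tun0"

##
# Hosts local
##
me_local="{ 127.0.0.1 }"
me_out="{ 192.168.178.2 }"
me_in="{ 192.168.23.1 }"
me_vpn="{ 172.16.241.1 }"
fritz_router="{ 192.168.178.1 }"

##
# Hosts jails/intranet
##
webserver="{ 192.168.1.4 }"
mailserver="{ 192.168.1.2 }"
andreas="{ 192.168.1.6 }"
ezm="{ 192.168.1.7 }"
git="{ 192.168.1.5 }"
avi="{ 192.168.1.9 }"
avidev="{ 192.168.1.11 }"
amok="{ 192.168.23.150 }"
zabbix="{ 192.168.1.13 }"

##
# Host-ranges
##
hosts="{ 192.168.23.10, 192.168.23.150, 192.168.23.151, 192.168.23.101 - 192.168.23.112 }"

##
# Networks
##
net_dev="{ 192.168.23.0/24 }"
net_dmz="{ 192.168.1.0/24 }"
net_vpn="{ 172.16.241.0/24 }"

##
# Ports out/main
##
tcp_out="{ 1:65535 }"
udp_out="{ 1:65535 }"

##
# Ports services
##
tcp_http="{ 80 }"
tcp_https="{ 443 }"
tcp_key="{ 333 }"
mail="{ 25, 143, 465, 587, 993 }"
udp_vpn="{ 1194, 1201 }"
tcp_ssh="{ 22 }"
tcp_ups="{ 3551 }"
tcp_git="{ 32 }"
tcp_avi="{ 34 }"
tcp_avidev="{ 35 }"
udp_dhcp="{ 67 }"
udp_ntp="{ 123 }"
tcp_zabbix_active="10051"

##
# Misc
##
icmp_types="echoreq"
# Per-source limits for the public services: a source holding more than
# 120 connections, or opening more than 120 in 60 s, is added to the
# overload table and all of its existing states are flushed.
# NOTE(review): the table name inside "overload <...>" was lost when this
# file was extracted (angle-bracketed tokens were stripped); the
# placeholder below must be replaced with the real table name before
# the ruleset is loaded.  Mapping it to the non-file table is an assumption.
httpsrv="(max-src-conn 120 max-src-conn-rate 120/60, overload <PLACEHOLDER_dynamic_blocklist> flush global)"
mailsrv="(max-src-conn 120 max-src-conn-rate 120/60, overload <PLACEHOLDER_dynamic_blocklist> flush global)"

##
# Tables
##
# NOTE(review): both table names were lost in extraction (see above);
# the same placeholders are used in the closing "block log from" rules.
# Dynamic table: filled at runtime by the overload clauses.
table <PLACEHOLDER_dynamic_blocklist> counters
# Static table: pre-loaded from a file maintained by hand.
table <PLACEHOLDER_static_blocklist> counters file "/etc/pf/static-blocked"

##
# Options
##
set limit states 8000
set limit frags 2000
set limit src-nodes 6000
set limit table-entries 50000
# Silently drop instead of sending RST/ICMP unreachable.
set block-policy drop
set loginterface $ext_if
set state-policy floating
set fingerprints "/etc/pf.os"
set debug urgent
set ruleset-optimization none
# NOTE(review): on FreeBSD "lo" is also the interface *group* containing
# lo0 and lo1, so the jail interface lo1 is presumably skipped as well —
# consistent with the commented-out lo1 rules at the end, but it means
# jail-to-jail traffic on lo1 is not filtered at all.  Confirm intended.
set skip on lo
set timeout { tcp.closing 900, tcp.finwait 30, tcp.closed 30 }
set timeout { udp.first 30, udp.single 30, udp.multiple 30 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 30, other.single 30, other.multiple 30 }
set timeout { adaptive.start 6000, adaptive.end 8100 }

# Normalise inbound traffic on every interface (reassemble fragments,
# clear DF, randomise IP IDs).
scrub in no-df random-id fragment reassemble

##
# Traffic outside interface
##
altq on $ext_if cbq bandwidth 530Mb queue { clie_vodafone, serv_vodafone }
queue clie_vodafone bandwidth 490Mb priority 5 cbq(default, borrow)
queue serv_vodafone bandwidth 40Mb priority 4 cbq(red)

##
# NAT
##
# Vodafone
# ($ext_if:0) translates to the interface's first address only.
nat on $ext_if inet from !($ext_if) -> ($ext_if:0)
nat on $ext_if from lo1 to any -> ($ext_if)
nat on $vpn_if from $net_dmz to $net_vpn -> ($vpn_if)
nat on $int_if from $net_dmz to any -> ($int_if:0)

# All
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

##
# External interface Kabel Vodafone
##
# Plain "rdr" only translates; the forwarded flows are still subject to
# the filter rules below (where $httpsrv/$mailsrv limits apply).
rdr on $ext_if proto tcp from any to $me_out port $tcp_http -> $webserver
rdr on $ext_if proto tcp from any to $me_out port $tcp_https -> $webserver
rdr on $ext_if proto tcp from any to $me_out port $mail -> $mailserver
# "rdr pass" creates state on the translation rule and skips the filter
# section entirely: neither the per-source limits nor the blocklist
# tables at the end of this file apply to the SSH services forwarded
# here, and any source address on $ext_if is accepted.
rdr pass on $ext_if proto tcp from any to any port $tcp_git -> $git port 22
rdr pass on $ext_if proto tcp from any to any port $tcp_avidev -> $avidev port 22
rdr pass on $vpn_if proto tcp from any to $me_vpn port $mail -> $mailserver
rdr pass on $vpn_if proto tcp from any to $me_vpn port $tcp_ssh -> $me_in

##
# Internal Interface
##
# Transparent FTP proxy: internal FTP control connections are redirected
# to ftp-proxy listening on localhost:8021.
rdr pass on $int_if proto tcp from any to any port 21 -> $me_local port 8021

##
# VPN
##
rdr pass on $vpn_if proto tcp from any to $me_vpn port $tcp_zabbix_active -> $zabbix

##
# Rules
##
# all interfaces
####################################
# Default policy: block and log everything not explicitly passed.
block log
anchor "ftp-proxy/*"
# $vpn_if is not covered by antispoof; source addresses on tun0 are only
# constrained by the individual vpn rules below.
antispoof quick for { lo $int_if $ext_if }
# Matches on every interface, including $ext_if, so the host answers
# echo requests from the internet.
pass in inet proto icmp all icmp-type $icmp_types
pass in on $int_if inet proto tcp from $net_dev to $me_local port 8021 flags S/SA

# outside interface Vodafone
####################################
# queue(serv_vodafone) on an "in" rule presumably places the replies of
# these states into the 40Mb server queue on $ext_if.
pass in on $ext_if inet proto tcp from any to $webserver port $tcp_https flags S/SA keep state $httpsrv queue(serv_vodafone)
pass in on $ext_if inet proto tcp from any to $webserver port $tcp_http flags S/SA keep state $httpsrv queue(serv_vodafone)
pass in on $ext_if inet proto tcp from any to $mailserver port $mail flags S/SA keep state $mailsrv queue(serv_vodafone)
pass in on $ext_if inet proto tcp from any to $me_out port $tcp_key flags S/SA keep state $httpsrv queue(serv_vodafone)
pass in on $ext_if inet proto udp from any to $me_out port $udp_vpn keep state queue(serv_vodafone)
# There are no inet6 "pass in" rules, so inbound IPv6 on $ext_if falls
# under the default block; these only let the host originate v6 traffic.
pass out on $ext_if inet6 proto udp from any to any port $udp_out modulate state
pass out on $ext_if inet6 proto tcp from any to any port $tcp_out flags S/SA modulate state
pass out on $ext_if inet6 proto icmp6 from any to any
pass out on $ext_if inet proto udp from any to any port $udp_out modulate state
pass out on $ext_if inet proto tcp from any to any port $tcp_out flags S/SA modulate state
pass out on $ext_if inet proto icmp from any to any

# inside interface Dev
####################################
# Only the enumerated $hosts may initiate traffic from the dev network.
pass in on $int_if inet proto tcp from $hosts to any flags S/SA keep state
pass in on $int_if inet proto udp from $hosts to any keep state
pass out on $int_if inet6 proto tcp from any to any flags S/SA keep state
pass out on $int_if inet6 proto udp from any to any keep state
pass out on $int_if inet proto tcp from any to any flags S/SA keep state
pass out on $int_if inet proto udp from any to any keep state
pass out on $int_if inet proto icmp from any to any

# vpn
###################################
# Any protocol and port from any source to the VPN gateway address.
pass in on $vpn_if from any to $me_vpn keep state
pass in on $vpn_if inet proto tcp from any to $mailserver port $mail keep state
# VPN clients get unrestricted TCP into both the DMZ and the dev network.
pass in on $vpn_if inet proto tcp from $net_vpn to $net_dmz keep state
pass in on $vpn_if inet proto tcp from $net_vpn to $net_dev keep state
pass out on $vpn_if from any to any keep state

# Jails
#pass in on lo1
#pass out on lo1

# bad boys
####################################
# Last match wins: being last and without "quick", these override every
# earlier non-quick pass rule for listed sources.  They do NOT cover the
# "rdr pass" translations or the antispoof rules above.
# NOTE(review): table names are extraction placeholders — see the Tables
# section.
block log from <PLACEHOLDER_dynamic_blocklist> to any
block log from <PLACEHOLDER_static_blocklist> to any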