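# pf.conf — FreeBSD pf ruleset ("dnqueue" and "table ... file" are FreeBSD
# syntax). Only $extl_if is actually filtered: every other interface on this
# host is listed in a "set skip" below.

#########################################################################
# macros

# interfaces and networks
extl_if = "ng0"
# NOTE(review): $lan_if includes dpni1 ($dmz_if) and dpni2 ($wifi_if), and
# "set skip on $lan_if" below turns pf off on all three, so DMZ and wifi
# traffic is never filtered by this ruleset. Take dpni1/dpni2 out of this
# list if those segments are meant to be policed separately.
lan_if = "{ dpni1, dpni2, dpni3 }"
wifi_if = "dpni2"
loop_if = "lo0"
jail_if = "lo1"
dmz_if = "dpni1"

# networks (defined, but not referenced by any rule in this file)
jail_net = $jail_if:network
internet = $extl_if:network
dmz_net = $dmz_if:network

# services
web = "{ http, https }"   # unused
dns = "{ domain }"

# misc
both = "{ udp, tcp }"     # unused
# create state only on an initial SYN (S set, F/S/R/A examined)
tcp_flags = "flags S/FSRA keep state"
# per-source connection limits; a source that exceeds them is added to the
# <ratelimit> table and its existing states are flushed. Not applied to any
# rule in this file yet.
# NOTE(review): the "<ratelimit>" table reference was lost when this file was
# extracted; it is reconstructed here to match the table defined below.
ratelimit = "(max-src-conn 15, max-src-conn-rate 5/3, overload <ratelimit> flush global)"

# tables
# NOTE(review): pf requires "table <name> ..."; the angle-bracketed names were
# stripped from this copy of the file. <martians> is a placeholder for the
# lost name; <blocklist> and <ratelimit> are chosen to match their file paths.
# Restore the real names. No rule in this file references <martians> or
# <blocklist>, so as written neither table has any effect.
# reserved / unroutable prefixes (fc00::/7 ULA is deliberately left out)
table <martians> const { \
    0/8, 10/8, 100.64/10, 127/8, 169.254/16, 172.16/12, 192/24, \
    192.0.2/24, 192.88.99/24, 192.168/16, 198.18/15, 198.51.100/24, \
    203.0.113/24, 224/4, 240/4, 255.255.255.255, \
    ::1/128, ::ffff:0:0/96, 64:ff9b::/96, 100::/64, 2001:20::/28, \
    2001:db8::/32 } # , fc00::/7 }
table <blocklist> persist file "/etc/pf.blocklist"
table <ratelimit> persist file "/etc/pf.ratelimit"

#########################################################################
# options

# pf is bypassed entirely on these interfaces (see the $lan_if note above)
set skip on { $loop_if, $jail_if }
set skip on $lan_if
# drop silently instead of answering with RST / ICMP unreachable
set block-policy drop
set loginterface $extl_if

# tidy packets are safe packets: reassemble fragments on the external
# interface so the rules below see whole packets (the original comment
# attributes the need to ZeroTier traffic on ng0).
scrub in on $extl_if all fragment reassemble

#########################################################################
# ethernet

#########################################################################
# normalisation

#########################################################################
# queueing

#########################################################################
# translation

## streaming

#########################################################################
# filters

# default deny: anything not matched by a later rule is blocked and logged
block log all

# traffic shaping: hand all $extl_if traffic to dummynet queues (2, 1);
# see pf.conf(5) "dnqueue" for which number applies to which direction
match on $extl_if all dnqueue (2, 1)

# streaming (disabled)
# pass in quick proto tcp to 127.0.0.1 port 9000

# ICMP/IGMP/ICMPv6: drop everything arriving on the external interface, allow
# it freely elsewhere. Since every other interface is skipped above, the
# "pass in" rule currently matches nothing and "pass out" covers $extl_if only.
block in log quick on $extl_if proto { icmp, igmp, icmp6 }
pass in quick proto { icmp, igmp, icmp6 }
pass out quick proto { icmp, igmp, icmp6 }

# echo requests.
# NOTE(review): the "block in ... quick" above already drops inbound ICMP on
# $extl_if, so these two rules only admit outbound pings; hosts on the
# internet cannot ping this box. The earlier "both directions" wording was
# wrong for the external interface.
pass quick inet6 proto icmp6 icmp6-type echoreq label "icmp"
pass quick inet proto icmp icmp-type echoreq label "icmp"

# DNS on the external interface, both directions.
# NOTE(review): the two "pass in" rules accept port 53 from any source on the
# internet. If the listener recurses, this is an open-resolver exposure
# (amplification abuse); disable recursion for external clients in the
# resolver, or narrow the source here (e.g. with <blocklist> / $ratelimit).
pass in quick on $extl_if proto udp to port $dns label "dns"
pass in quick on $extl_if proto tcp to port $dns label "dns"
pass out quick on $extl_if proto udp to port $dns label "dns"
pass out quick on $extl_if proto tcp to port $dns $tcp_flags label "dns"

# everything else leaving the host is allowed but logged
pass out log all label "trash"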