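# Relevant rc.conf bits
# pf_enable="YES"
# pflog_enable="YES"
# pf_rules="/etc/pf.conf"
#
# expiretable_enable="YES"
# expiretable_flags="-t 24h bruteforce"
#
# Review notes on this rule set:
#  - Only inbound traffic has a default deny ("block in log all" below).
#    There is no matching "block out", so outbound is allowed unless a
#    rule blocks it; the "pass out" rules mainly add state tracking.
#  - The <name> of every table was lost when this file was extracted
#    (angle brackets stripped). The names below are reconstructed from the
#    table file paths and from the expiretable flag above; confirm them
#    against the original before loading with pfctl.

# Macros
icmp_types = "{ echoreq, unreach }"
system_tcp_services = "{ ssh, domain, ntp, https, ftp-data, ftp, http, whois }"
system_udp_services = "{ domain, ntp }"
vpn_services = "{ https }"
recovery_hosts = "{ 67.42.3.9/32, 192.160.132.20/32 }"
vpn_host = "67.42.3.9/32"
external_addr = "54.191.231.38/32" # not referenced by any rule below
int_if = "xn0" # macro for internal interface
localnet = $int_if:network

# Tables. "persist" keeps a table even when no rule references it;
# "file" loads its initial entries from the given path.
table <blocked_subnets> persist file "/etc/pf.blocked_subnets"
table <bruteforce> persist file "/etc/pf.bruteforce"
table <tor> persist file "/etc/pf.tor"

# Private/bogon ranges that should never be seen on the internal interface.
# Note: 172.16.0.0/12 (RFC 1918) is not in this list; confirm that is intended.
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 198.18.0.0/16, \
    198.19.0.0/16, 10.0.0.0/8, 169.254.0.0/16, \
    192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"

# Options and normalisation
set skip on lo0
scrub all fragment reassemble no-df random-id

# Translation: traffic from the internal side to $localnet on the VPN port
# is redirected to $vpn_host. "rdr pass" also passes the redirected
# packets, so no separate filter rule is needed for them.
rdr pass on $int_if proto tcp from any to $localnet port $vpn_services -> $vpn_host
rdr pass on $int_if proto udp from any to $localnet port $vpn_services -> $vpn_host

# Default policy: deny and log everything inbound. Outbound is not blocked
# by default (see the review note at the top).
block in log all label "DEFAULT BLOCK:"

# Martians never enter or leave the internal interface.
block drop in quick on $int_if from $martians to any
block drop out quick on $int_if from any to $martians

# IPs that are attempting ssh access. Filled by the overload clause of the
# ssh rule below and expired by expiretable after 24h. Because this block
# is "quick" and precedes every pass rule, a $recovery_hosts entry that
# lands in the table is locked out as well.
block drop in log quick from <bruteforce> to any
block out log quick from any to <bruteforce>

# networks that don't behave themselves
block drop in log quick from <blocked_subnets> to any
block out log quick from any to <blocked_subnets>

# drop traffic to/from tor. don't want it
block in from <tor> to any
block out from any to <tor>

# DHCP client/server traffic
pass quick inet proto tcp from any port 67:68 to any port 67:68 keep state flags S/SA
pass quick inet proto udp from any port 67:68 to any port 67:68 keep state

# ssh from the recovery hosts, exempt from the rate limit. This rule must
# precede the general ssh rule: that rule is "quick" and matches a superset
# of this one (any -> $localnet, which contains $int_if's address), so if
# placed after it this rule can never match.
pass in quick log inet proto tcp from $recovery_hosts to $int_if port ssh flags S/SA keep state

# ssh from anywhere, rate limited: a source exceeding 15 concurrent
# connections or 5 new connections within 3 seconds is added to
# <bruteforce> and all of its existing states are flushed.
pass in quick log proto tcp from any to $localnet port ssh \
    flags S/SA keep state \
    (max-src-conn 15, max-src-conn-rate 5/3, \
    overload <bruteforce> flush global)

# NOTE(review): the next two rules match on the *source* port, not the
# destination: any remote host sending from port 443 is passed in to every
# local port. Replies to the "pass out ... to $vpn_host" rules below are
# already admitted by their state entries, so these are probably
# unintended. Confirm the intent, then either remove them or rewrite them
# as a destination-port match.
pass in inet proto tcp from any port $vpn_services modulate state flags S/SA
pass in inet proto udp from any port $vpn_services keep state

# Outbound to the VPN host
pass out inet proto tcp to $vpn_host port $vpn_services modulate state flags S/SA
pass out inet proto udp to $vpn_host port $vpn_services keep state

# Outbound client traffic to the named services; state lets replies return
# past the inbound default block.
pass out inet proto tcp to any port $system_tcp_services modulate state flags S/SA
pass out inet proto udp to any port $system_udp_services keep state

# ICMP, limited to the listed types, in both directions
pass inet proto icmp all icmp-type $icmp_types keep state

# allow out the default range for traceroute(8):
pass out inet proto udp from any to any port 33433 >< 33626 keep state
#EOF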