@soediro
Created March 24, 2018 21:25
PF for webjail on FreeBSD
# /etc/pf.conf
ext_if="xn0"
webjail="10.10.60.1"
webports = "{http, https}"
int_tcp_services = "{domain, ntp, smtp, www, https, ftp, ssh, 55536}"
int_udp_services = "{domain, ntp}"
icmp_types = "echoreq"
set skip on lo
set loginterface $ext_if
# Normalization
scrub in all random-id fragment reassemble
# Redirect web traffic to the jail.
rdr on $ext_if proto tcp from any to ($ext_if) port http -> $webjail port http
rdr on $ext_if proto tcp from any to ($ext_if) port https -> $webjail port https
# Allow jail traffic to NAT back out to anywhere.
nat on $ext_if from $webjail to any -> ($ext_if)
# Filtering rules
block return in log all
block out all
antispoof quick for $ext_if
# Block rapid-fire brute-force attempts
table <bruteforce> persist
block quick from <bruteforce>
# SSHGuard
table <sshguard> persist
block in quick on $ext_if from <sshguard> label "ssh bruteforce"
table <blockgeoip> persist file "/etc/blocked.txt"
block in log quick on $ext_if from <blockgeoip> to any
# ftp-proxy needs to have an anchor
anchor "ftp-proxy/*"
# SSH is listening on port 55536
pass in quick proto tcp to $ext_if port 55536 keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
# Webserver
#pass proto tcp from any to $ext_if port $webports
# Additional webjail rules. The nat rule above has no "pass" keyword, so the jail's outbound traffic is still filtered and is admitted by the generic "pass out" rules below.
pass in on $ext_if proto tcp to $webjail port { http, https } keep state
pass out on $ext_if proto tcp to $webjail port { http, https } keep state
# Allow essential outgoing traffic
pass out quick on $ext_if proto tcp to any port $int_tcp_services
pass out quick on $ext_if proto udp to any port $int_udp_services
pass out quick on $ext_if proto tcp to any
pass inet proto icmp all icmp-type $icmp_types keep state
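The ruleset above leans on two pf features that are easy to get subtly wrong: macros (`$ext_if`, `$webjail`) and brace lists such as `{ http, https }`, which pfctl expands into one rule per element before loading. As an added example (not part of the gist), the Python below performs that expansion on a constructed excerpt modelled on the config and runs two consistency checks a reviewer would want: rules that name an interface literally instead of through a macro (the excerpt keeps one such `on xn0` rule so the check has something to report), and `rdr` targets that no `pass in` rule admits, which under `block return in log all` means the redirected packets reach the jail address and are then dropped. The regex-based parser is an assumption of this example and covers only the subset of pf syntax the gist uses.

```python
import re

# Constructed input modelled on the gist's pf.conf (not the full file). One rule
# deliberately says "on xn0" instead of "on $ext_if" so the lint has a finding.
PF_CONF = """\
ext_if="xn0"
webjail="10.10.60.1"
int_udp_services = "{domain, ntp}"
# Redirect web traffic to the jail.
rdr on $ext_if proto tcp from any to ($ext_if) port http -> $webjail port http
rdr on $ext_if proto tcp from any to ($ext_if) port https -> $webjail port https
nat on $ext_if from $webjail to any -> ($ext_if)
block return in log all
block out all
table <sshguard> persist
block in quick on xn0 from <sshguard> label "ssh bruteforce"
pass in on $ext_if proto tcp to $webjail port { http, https } keep state
pass out quick on $ext_if proto udp to any port $int_udp_services
"""

MACRO_RE = re.compile(r'^(\w+)\s*=\s*"([^"]*)"\s*$')
LIST_RE = re.compile(r'\{([^}]*)\}')
RDR_RE = re.compile(r'^rdr\b.*->\s*(\S+)\s+port\s+(\S+)')
PASS_IN_RE = re.compile(r'^pass\s+in\b.*\bto\s+(\S+)\s+port\s+(\S+)')
ON_RE = re.compile(r'\bon\s+(\S+)')


def parse(conf):
    """Split a pf.conf into macro definitions and raw (unexpanded) rule lines."""
    macros, rules = {}, []
    for raw in conf.splitlines():
        line = raw.split('#', 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
        else:
            rules.append(line)
    return macros, rules


def substitute_macros(rule, macros):
    """Replace each $name with its definition; an undefined macro is an error, as in pfctl."""
    def repl(m):
        if m.group(1) not in macros:
            raise ValueError(f"undefined macro ${m.group(1)} in rule: {rule}")
        return macros[m.group(1)]
    return re.sub(r'\$(\w+)', repl, rule)


def expand_lists(rule):
    """Expand every {a, b, ...} list into the Cartesian product of single rules
    that pfctl actually loads."""
    m = LIST_RE.search(rule)
    if not m:
        return [rule]
    out = []
    for item in m.group(1).split(','):
        out.extend(expand_lists(rule[:m.start()] + item.strip() + rule[m.end():]))
    return out


def expand(conf):
    """Macros first, then lists: the flat rule list pf would end up with."""
    macros, rules = parse(conf)
    flat = []
    for rule in rules:
        flat.extend(expand_lists(substitute_macros(rule, macros)))
    return flat


def literal_interfaces(conf):
    """(name, rule) pairs where a rule says 'on <name>' without a macro; such a
    rule silently stops matching when the interface is renamed in one place."""
    _, rules = parse(conf)
    return [(m.group(1), rule)
            for rule in rules if not rule.startswith('set ')
            for m in ON_RE.finditer(rule) if not m.group(1).startswith('$')]


def unreached_redirects(conf):
    """(host, port) rdr targets with no expanded 'pass in ... to host port p' rule."""
    rules = expand(conf)
    passed = {m.groups() for m in map(PASS_IN_RE.match, rules) if m}
    return [m.groups() for m in map(RDR_RE.match, rules) if m and m.groups() not in passed]


if __name__ == "__main__":
    print("\n".join(expand(PF_CONF)))
    print("literal interfaces:", literal_interfaces(PF_CONF))
    print("redirects without a pass-in rule:", unreached_redirects(PF_CONF))
```

Run it against a real file with `expand(open("/etc/pf.conf").read())` after the usual `pfctl -nf /etc/pf.conf` syntax check; the expansion output is also a convenient way to see exactly which single rules a `{ ... }` list produces before loading them.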
soediro commented Mar 24, 2018

Additional config to enable outgoing traffic:
#cat /usr/local/etc/ezjail/webjail | grep shell
export jail_webjail_shell_parameters="allow.raw_sockets=1"