pfSense

#System aliases

loopback = "{ lo0 }"

WAN = "{ re1 }"

LAN = "{ re0 }"

OPT1 = "{ re2 }"

#SSH Lockout Table

table <sshlockout> persist

#Snort2C table

table <snort2c>

table <virusprot>

# User Aliases

# Gateways

GWMgmtNetworkGateway = " route-to ( re0 10.110.0.4 ) "

GWwan = "  "

set loginterface re1

set loginterface re0

set loginterface re2

set optimization normal

set limit states 198000

set skip on pfsync0

scrub in on $WAN all   max-mss -39 fragment reassemble

scrub in on $LAN all    fragment reassemble

scrub in on $OPT1 all    fragment reassemble

nat-anchor "natearly/*"

nat-anchor "natrules/*"

# Outbound NAT rules

# Subnets to NAT

tonatsubnets    = "{ 10.110.0.0/24 10.110.19.0/24  }"

nat on $WAN  from $tonatsubnets port 500 to any port 500 -> 10.110.119.7/32 port 500

nat on $WAN  from $tonatsubnets port 5060 to any port 5060 -> 10.110.119.7/32 port 5060

nat on $WAN  from $tonatsubnets to any -> 10.110.119.7/32 port 1024:65535

# Load balancing anchor

rdr-anchor "relayd/*"

# TFTP proxy

rdr-anchor "tftp-proxy/*"

table <direct_networks> { 10.110.119.0/24 10.110.0.0/24 10.110.19.0/24 }

# UPnPd rdr anchor

rdr-anchor "miniupnpd"

anchor "relayd/*"

anchor "firewallrules"

#---------------------------------------------------------------------------

# default deny rules

#---------------------------------------------------------------------------

block in log all label "Default deny rule"

block out log all label "Default deny rule"

# We use the mighty pf, we cannot be fooled.

block quick proto { tcp, udp } from any port = 0 to any

block quick proto { tcp, udp } from any to any port = 0

# Block all IPv6

block in quick inet6 all

block out quick inet6 all

# snort2c

block quick from <snort2c> to any label "Block snort2c hosts"

block quick from any to <snort2c> label "Block snort2c hosts"

# package manager early specific hook

anchor "packageearly"

# carp

anchor "carp"

# SSH lockout

block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"

block in quick from <virusprot> to any label "virusprot overload table"

table <bogons> persist file "/etc/bogons"

# block bogon networks

# http://www.cymru.com/Documents/bogon-bn-nonagg.txt

anchor "wanbogons"

block in log quick on $WAN from <bogons> to any label "block bogon networks from WAN"

antispoof for re1

antispoof for re0

antispoof for re2

anchor "spoofing"

# loopback

anchor "loopback"

pass in on $loopback all label "pass loopback"

pass out on $loopback all label "pass loopback"

anchor "firewallout"

# let out anything from the firewall host itself and decrypted IPsec traffic

pass out all keep state allow-opts label "let out anything from firewall host itself"

# make sure the user cannot lock himself out of the webConfigurator or SSH

anchor "anti-lockout"

pass in quick on re0 from any to (re0) keep state label "anti-lockout rule"

# NAT Reflection rules

# User-defined rules follow

pass  in  quick  on $LAN  from 10.110.0.0/24 to any keep state  label "USER_RULE: Default allow LAN to any rule"

# VPN Rules

# package manager late specific hook

anchor "packagelate"

anchor "tftp-proxy/*"

anchor "limitingesr"

# uPnPd

anchor "miniupnpd"