Firewall-Generated Ruleset.txt - pfSense - pfSense bugtracker

Bug #12262 » Firewall-Generated Ruleset.txt

Alhusein Zawi, 08/28/2021 01:02 PM

       set limit table-entries 400000
       set optimization normal
       set limit states 44000
       set limit src-nodes 44000
       #System aliases
       loopback = "{ lo0 }"
       WAN = "{ em0 }"
       LAN = "{ em1 }"
       OPT1 = "{ em2 }"
       IPsec = "{ enc0 }"
       #SSH Lockout Table
       table <sshguard> persist
       #Snort tables
       table <snort2c>
       table <virusprot>
       table <bogons> persist file "/etc/bogons"
       table <negate_networks>
       # User Aliases
       # Gateways
       GWWAN_DHCP = " route-to ( em0 10.0.2.2 ) "
       GWWAN_DHCP6 = " route-to ( em0 10.0.2.2 ) "
       set loginterface em1
       set skip on pfsync0
       set keepcounters
       scrub on $WAN inet all    fragment reassemble
       scrub on $WAN inet6 all    fragment reassemble
       scrub on $LAN inet all    fragment reassemble
       scrub on $LAN inet6 all    fragment reassemble
       scrub on $OPT1 inet all    fragment reassemble
       scrub on $OPT1 inet6 all    fragment reassemble
       no nat proto carp
       no rdr proto carp
       nat-anchor "natearly/*"
       nat-anchor "natrules/*"
       binat on em1 inet from any to any -> 50.50.50.111
       # Outbound NAT rules (automatic)
       # Subnets to NAT
       table <tonatsubnets> { 127.0.0.0/8 ::1/128 192.168.11.0/24 172.17.99.0/24 60.60.60.0 30.30.30.1 10.10.10.1 }
       nat on $WAN inet from <tonatsubnets> to any port 500 -> 10.0.2.15/32  static-port
       nat on $WAN inet6 from <tonatsubnets> to any port 500 -> (em0)  static-port
       nat on $WAN inet from <tonatsubnets> to any -> 10.0.2.15/32 port 1024:65535
       nat on $WAN inet6 from <tonatsubnets> to any -> (em0) port 1024:65535
       # TFTP proxy
       rdr-anchor "tftp-proxy/*"
       # NAT Inbound Redirects
       rdr on em0 inet proto tcp from any to 10.0.2.15 port 21 -> 192.168.11.112
       rdr on em0 inet proto tcp from any to 10.0.2.15 port 21 -> 192.168.11.114
       rdr pass on em0 inet proto tcp from any to 10.0.2.15 port 21 -> 192.168.11.113
       # UPnPd rdr anchor
       rdr-anchor "miniupnpd"
       anchor "openvpn/*"
       anchor "ipsec/*"
       # block IPv4 link-local. Per RFC 3927, link local "MUST NOT" be forwarded by a routing device,
       # and clients "MUST NOT" send such packets to a router. FreeBSD won't route 169.254./16, but
       # route-to can override that, causing problems such as in redmine #2073
       block in log quick from 169.254.0.0/16 to any tracker 1000105581 label "Block IPv4 link-local"
       block in log quick from any to 169.254.0.0/16 tracker 1000105582 label "Block IPv4 link-local"
       #---------------------------------------------------------------------------
       # default deny rules
       #---------------------------------------------------------------------------
       block in log inet all tracker 1000105583 label "Default deny rule IPv4"
       block out log inet all tracker 1000105584 label "Default deny rule IPv4"
       block in log inet6 all tracker 1000105585 label "Default deny rule IPv6"
       block out log inet6 all tracker 1000105586 label "Default deny rule IPv6"
       # IPv6 ICMP is not auxiliary, it is required for operation
       # See man icmp6(4)
       # 1    unreach         Destination unreachable
       # 2    toobig          Packet too big
       # 128  echoreq         Echo service request
       # 129  echorep         Echo service reply
       # 133  routersol       Router solicitation
       # 134  routeradv       Router advertisement
       # 135  neighbrsol      Neighbor solicitation
       # 136  neighbradv      Neighbor advertisement
       pass  quick inet6 proto ipv6-icmp from any to any icmp6-type {1,2,135,136} tracker 1000105587 keep state
       # Allow only bare essential icmpv6 packets (NS, NA, and RA, echoreq, echorep)
       pass out  quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {129,133,134,135,136} tracker 1000105588 keep state
       pass out  quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {129,133,134,135,136} tracker 1000105589 keep state
       pass in  quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {128,133,134,135,136} tracker 1000105590 keep state
       pass in  quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type {128,133,134,135,136} tracker 1000105591 keep state
       pass in  quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {128,133,134,135,136} tracker 1000105592 keep state
       pass in  quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type {128,133,134,135,136} tracker 1000105593 keep state
       # We use the mighty pf, we cannot be fooled.
       block log quick inet proto { tcp, udp } from any port = 0 to any tracker 1000105594 label "Block traffic from port 0"
       block log quick inet proto { tcp, udp } from any to any port = 0 tracker 1000105595 label "Block traffic to port 0"
       block log quick inet6 proto { tcp, udp } from any port = 0 to any tracker 1000105596 label "Block traffic from port 0"
       block log quick inet6 proto { tcp, udp } from any to any port = 0 tracker 1000105597 label "Block traffic to port 0"
       # Snort package
       block log quick from <snort2c> to any tracker 1000105598 label "Block snort2c hosts"
       block log quick from any to <snort2c> tracker 1000105599 label "Block snort2c hosts"
       # CARP rules
       block in log quick proto carp from (self) to any tracker 1000105681
       pass  quick proto carp tracker 1000105682 no state
       # SSH lockout
       block in log quick proto tcp from <sshguard> to (self) port 22 tracker 1000105781 label "sshguard"
       # webConfigurator lockout
       block in log quick proto tcp from <sshguard> to (self) port 80 tracker 1000105831 label "GUI Lockout"
       block in log quick from <virusprot> to any tracker 1000000400 label "virusprot overload table"
       # allow our DHCP client out to the WAN
       pass in  quick on $WAN proto udp from any port = 67 to any port = 68 tracker 1000106041 label "allow dhcp client out WAN"
       pass out  quick on $WAN proto udp from any port = 68 to any port = 67 tracker 1000106042 label "allow dhcp client out WAN"
       # Not installing DHCP server firewall rules for WAN which is configured for DHCP.
       # allow our DHCPv6 client out to the WAN
       pass in  quick on $WAN proto udp from fe80::/10 port = 546 to fe80::/10 port = 546 tracker 1000106043 label "allow dhcpv6 client in WAN"
       pass in  quick on $WAN proto udp from any port = 547 to any port = 546 tracker 1000106044 label "allow dhcpv6 client in WAN"
       # Add Priority to dhcp6c packets if enabled
       pass out  quick on $WAN proto udp from any port = 546 to any port = 547 tracker 1000106045 label "allow dhcpv6 client out WAN"
       antispoof log for $WAN tracker 1000107050
       antispoof log for $LAN tracker 1000108100
       # allow access to DHCPv6 server on LAN
       # We need inet6 icmp for stateless autoconfig and dhcpv6
       pass  quick on $LAN inet6 proto udp from fe80::/10 to fe80::/10 port = 546 tracker 1000108131 label "allow access to DHCPv6 server"
       pass  quick on $LAN inet6 proto udp from fe80::/10 to ff02::/16 port = 546 tracker 1000108132 label "allow access to DHCPv6 server"
       pass  quick on $LAN inet6 proto udp from fe80::/10 to ff02::/16 port = 547 tracker 1000108133 label "allow access to DHCPv6 server"
       pass  quick on $LAN inet6 proto udp from ff02::/16 to fe80::/10 port = 547 tracker 1000108134 label "allow access to DHCPv6 server"
       antispoof log for $OPT1 tracker 1000109150
       # loopback
       pass in  on $loopback inet all tracker 1000110241 label "pass IPv4 loopback"
       pass out  on $loopback inet all tracker 1000110242 label "pass IPv4 loopback"
       pass in  on $loopback inet6 all tracker 1000110243 label "pass IPv6 loopback"
       pass out  on $loopback inet6 all tracker 1000110244 label "pass IPv6 loopback"
       # let out anything from the firewall host itself and decrypted IPsec traffic
       pass out  inet all keep state allow-opts tracker 1000110245 label "let out anything IPv4 from firewall host itself"
       pass out  inet6 all keep state allow-opts tracker 1000110246 label "let out anything IPv6 from firewall host itself"
       pass out  route-to ( em0 10.0.2.2 ) from 10.0.2.15 to !10.0.2.0/24 tracker 1000110341 keep state allow-opts label "let out anything from firewall host itself"
       pass out  on $IPsec all tracker 1000110641 tracker 1000110642 keep state label "IPsec internal host to host"
       # make sure the user cannot lock himself out of the webConfigurator or SSH
       pass in  quick on em1 proto tcp from any to (em1) port { 80 22 } tracker 10002 keep state label "anti-lockout rule"
       # User-defined rules follow
       anchor "userrules/*"
       pass  in  quick  on $LAN inet from 192.168.11.0/24 to any tracker 0100000101 keep state  label "USER_RULE: Default allow LAN to any rule"
       # source address is empty.  label "USER_RULE: Default allow LAN IPv6 to any rule"
       pass  in  quick  on $OPT1 inet from any to any tracker 1628368685 keep state  label "USER_RULE"
       # VPN Rules
       pass in  on $WAN   proto udp from 0.0.0.0/0 to (self) port = 500 tracker 1000210781 keep state label "IPsec: test12262 - inbound isakmp"
       pass in  on $WAN   proto udp from 0.0.0.0/0 to (self) port = 4500 tracker 1000210782 keep state label "IPsec: test12262 - inbound nat-t"
       anchor "tftp-proxy/*"

(1-1/1)

Project

General

Profile

pfSense

Bug #12262 » Firewall-Generated Ruleset.txt