|
1
|
[22.05-RELEASE][admin@6100-2.stevew.lan]/root: pfctl -sr
|
|
2
|
scrub on ix3 inet all fragment reassemble
|
|
3
|
scrub on ix3 inet6 all fragment reassemble
|
|
4
|
scrub on igc0 inet all fragment reassemble
|
|
5
|
scrub on igc0 inet6 all fragment reassemble
|
|
6
|
scrub on ix2 inet all fragment reassemble
|
|
7
|
scrub on ix2 inet6 all fragment reassemble
|
|
8
|
scrub on ix0 inet all fragment reassemble
|
|
9
|
scrub on ix0 inet6 all fragment reassemble
|
|
10
|
scrub on ix1 inet all fragment reassemble
|
|
11
|
scrub on ix1 inet6 all fragment reassemble
|
|
12
|
scrub on igc1 inet all fragment reassemble
|
|
13
|
scrub on igc1 inet6 all fragment reassemble
|
|
14
|
scrub on igc2 inet all fragment reassemble
|
|
15
|
scrub on igc2 inet6 all fragment reassemble
|
|
16
|
scrub on igc3 inet all fragment reassemble
|
|
17
|
scrub on igc3 inet6 all fragment reassemble
|
|
18
|
scrub on ath0_wlan0 inet all fragment reassemble
|
|
19
|
scrub on ath0_wlan0 inet6 all fragment reassemble
|
|
20
|
anchor "openvpn/*" all
|
|
21
|
anchor "ipsec/*" all
|
|
22
|
block drop in log quick inet from 169.254.0.0/16 to any label "Block IPv4 link-local" ridentifier 1000000101
|
|
23
|
block drop in log quick inet from any to 169.254.0.0/16 label "Block IPv4 link-local" ridentifier 1000000102
|
|
24
|
block drop in log inet all label "Default deny rule IPv4" ridentifier 1000000103
|
|
25
|
block drop out log inet all label "Default deny rule IPv4" ridentifier 1000000104
|
|
26
|
block drop in log inet6 all label "Default deny rule IPv6" ridentifier 1000000105
|
|
27
|
block drop out log inet6 all label "Default deny rule IPv6" ridentifier 1000000106
|
|
28
|
pass quick inet6 proto ipv6-icmp all icmp6-type unreach keep state ridentifier 1000000107
|
|
29
|
pass quick inet6 proto ipv6-icmp all icmp6-type toobig keep state ridentifier 1000000107
|
|
30
|
pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state ridentifier 1000000107
|
|
31
|
pass quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state ridentifier 1000000107
|
|
32
|
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state ridentifier 1000000108
|
|
33
|
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state ridentifier 1000000108
|
|
34
|
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state ridentifier 1000000108
|
|
35
|
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state ridentifier 1000000108
|
|
36
|
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state ridentifier 1000000108
|
|
37
|
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state ridentifier 1000000109
|
|
38
|
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state ridentifier 1000000109
|
|
39
|
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state ridentifier 1000000109
|
|
40
|
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state ridentifier 1000000109
|
|
41
|
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state ridentifier 1000000109
|
|
42
|
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state ridentifier 1000000110
|
|
43
|
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state ridentifier 1000000110
|
|
44
|
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state ridentifier 1000000110
|
|
45
|
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state ridentifier 1000000110
|
|
46
|
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state ridentifier 1000000110
|
|
47
|
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state ridentifier 1000000111
|
|
48
|
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state ridentifier 1000000111
|
|
49
|
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state ridentifier 1000000111
|
|
50
|
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbrsol keep state ridentifier 1000000111
|
|
51
|
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbradv keep state ridentifier 1000000111
|
|
52
|
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state ridentifier 1000000112
|
|
53
|
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state ridentifier 1000000112
|
|
54
|
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state ridentifier 1000000112
|
|
55
|
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state ridentifier 1000000112
|
|
56
|
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state ridentifier 1000000112
|
|
57
|
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type echoreq keep state ridentifier 1000000113
|
|
58
|
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type routersol keep state ridentifier 1000000113
|
|
59
|
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type routeradv keep state ridentifier 1000000113
|
|
60
|
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type neighbrsol keep state ridentifier 1000000113
|
|
61
|
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type neighbradv keep state ridentifier 1000000113
|
|
62
|
block drop log quick inet proto tcp from any port = 0 to any label "Block traffic from port 0" ridentifier 1000000114
|
|
63
|
block drop log quick inet proto udp from any port = 0 to any label "Block traffic from port 0" ridentifier 1000000114
|
|
64
|
block drop log quick inet proto tcp from any to any port = 0 label "Block traffic to port 0" ridentifier 1000000115
|
|
65
|
block drop log quick inet proto udp from any to any port = 0 label "Block traffic to port 0" ridentifier 1000000115
|
|
66
|
block drop log quick inet6 proto tcp from any port = 0 to any label "Block traffic from port 0" ridentifier 1000000116
|
|
67
|
block drop log quick inet6 proto udp from any port = 0 to any label "Block traffic from port 0" ridentifier 1000000116
|
|
68
|
block drop log quick inet6 proto tcp from any to any port = 0 label "Block traffic to port 0" ridentifier 1000000117
|
|
69
|
block drop log quick inet6 proto udp from any to any port = 0 label "Block traffic to port 0" ridentifier 1000000117
|
|
70
|
block drop log quick from <snort2c> to any label "Block snort2c hosts" ridentifier 1000000118
|
|
71
|
block drop log quick from any to <snort2c> label "Block snort2c hosts" ridentifier 1000000119
|
|
72
|
block drop in log quick proto tcp from <sshguard> to (self) port = ssh label "sshguard" ridentifier 1000000301
|
|
73
|
block drop in log quick proto tcp from <sshguard> to (self) port = https label "GUI Lockout" ridentifier 1000000351
|
|
74
|
block drop in log quick from <virusprot> to any label "virusprot overload table" ridentifier 1000000400
|
|
75
|
pass in quick on ix3 proto udp from any port = bootps to any port = bootpc keep state label "allow dhcp client out WAN" ridentifier 1000000461
|
|
76
|
pass out quick on ix3 proto udp from any port = bootpc to any port = bootps keep state label "allow dhcp client out WAN" ridentifier 1000000462
|
|
77
|
pass in quick on ix3 inet6 proto udp from fe80::/10 port = dhcpv6-client to fe80::/10 port = dhcpv6-client keep state label "allow dhcpv6 client in WAN" ridentifier 1000000463
|
|
78
|
pass in quick on ix3 proto udp from any port = dhcpv6-server to any port = dhcpv6-client keep state label "allow dhcpv6 client in WAN" ridentifier 1000000464
|
|
79
|
pass out quick on ix3 proto udp from any port = dhcpv6-client to any port = dhcpv6-server keep state label "allow dhcpv6 client out WAN" ridentifier 1000000465
|
|
80
|
block drop in log on ! ix3 inet from 172.21.16.0/24 to any ridentifier 1000001470
|
|
81
|
block drop in log inet from 172.21.16.170 to any ridentifier 1000001470
|
|
82
|
block drop in log on ix3 inet6 from fe80::92ec:77ff:fe0f:7443 to any ridentifier 1000001470
|
|
83
|
block drop in log on igc0 inet6 from fe80::92ec:77ff:fe0f:7447 to any ridentifier 1000002520
|
|
84
|
block drop in log on igc0 inet6 from fe80::1:1 to any ridentifier 1000002520
|
|
85
|
pass in quick on igc0 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server" ridentifier 1000002541
|
|
86
|
pass in quick on igc0 inet proto udp from any port = bootpc to 192.168.170.1 port = bootps keep state label "allow access to DHCP server" ridentifier 1000002542
|
|
87
|
pass out quick on igc0 inet proto udp from 192.168.170.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server" ridentifier 1000002543
|
|
88
|
pass quick on igc0 inet6 proto udp from fe80::/10 to fe80::/10 port = dhcpv6-client keep state label "allow access to DHCPv6 server" ridentifier 1000002551
|
|
89
|
pass quick on igc0 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-client keep state label "allow access to DHCPv6 server" ridentifier 1000002552
|
|
90
|
pass quick on igc0 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-server keep state label "allow access to DHCPv6 server" ridentifier 1000002553
|
|
91
|
pass quick on igc0 inet6 proto udp from ff02::/16 to fe80::/10 port = dhcpv6-server keep state label "allow access to DHCPv6 server" ridentifier 1000002554
|
|
92
|
pass in quick on ix2 proto udp from any port = bootps to any port = bootpc keep state label "allow dhcp client out WAN2" ridentifier 1000002561
|
|
93
|
pass out quick on ix2 proto udp from any port = bootpc to any port = bootps keep state label "allow dhcp client out WAN2" ridentifier 1000002562
|
|
94
|
block drop in log on ! ix2 inet from 192.168.241.0/24 to any ridentifier 1000003570
|
|
95
|
block drop in log inet from 192.168.241.10 to any ridentifier 1000003570
|
|
96
|
block drop in log on ix2 inet6 from fe80::92ec:77ff:fe0f:7444 to any ridentifier 1000003570
|
|
97
|
pass in on lo0 inet all flags S/SA keep state label "pass IPv4 loopback" ridentifier 1000009911
|
|
98
|
pass out on lo0 inet all flags S/SA keep state label "pass IPv4 loopback" ridentifier 1000009912
|
|
99
|
pass in on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback" ridentifier 1000009913
|
|
100
|
pass out on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback" ridentifier 1000009914
|
|
101
|
pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself" ridentifier 1000009915
|
|
102
|
pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself" ridentifier 1000009916
|
|
103
|
pass out route-to (ix3 172.21.16.1) inet from 172.21.16.170 to ! 172.21.16.0/24 flags S/SA keep state allow-opts label "let out anything from firewall host itself" ridentifier 1000010011
|
|
104
|
pass out route-to (ix2 192.168.241.1) inet from 192.168.241.10 to ! 192.168.241.0/24 flags S/SA keep state allow-opts label "let out anything from firewall host itself" ridentifier 1000010012
|
|
105
|
pass in quick on igc0 proto tcp from any to (igc0) port = https flags S/SA keep state label "anti-lockout rule" ridentifier 10001
|
|
106
|
pass in quick on igc0 proto tcp from any to (igc0) port = http flags S/SA keep state label "anti-lockout rule" ridentifier 10001
|
|
107
|
pass in quick on igc0 proto tcp from any to (igc0) port = ssh flags S/SA keep state label "anti-lockout rule" ridentifier 10001
|
|
108
|
anchor "userrules/*" all
|
|
109
|
pass in quick on ix3 reply-to (ix3 172.21.16.1) inet all flags S/SA keep state label "USER_RULE: Allow all ipv4+ipv6 via pfSsh.php" label "id:1644416432" ridentifier 1644416432
|
|
110
|
pass in quick on ix3 inet6 all flags S/SA keep state label "USER_RULE: Allow all ipv4+ipv6 via pfSsh.php" label "id:1644416432" ridentifier 1644416432
|
|
111
|
pass in quick on igc0 route-to (ix2 192.168.241.1) inet from 192.168.170.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any via WAN2" label "id:1660690673" label "gw:WAN2_DHCP" ridentifier 1660690673
|
|
112
|
pass in quick on igc0 inet from 192.168.170.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule" label "id:0100000101" ridentifier 100000101
|
|
113
|
anchor "tftp-proxy/*" all
|
|
114
|
|