|
1
|
set hostid 0x6d1e6c6f
|
|
2
|
set limit table-entries 400000
|
|
3
|
set optimization normal
|
|
4
|
set limit states 805000
|
|
5
|
set limit src-nodes 805000
|
|
6
|
|
|
7
|
#System aliases
|
|
8
|
|
|
9
|
loopback = "{ lo0 }"
|
|
10
|
WAN = "{ ix3 }"
|
|
11
|
LAN = "{ igc0 }"
|
|
12
|
WAN2 = "{ ix2 }"
|
|
13
|
WAN3 = "{ ix0 }"
|
|
14
|
WAN4 = "{ ix1 }"
|
|
15
|
LAN2 = "{ igc1 }"
|
|
16
|
LAN3 = "{ igc2 }"
|
|
17
|
LAN4 = "{ igc3 }"
|
|
18
|
WIFI0 = "{ ath0_wlan0 }"
|
|
19
|
|
|
20
|
#SSH Lockout Table
|
|
21
|
table <sshguard> persist
|
|
22
|
#Snort tables
|
|
23
|
table <snort2c>
|
|
24
|
table <virusprot>
|
|
25
|
table <bogons> persist file "/etc/bogons"
|
|
26
|
table <negate_networks>
|
|
27
|
|
|
28
|
# User Aliases
|
|
29
|
|
|
30
|
# Gateways
|
|
31
|
GWWAN_DHCP = " route-to ( ix3 172.21.16.1 ) "
|
|
32
|
GWWAN2_DHCP = " route-to ( ix2 192.168.241.1 ) "
|
|
33
|
GWFailover = " route-to { ( ix3 172.21.16.1 ) } "
|
|
34
|
|
|
35
|
|
|
36
|
set loginterface igc0
|
|
37
|
|
|
38
|
set skip on pfsync0
|
|
39
|
set keepcounters
|
|
40
|
|
|
41
|
scrub on $WAN inet all fragment reassemble
|
|
42
|
scrub on $WAN inet6 all fragment reassemble
|
|
43
|
scrub on $LAN inet all fragment reassemble
|
|
44
|
scrub on $LAN inet6 all fragment reassemble
|
|
45
|
scrub on $WAN2 inet all fragment reassemble
|
|
46
|
scrub on $WAN2 inet6 all fragment reassemble
|
|
47
|
scrub on $WAN3 inet all fragment reassemble
|
|
48
|
scrub on $WAN3 inet6 all fragment reassemble
|
|
49
|
scrub on $WAN4 inet all fragment reassemble
|
|
50
|
scrub on $WAN4 inet6 all fragment reassemble
|
|
51
|
scrub on $LAN2 inet all fragment reassemble
|
|
52
|
scrub on $LAN2 inet6 all fragment reassemble
|
|
53
|
scrub on $LAN3 inet all fragment reassemble
|
|
54
|
scrub on $LAN3 inet6 all fragment reassemble
|
|
55
|
scrub on $LAN4 inet all fragment reassemble
|
|
56
|
scrub on $LAN4 inet6 all fragment reassemble
|
|
57
|
scrub on $WIFI0 inet all fragment reassemble
|
|
58
|
scrub on $WIFI0 inet6 all fragment reassemble
|
|
59
|
|
|
60
|
|
|
61
|
no nat proto carp
|
|
62
|
no rdr proto carp
|
|
63
|
binat-anchor "miniupnpd"
|
|
64
|
nat-anchor "miniupnpd"
|
|
65
|
nat-anchor "natearly/*"
|
|
66
|
nat-anchor "natrules/*"
|
|
67
|
|
|
68
|
|
|
69
|
# Outbound NAT rules (automatic)
|
|
70
|
|
|
71
|
# Subnets to NAT
|
|
72
|
tonatsubnets = "{ 127.0.0.0/8 ::1/128 192.168.170.0/24 }"
|
|
73
|
nat on $WAN inet from $tonatsubnets to any port 500 -> 172.21.16.170/32 static-port
|
|
74
|
nat on $WAN inet6 from $tonatsubnets to any port 500 -> (ix3) static-port
|
|
75
|
nat on $WAN inet from $tonatsubnets to any -> 172.21.16.170/32 port 1024:65535
|
|
76
|
nat on $WAN inet6 from $tonatsubnets to any -> (ix3) port 1024:65535
|
|
77
|
nat on $WAN2 inet from $tonatsubnets to any port 500 -> 192.168.241.10/32 static-port
|
|
78
|
nat on $WAN2 inet6 from $tonatsubnets to any port 500 -> (ix2) static-port
|
|
79
|
nat on $WAN2 inet from $tonatsubnets to any -> 192.168.241.10/32 port 1024:65535
|
|
80
|
nat on $WAN2 inet6 from $tonatsubnets to any -> (ix2) port 1024:65535
|
|
81
|
# TFTP proxy
|
|
82
|
rdr-anchor "tftp-proxy/*"
|
|
83
|
# UPnPd rdr anchor
|
|
84
|
rdr-anchor "miniupnpd"
|
|
85
|
|
|
86
|
anchor "openvpn/*"
|
|
87
|
anchor "ipsec/*"
|
|
88
|
# block IPv4 link-local. Per RFC 3927, link local "MUST NOT" be forwarded by a routing device,
|
|
89
|
# and clients "MUST NOT" send such packets to a router. FreeBSD won't route 169.254./16, but
|
|
90
|
# route-to can override that, causing problems such as in redmine #2073
|
|
91
|
block in log quick from 169.254.0.0/16 to any ridentifier 1000000101 label "Block IPv4 link-local"
|
|
92
|
block in log quick from any to 169.254.0.0/16 ridentifier 1000000102 label "Block IPv4 link-local"
|
|
93
|
#---------------------------------------------------------------------------
|
|
94
|
# default deny rules
|
|
95
|
#---------------------------------------------------------------------------
|
|
96
|
block in log inet all ridentifier 1000000103 label "Default deny rule IPv4"
|
|
97
|
block out log inet all ridentifier 1000000104 label "Default deny rule IPv4"
|
|
98
|
block in log inet6 all ridentifier 1000000105 label "Default deny rule IPv6"
|
|
99
|
block out log inet6 all ridentifier 1000000106 label "Default deny rule IPv6"
|
|
100
|
|
|
101
|
# IPv6 ICMP is not auxiliary, it is required for operation
|
|
102
|
# See man icmp6(4)
|
|
103
|
# 1 unreach Destination unreachable
|
|
104
|
# 2 toobig Packet too big
|
|
105
|
# 128 echoreq Echo service request
|
|
106
|
# 129 echorep Echo service reply
|
|
107
|
# 133 routersol Router solicitation
|
|
108
|
# 134 routeradv Router advertisement
|
|
109
|
# 135 neighbrsol Neighbor solicitation
|
|
110
|
# 136 neighbradv Neighbor advertisement
|
|
111
|
pass quick inet6 proto ipv6-icmp from any to any icmp6-type {1,2,135,136} ridentifier 1000000107 keep state
|
|
112
|
|
|
113
|
# Allow only bare essential icmpv6 packets (NS, NA, and RA, echoreq, echorep)
|
|
114
|
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {129,133,134,135,136} ridentifier 1000000108 keep state
|
|
115
|
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {129,133,134,135,136} ridentifier 1000000109 keep state
|
|
116
|
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {128,133,134,135,136} ridentifier 1000000110 keep state
|
|
117
|
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type {128,133,134,135,136} ridentifier 1000000111 keep state
|
|
118
|
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {128,133,134,135,136} ridentifier 1000000112 keep state
|
|
119
|
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type {128,133,134,135,136} ridentifier 1000000113 keep state
|
|
120
|
# We use the mighty pf, we cannot be fooled.
|
|
121
|
block log quick inet proto { tcp, udp } from any port = 0 to any ridentifier 1000000114 label "Block traffic from port 0"
|
|
122
|
block log quick inet proto { tcp, udp } from any to any port = 0 ridentifier 1000000115 label "Block traffic to port 0"
|
|
123
|
block log quick inet6 proto { tcp, udp } from any port = 0 to any ridentifier 1000000116 label "Block traffic from port 0"
|
|
124
|
block log quick inet6 proto { tcp, udp } from any to any port = 0 ridentifier 1000000117 label "Block traffic to port 0"
|
|
125
|
|
|
126
|
# Snort package
|
|
127
|
block log quick from <snort2c> to any ridentifier 1000000118 label "Block snort2c hosts"
|
|
128
|
block log quick from any to <snort2c> ridentifier 1000000119 label "Block snort2c hosts"
|
|
129
|
|
|
130
|
# SSH lockout
|
|
131
|
block in log quick proto tcp from <sshguard> to (self) port 22 ridentifier 1000000301 label "sshguard"
|
|
132
|
|
|
133
|
# webConfigurator lockout
|
|
134
|
block in log quick proto tcp from <sshguard> to (self) port 443 ridentifier 1000000351 label "GUI Lockout"
|
|
135
|
block in log quick from <virusprot> to any ridentifier 1000000400 label "virusprot overload table"
|
|
136
|
# allow our DHCP client out to the WAN
|
|
137
|
pass in quick on $WAN proto udp from any port = 67 to any port = 68 ridentifier 1000000461 label "allow dhcp client out WAN"
|
|
138
|
pass out quick on $WAN proto udp from any port = 68 to any port = 67 ridentifier 1000000462 label "allow dhcp client out WAN"
|
|
139
|
# Not installing DHCP server firewall rules for WAN which is configured for DHCP.
|
|
140
|
# allow our DHCPv6 client out to the WAN
|
|
141
|
pass in quick on $WAN proto udp from fe80::/10 port = 546 to fe80::/10 port = 546 ridentifier 1000000463 label "allow dhcpv6 client in WAN"
|
|
142
|
pass in quick on $WAN proto udp from any port = 547 to any port = 546 ridentifier 1000000464 label "allow dhcpv6 client in WAN"
|
|
143
|
# Add Priority to dhcp6c packets if enabled
|
|
144
|
pass out quick on $WAN proto udp from any port = 546 to any port = 547 ridentifier 1000000465 label "allow dhcpv6 client out WAN"
|
|
145
|
antispoof log for $WAN ridentifier 1000001470
|
|
146
|
antispoof log for $LAN ridentifier 1000002520
|
|
147
|
# allow access to DHCP server on LAN
|
|
148
|
pass in quick on $LAN proto udp from any port = 68 to 255.255.255.255 port = 67 ridentifier 1000002541 label "allow access to DHCP server"
|
|
149
|
pass in quick on $LAN proto udp from any port = 68 to 192.168.170.1 port = 67 ridentifier 1000002542 label "allow access to DHCP server"
|
|
150
|
pass out quick on $LAN proto udp from 192.168.170.1 port = 67 to any port = 68 ridentifier 1000002543 label "allow access to DHCP server"
|
|
151
|
# allow access to DHCPv6 server on LAN
|
|
152
|
# We need inet6 icmp for stateless autoconfig and dhcpv6
|
|
153
|
pass quick on $LAN inet6 proto udp from fe80::/10 to fe80::/10 port = 546 ridentifier 1000002551 label "allow access to DHCPv6 server"
|
|
154
|
pass quick on $LAN inet6 proto udp from fe80::/10 to ff02::/16 port = 546 ridentifier 1000002552 label "allow access to DHCPv6 server"
|
|
155
|
pass quick on $LAN inet6 proto udp from fe80::/10 to ff02::/16 port = 547 ridentifier 1000002553 label "allow access to DHCPv6 server"
|
|
156
|
pass quick on $LAN inet6 proto udp from ff02::/16 to fe80::/10 port = 547 ridentifier 1000002554 label "allow access to DHCPv6 server"
|
|
157
|
# allow our DHCP client out to the WAN2
|
|
158
|
pass in quick on $WAN2 proto udp from any port = 67 to any port = 68 ridentifier 1000002561 label "allow dhcp client out WAN2"
|
|
159
|
pass out quick on $WAN2 proto udp from any port = 68 to any port = 67 ridentifier 1000002562 label "allow dhcp client out WAN2"
|
|
160
|
# Not installing DHCP server firewall rules for WAN2 which is configured for DHCP.
|
|
161
|
antispoof log for $WAN2 ridentifier 1000003570
|
|
162
|
|
|
163
|
# loopback
|
|
164
|
pass in on $loopback inet all ridentifier 1000009911 label "pass IPv4 loopback"
|
|
165
|
pass out on $loopback inet all ridentifier 1000009912 label "pass IPv4 loopback"
|
|
166
|
pass in on $loopback inet6 all ridentifier 1000009913 label "pass IPv6 loopback"
|
|
167
|
pass out on $loopback inet6 all ridentifier 1000009914 label "pass IPv6 loopback"
|
|
168
|
# let out anything from the firewall host itself and decrypted IPsec traffic
|
|
169
|
pass out inet all keep state allow-opts ridentifier 1000009915 label "let out anything IPv4 from firewall host itself"
|
|
170
|
pass out inet6 all keep state allow-opts ridentifier 1000009916 label "let out anything IPv6 from firewall host itself"
|
|
171
|
|
|
172
|
pass out route-to ( ix3 172.21.16.1 ) from 172.21.16.170 to !172.21.16.0/24 ridentifier 1000010011 keep state allow-opts label "let out anything from firewall host itself"
|
|
173
|
pass out route-to ( ix2 192.168.241.1 ) from 192.168.241.10 to !192.168.241.0/24 ridentifier 1000010012 keep state allow-opts label "let out anything from firewall host itself"
|
|
174
|
# make sure the user cannot lock himself out of the webConfigurator or SSH
|
|
175
|
pass in quick on igc0 proto tcp from any to (igc0) port { 443 80 22 } ridentifier 10001 keep state label "anti-lockout rule"
|
|
176
|
|
|
177
|
# User-defined rules follow
|
|
178
|
|
|
179
|
anchor "userrules/*"
|
|
180
|
pass in quick on $WAN reply-to ( ix3 172.21.16.1 ) inet from any to any ridentifier 1644416432 keep state label "USER_RULE: Allow all ipv4+ipv6 via pfSsh.php" label "id:1644416432"
|
|
181
|
pass in quick on $WAN inet6 from any to any ridentifier 1644416432 keep state label "USER_RULE: Allow all ipv4+ipv6 via pfSsh.php" label "id:1644416432"
|
|
182
|
pass in quick on $LAN $GWWAN2_DHCP inet from 192.168.170.0/24 to any ridentifier 1660690673 keep state label "USER_RULE: Default allow LAN to any via WAN2" label "id:1660690673" label "gw:WAN2_DHCP"
|
|
183
|
pass in quick on $LAN inet from 192.168.170.0/24 to any ridentifier 0100000101 keep state label "USER_RULE: Default allow LAN to any rule" label "id:0100000101"
|
|
184
|
# source address is empty. label "USER_RULE: Default allow LAN IPv6 to any rule"
|
|
185
|
|
|
186
|
# VPN Rules
|
|
187
|
|
|
188
|
anchor "tftp-proxy/*"
|
|
189
|
|
|
190
|
|