# pf ruleset. The "USER_RULE:" labels, pfBlocker tables and the
# webConfigurator lockout table suggest this is generator output
# (pfSense-style); if so, change the generator's configuration rather than
# hand-editing this file. Rule order matters: pf uses last-match-wins unless
# a rule carries "quick".
set limit tables 3000
set limit table-entries 1200000
set optimization normal
set timeout { adaptive.start 0, adaptive.end 0 }
# Upper bound on concurrent state entries; every stateful rule below draws
# from this pool. NOTE(review): 4096 is small next to the 1200000
# table-entries limit above — confirm it is intentional, since state
# exhaustion can cause new connections to be dropped.
set limit states 4096
set limit src-nodes 4096

#System aliases

loopback = "{ lo0 }"
WAN = "{ xl0 }"
LAN = "{ xl1 }"
OpenVPN = "{ openvpn }"

#SSH Lockout Table
# Both lockout tables are declared empty; "persist" keeps them across rule
# reloads so entries added at runtime survive. The block rules that use them
# are further down.
table <sshlockout> persist
table <webConfiguratorlockout> persist
#Snort tables
table <snort2c>
table <virusprot>
# NOTE(review): <bogons> and <bogonsv6> are loaded from disk here, but no
# rule in this file references them, so the lists have no effect as shown.
table <bogons> persist file "/etc/bogons"
table <bogonsv6> persist file "/etc/bogonsv6"
table <vpn_networks> { 192.168.2.0/24 }
table <negate_networks> { 192.168.2.0/24 }

# User Aliases
# pfBlocker lists are read from files under /var/db/aliastables at load time;
# what gets blocked depends entirely on the contents of those files.
table <pfBlockerEurope> persist file "/var/db/aliastables/pfBlockerEurope.txt"
pfBlockerEurope = "<pfBlockerEurope>"
table <pfBlockerBluetackLevel1> persist file "/var/db/aliastables/pfBlockerBluetackLevel1.txt"
pfBlockerBluetackLevel1 = "<pfBlockerBluetackLevel1>"
table <pfBlockerBluetackExclusions> persist file "/var/db/aliastables/pfBlockerBluetackExclusions.txt"
pfBlockerBluetackExclusions = "<pfBlockerBluetackExclusions>"
table <pfBlockerBluetackSpiders> persist file "/var/db/aliastables/pfBlockerBluetackSpiders.txt"
pfBlockerBluetackSpiders = "<pfBlockerBluetackSpiders>"
table <pfBlockerBluetackSpyware> persist file "/var/db/aliastables/pfBlockerBluetackSpyware.txt"
pfBlockerBluetackSpyware = "<pfBlockerBluetackSpyware>"
table <pfBlockerBluetackAdPorn> persist file "/var/db/aliastables/pfBlockerBluetackAdPorn.txt"
pfBlockerBluetackAdPorn = "<pfBlockerBluetackAdPorn>"
table <pfBlockerDshieldBlockLists> persist file "/var/db/aliastables/pfBlockerDshieldBlockLists.txt"
pfBlockerDshieldBlockLists = "<pfBlockerDshieldBlockLists>"
table <AllowList> persist
AllowList = "<AllowList>"
table <Belkin_AP> { 192.168.1.3 }
Belkin_AP = "<Belkin_AP>"
table <BitTorrent_Host_IP> { 192.168.1.25 }
BitTorrent_Host_IP = "<BitTorrent_Host_IP>"
BitTorrent_Port = "{ 2020 }"
BitTorrent_WebUI_Port = "{ 8080 }"
Client_Setup_Port = "{ 2023 }"
# Source access lists for the Setup/WSUS redirects. Declared empty with
# "persist": until entries are added at runtime, the rdr/pass rules that
# use them match nothing.
table <Clients_Setup_Access_List> persist
Clients_Setup_Access_List = "<Clients_Setup_Access_List>"
table <Clients_Setup_HTTP_Host_IP> { 192.168.1.27 }
Clients_Setup_HTTP_Host_IP = "<Clients_Setup_HTTP_Host_IP>"
table <Clients_WSUS_Access_List> persist
Clients_WSUS_Access_List = "<Clients_WSUS_Access_List>"
table <Clients_WSUS_HTTP_Host_IP> { 192.168.1.27 }
Clients_WSUS_HTTP_Host_IP = "<Clients_WSUS_HTTP_Host_IP>"
Clients_WSUS_HTTP_Port = "{ 2022 }"
CrashPlan_Port = "{ 4242 }"
DHCP_Ports = "{ 67:68 }"
table <ESXi> { 192.168.1.10 }
ESXi = "<ESXi>"
table <FTP_Host_IP> { 192.168.1.26 }
FTP_Host_IP = "<FTP_Host_IP>"
FTP_Ports = "{ 2121 990 2009:2019 }"
table <GmailSMTP> persist
GmailSMTP = "<GmailSMTP>"
table <GoogleVoice> persist
GoogleVoice = "<GoogleVoice>"
table <MediaCenter> { 192.168.1.51 }
MediaCenter = "<MediaCenter>"
NetBIOS = "{ 135 137:139 445 }"
table <OpenVPN_Subnet> { 192.168.2.0/24 }
OpenVPN_Subnet = "<OpenVPN_Subnet>"
p2p_Generic_Port = "{ 2021 }"
table <pfSense> { 192.168.1.1 }
pfSense = "<pfSense>"
PlexMS_Port = "{ 32400 }"
table <PrivateIPv4> { 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 }
PrivateIPv4 = "<PrivateIPv4>"
table <Server> { 192.168.1.5 }
Server = "<Server>"
table <VoIP> { 192.168.1.4 }
VoIP = "<VoIP>"
table <VonageSubnets> { 64.192.11.0/24 74.116.144.0/21 216.115.16.0/20 69.59.224.0/19 }
VonageSubnets = "<VonageSubnets>"
table <Workstation> { 192.168.1.50 }
Workstation = "<Workstation>"

# Gateways
GWWanStaticGw = " route-to ( xl0 1.2.3.6 ) "


# Interface whose per-interface counters are tracked; not a logging rule.
set loginterface xl1

set skip on pfsync0

# Reassemble fragments and clear the DF bit before rules are evaluated.
scrub on $WAN all no-df fragment reassemble
scrub on $LAN all no-df fragment reassemble

# ALTQ priority queues on the WAN side; the "match ... queue" rules below
# only assign packets to these queues, they never pass or block anything.
altq on xl0 priq bandwidth 1436Kb queue { qCritical, qVoIP, qHigh, qMedium, qMedLow, qLow, qHigh_NoECN, qCritical_NoECN, qLow_NoECN }
queue qCritical on xl0 priority 15 priq ( ecn )
queue qVoIP on xl0 priority 13
queue qHigh on xl0 priority 10 priq ( ecn )
queue qMedium on xl0 priority 7 priq ( ecn )
queue qMedLow on xl0 priority 4 priq ( ecn )
queue qLow on xl0 priority 2 priq ( ecn , default )
queue qHigh_NoECN on xl0 priority 11
queue qCritical_NoECN on xl0 priority 14
queue qLow_NoECN on xl0 priority 1

altq on xl1 priq bandwidth 100Mb queue { qDefaultDown }
queue qDefaultDown on xl1 priority 15 priq ( default )


no nat proto carp
no rdr proto carp
nat-anchor "natearly/*"
nat-anchor "natrules/*"


# Outbound NAT rules

# Subnets to NAT
tonatsubnets = "{ 192.168.1.0/24 192.168.2.0/24 127.0.0.0/8 0.0.0.0 }"
# Static port 500 mapping keeps IKE source ports unchanged; everything else
# is translated to the WAN address with a source port from 1024:65535.
nat on $WAN from $tonatsubnets port 500 to any port 500 -> 1.2.3.4/32 port 500
nat on $WAN from $tonatsubnets to any -> 1.2.3.4/32 port 1024:65535


# Load balancing anchor
rdr-anchor "relayd/*"
# TFTP proxy
rdr-anchor "tftp-proxy/*"
# NAT Inbound Redirects
# A redirect alone does not admit traffic; the matching "pass in quick on
# $WAN" rules under "User-defined rules follow" do. The FTP, BitTorrent, P2P
# and Plex redirects accept from any source, so those hosts are
# internet-exposed; the WSUS and Setup redirects are gated by the
# access-list tables declared above.
rdr on xl0 proto tcp from any to 1.2.3.4 port $FTP_Ports -> $FTP_Host_IP
rdr on xl0 proto tcp from $Clients_WSUS_Access_List to 1.2.3.4 port $Clients_WSUS_HTTP_Port -> $Clients_WSUS_HTTP_Host_IP
rdr on xl0 proto tcp from $Clients_Setup_Access_List to 1.2.3.4 port $Client_Setup_Port -> $Clients_Setup_HTTP_Host_IP
# Intercepts the AP's NTP requests to that one external server and answers
# them from the firewall host instead.
rdr on xl1 proto { tcp udp } from $Belkin_AP to 208.184.49.9 port 123 -> $pfSense
rdr on xl0 proto tcp from any to 1.2.3.4 port $BitTorrent_WebUI_Port -> $BitTorrent_Host_IP
rdr on xl0 proto { tcp udp } from any to 1.2.3.4 port $BitTorrent_Port -> $BitTorrent_Host_IP
rdr on xl0 proto { tcp udp } from any to 1.2.3.4 port $p2p_Generic_Port -> $Server
rdr on xl0 proto { tcp udp } from any to 1.2.3.4 port $PlexMS_Port -> $MediaCenter
# UPnPd rdr anchor
# Rules in this anchor are added dynamically by the UPnP daemon; they can
# open inbound redirects that are not visible in this file.
rdr-anchor "miniupnpd"

anchor "relayd/*"
anchor "openvpn/*"
anchor "ipsec/*"
#---------------------------------------------------------------------------
# default deny rules
#---------------------------------------------------------------------------
# No "quick" here, so any later matching pass rule overrides these.
block in inet all label "Default deny rule IPv4"
block out inet all label "Default deny rule IPv4"
block in inet6 all label "Default deny rule IPv6"
block out inet6 all label "Default deny rule IPv6"

# IPv6 ICMP is not auxiliary, it is required for operation
# See man icmp6(4)
# 1 unreach Destination unreachable
# 2 toobig Packet too big
# 128 echoreq Echo service request
# 129 echorep Echo service reply
# 133 routersol Router solicitation
# 134 routeradv Router advertisement
# 135 neighbrsol Neighbor solicitation
# 136 neighbradv Neighbor advertisement
pass quick inet6 proto ipv6-icmp from any to any icmp6-type {1,2,135,136} keep state

# Allow only bare essential icmpv6 packets (NS, NA, and RA, echoreq, echorep)
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {129,133,134,135,136} keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {129,133,134,135,136} keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {128,133,134,135,136} keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type {128,133,134,135,136} keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {128,133,134,135,136} keep state

# We use the mighty pf, we cannot be fooled.
# Port 0 is never a valid TCP/UDP endpoint; drop it in either direction.
block quick inet proto { tcp, udp } from any port = 0 to any
block quick inet proto { tcp, udp } from any to any port = 0
block quick inet6 proto { tcp, udp } from any port = 0 to any
block quick inet6 proto { tcp, udp } from any to any port = 0


# Snort package
# <snort2c> is filled by the IDS at runtime; traffic to or from listed hosts
# is dropped before any pass rule is reached.
block quick from <snort2c> to any label "Block snort2c hosts"
block quick from any to <snort2c> label "Block snort2c hosts"


# SSH lockout
# Logged, so lockout hits show up in the pf log.
block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"

# webConfigurator lockout
# NOTE(review): the lockout only covers port 80, which suggests the admin
# web interface is served over plain HTTP — confirm, and prefer HTTPS for
# the management interface so credentials are not sent in the clear.
block in log quick proto tcp from <webConfiguratorlockout> to any port 80 label "webConfiguratorlockout"
block in quick from <virusprot> to any label "virusprot overload table"
# Drop packets arriving on an interface whose source address belongs to a
# different interface's network.
antispoof for xl0
antispoof for xl1
# allow access to DHCP server on LAN
pass in quick on $LAN proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
pass in quick on $LAN proto udp from any port = 68 to 192.168.1.1 port = 67 label "allow access to DHCP server"
pass out quick on $LAN proto udp from 192.168.1.1 port = 67 to any port = 68 label "allow access to DHCP server"

# loopback
pass in on $loopback inet all label "pass IPv4 loopback"
pass out on $loopback inet all label "pass IPv4 loopback"
pass in on $loopback inet6 all label "pass IPv6 loopback"
pass out on $loopback inet6 all label "pass IPv6 loopback"
# let out anything from the firewall host itself and decrypted IPsec traffic
# allow-opts lets packets carrying IP options through; pf drops them by
# default.
pass out inet all keep state allow-opts label "let out anything IPv4 from firewall host itself"
pass out inet6 all keep state allow-opts label "let out anything IPv6 from firewall host itself"
# Traffic from the WAN address to anything outside its own /23 is forced
# out via the WAN gateway.
pass out route-to ( xl0 1.2.3.6 ) from 1.2.3.4 to !1.2.3.0/23 keep state allow-opts label "let out anything from firewall host itself"

# User-defined rules follow

anchor "userrules/*"
# Traffic-shaping classification. These "match" rules only tag packets for
# an ALTQ queue; pass/block decisions are made by the rules further down.
match inet proto udp from any to any queue (qLow_NoECN) label "USER_RULE: Any UDP Traffic -> Low No ECN Default"
match proto udp from $GoogleVoice to any queue (qVoIP) label "USER_RULE: Google Voice -> VoIP"
match proto udp from any to $GoogleVoice queue (qVoIP) label "USER_RULE: Google Voice -> VoIP"
match proto udp from $VonageSubnets to any queue (qVoIP) label "USER_RULE: Vonage ARIN Registered Subnets -> VoIP"
match proto udp from any to $VonageSubnets queue (qVoIP) label "USER_RULE: Vonage ARIN Registered Subnets -> VoIP"
match proto { tcp udp } from $VoIP to any queue (qVoIP) label "USER_RULE: VoIP Adapter -> VoIP"
match proto { tcp udp } from any to $VoIP queue (qVoIP) label "USER_RULE: VoIP Adapter -> VoIP"
match on { xl0 } inet proto udp from any to any port 1194 queue (qHigh_NoECN) label "USER_RULE: OpenVPN -> High"
match on { xl0 } proto tcp from any to any port 993 flags S/SA queue (qHigh,qCritical) label "USER_RULE: IMAP SSL -> High"
match on { xl0 } proto tcp from any to any port 587 flags S/SA queue (qHigh,qCritical) label "USER_RULE: SMTP TLS -> High"
match on { xl0 } inet proto udp from any to any port 500 queue (qHigh_NoECN) label "USER_RULE: ISAKMP (IPsec SA) -> High"
match on { xl0 } proto tcp from any to any port 465 flags S/SA queue (qHigh,qCritical) label "USER_RULE: SMTP SSL -> High"
match on { xl0 } proto tcp from any to any port 443 flags S/SA queue (qHigh,qCritical) label "USER_RULE: HTTPS -> High"
match on { xl0 } proto tcp from any to any port 143 flags S/SA queue (qHigh,qCritical) label "USER_RULE: IMAP -> High"
match on { xl0 } inet proto udp from any to any port 123 queue (qHigh_NoECN,qCritical_NoECN) label "USER_RULE: NTP -> High"
match on { xl0 } proto tcp from any to any port 80 flags S/SA queue (qHigh,qCritical) label "USER_RULE: HTTP -> High"
match on { xl0 } inet proto tcp from any to any port 53 flags S/SA queue (qHigh,qCritical) label "USER_RULE: DNS TCP -> High"
match on { xl0 } inet proto udp from any to any port 53 queue (qHigh_NoECN,qCritical_NoECN) label "USER_RULE: DNS UDP -> High"
match on { xl0 } proto tcp from any to any port 25 flags S/SA queue (qHigh,qCritical) label "USER_RULE: SMTP -> High"
match on { xl0 } proto tcp from any to any port 23 flags S/SA queue (qHigh,qCritical) label "USER_RULE: Telnet -> High"
match on { xl0 } proto tcp from any to any port 22 flags S/SA queue (qHigh,qCritical) label "USER_RULE: SSH -> High"
match on { xl0 } proto tcp from any to any port 21 flags S/SA queue (qHigh,qCritical) label "USER_RULE: FTP -> High"
match inet proto tcp from any to any port $CrashPlan_Port dscp af11 flags S/SA queue (qMedLow) label "USER_RULE: CrashPlan to Friends - AF11 (DSCP 10) -> Medium Low"
match inet proto tcp from any to any port 443 dscp af11 flags S/SA queue (qMedLow) label "USER_RULE: CrashPlan - AF11 (DSCP 10) -> Medium Low"
match on { xl0 } proto gre from any to any queue (qHigh) label "USER_RULE: Generic Route Encapsulation -> High"
match on { xl0 } proto ah from any to any queue (qHigh) label "USER_RULE: Authentication Header -> High"
match on { xl0 } proto esp from any to any queue (qHigh) label "USER_RULE: Encapsulating Security Payload -> High"
match inet proto tcp from $BitTorrent_Host_IP to any flags S/SA queue (qLow) label "USER_RULE: BitTorrent Server -> Low"
match inet proto udp from $BitTorrent_Host_IP to any queue (qLow_NoECN) label "USER_RULE: BitTorrent Server -> Low"
match inet proto tcp from any to $BitTorrent_Host_IP flags S/SA queue (qLow) label "USER_RULE: BitTorrent Server -> Low"
match inet proto udp from any to $BitTorrent_Host_IP queue (qLow_NoECN) label "USER_RULE: BitTorrent Server -> Low"
match proto tcp from $BitTorrent_Host_IP port $BitTorrent_WebUI_Port to any flags S/SA queue (qHigh) label "USER_RULE: BitTorrent Client WebUI -> High"
match proto tcp from any to $BitTorrent_Host_IP port $BitTorrent_WebUI_Port flags S/SA queue (qHigh) label "USER_RULE: BitTorrent Client WebUI -> High"
match inet proto { tcp udp } from $MediaCenter port $PlexMS_Port to any queue (qHigh) label "USER_RULE: Plex Media Server -> High"
match inet proto { tcp udp } from any to $MediaCenter port $PlexMS_Port queue (qHigh) label "USER_RULE: Plex Media Server -> High"
match proto { tcp udp } from $FTP_Host_IP to any queue (qMedium) label "USER_RULE: FTP Server -> Medium"
match proto { tcp udp } from any to $FTP_Host_IP queue (qMedium) label "USER_RULE: FTP Server -> Medium"
match inet proto tcp from $Clients_Setup_HTTP_Host_IP port $Client_Setup_Port to any flags S/SA queue (qMedium) label "USER_RULE: Clients Setup HTTP Server -> Medium"
match inet proto tcp from any to $Clients_Setup_HTTP_Host_IP port $Client_Setup_Port flags S/SA queue (qMedium) label "USER_RULE: Clients Setup HTTP Server -> Medium"
match inet proto tcp from $Clients_WSUS_HTTP_Host_IP port $Clients_WSUS_HTTP_Port to any flags S/SA queue (qHigh) label "USER_RULE: Client WSUS HTTP Server -> High"
match inet proto tcp from any to $Clients_WSUS_HTTP_Host_IP port $Clients_WSUS_HTTP_Port flags S/SA queue (qHigh) label "USER_RULE: Client WSUS HTTP Server -> High"
match on { xl0 } inet proto icmp from any to any queue (qCritical_NoECN) label "USER_RULE: ICMP Packets -> Critical"
# Every VPN client gets unrestricted access to every LAN host and port;
# narrow the destination if clients only need specific services.
pass in quick on $OpenVPN from $OpenVPN_Subnet to 192.168.1.0/24 label "USER_RULE: Allow OpenVPN Clients to LAN"
# Inbound blocklists are evaluated before the WAN pass rules because of
# "quick"; the BitTorrent ones only protect the BitTorrent host.
block in quick on $WAN reply-to ( xl0 1.2.3.6 ) inet from $pfBlockerDshieldBlockLists to any label "USER_RULE: Apply Dshield Blocklist to All Traffic"
block in quick on $WAN reply-to ( xl0 1.2.3.6 ) inet from $pfBlockerBluetackLevel1 to $BitTorrent_Host_IP label "USER_RULE: Apply Blocklist to BitTorrent Traffic"
block in quick on $WAN reply-to ( xl0 1.2.3.6 ) inet from $pfBlockerBluetackSpiders to $BitTorrent_Host_IP label "USER_RULE: Apply Blocklist to BitTorrent Traffic"
block in quick on $WAN reply-to ( xl0 1.2.3.6 ) inet from $pfBlockerBluetackSpyware to $BitTorrent_Host_IP label "USER_RULE: Apply Blocklist to BitTorrent Traffic"
block in quick on $WAN reply-to ( xl0 1.2.3.6 ) inet from $pfBlockerBluetackAdPorn to $BitTorrent_Host_IP label "USER_RULE: Apply Blocklist to BitTorrent Traffic"
# NOTE(review): admits every ICMPv4 type from the internet. If only
# reachability testing is wanted, an icmp-type restriction (as the ICMPv6
# rules above do with icmp6-type) narrows the exposure.
pass in quick on $WAN reply-to ( xl0 1.2.3.6 ) proto icmp from any to any label "USER_RULE: Allow ICMP"
pass in quick on $WAN reply-to ( xl0 1.2.3.6 ) inet proto udp from any to any port 1194 label "USER_RULE: Allow OpenVPN"
# These are the rules that actually admit the redirected inbound services
# declared in the rdr section; the WSUS and Setup ones are gated by their
# access-list tables.
pass in quick on $WAN reply-to ( xl0 1.2.3.6 ) proto tcp from any to $FTP_Host_IP port $FTP_Ports flags S/SA keep state label "USER_RULE: NAT FTP Server"
pass in quick on $WAN reply-to ( xl0 1.2.3.6 ) proto tcp from $Clients_WSUS_Access_List to $Clients_WSUS_HTTP_Host_IP port $Clients_WSUS_HTTP_Port flags S/SA keep state label "USER_RULE: NAT Client WSUS HTTP Server"
pass in quick on $WAN reply-to ( xl0 1.2.3.6 ) proto tcp from $Clients_Setup_Access_List to $Clients_Setup_HTTP_Host_IP port $Client_Setup_Port flags S/SA keep state label "USER_RULE: NAT Client Setup HTTP Server"
pass in quick on $WAN reply-to ( xl0 1.2.3.6 ) proto tcp from any to $BitTorrent_Host_IP port $BitTorrent_WebUI_Port flags S/SA keep state label "USER_RULE: NAT BitTorrent Client WebUI"
pass in quick on $WAN reply-to ( xl0 1.2.3.6 ) inet proto { tcp udp } from any to $BitTorrent_Host_IP port $BitTorrent_Port label "USER_RULE: NAT BitTorrent Client"
pass in quick on $WAN reply-to ( xl0 1.2.3.6 ) proto { tcp udp } from any to $Server port $p2p_Generic_Port label "USER_RULE: NAT Limewire / eMule / old school P2P Clients"
pass in quick on $WAN reply-to ( xl0 1.2.3.6 ) proto { tcp udp } from any to $MediaCenter port $PlexMS_Port label "USER_RULE: NAT Plex Media Server"
# Keeps SMB/NetBIOS from leaving the LAN for non-private destinations;
# "return" answers with a reset/unreachable instead of silently dropping.
block return in quick on $LAN proto { tcp udp } from any to ! $PrivateIPv4 port $NetBIOS label "USER_RULE: Reject Internet Bound NetBIOS"
block return in quick on $LAN inet from $pfBlockerDshieldBlockLists to any label "USER_RULE: Apply Dshield Blocklist to All Traffic"
block return in quick on $LAN inet from $BitTorrent_Host_IP to $pfBlockerBluetackLevel1 label "USER_RULE: Apply Blocklist to BitTorrent Traffic"
block return in quick on $LAN inet from $BitTorrent_Host_IP to $pfBlockerBluetackSpiders label "USER_RULE: Apply Blocklist to BitTorrent Traffic"
block return in quick on $LAN inet from $BitTorrent_Host_IP to $pfBlockerBluetackSpyware label "USER_RULE: Apply Blocklist to BitTorrent Traffic"
block return in quick on $LAN inet from $BitTorrent_Host_IP to $pfBlockerBluetackAdPorn label "USER_RULE: Apply Blocklist to BitTorrent Traffic"
# NOTE(review): the labels below say "Session Limit", but no
# max-src-states / max-src-conn options appear on these rules as shown —
# confirm the limits are actually applied.
pass in quick on $LAN inet from $BitTorrent_Host_IP to ! $PrivateIPv4 label "USER_RULE: Session Limit BitTorrent Internet Traffic"
pass in quick on $LAN inet from 192.168.1.0/24 to $PrivateIPv4 label "USER_RULE: LAN to any Private IPv4 - No Session Limit"
pass in quick on $LAN inet from 192.168.1.0/24 to ! $PrivateIPv4 label "USER_RULE: Session Limit Internet Traffic"

# VPN Rules
anchor "tftp-proxy/*"
