#System aliases
loopback = "{ lo0 }"
WAN = "{ re1 }"
LAN = "{ re0 }"
OPT1 = "{ re2 }"

#SSH Lockout Table
table persist

#Snort2C table
table
table
table

# User Aliases

# Gateways
GWMgmtNetworkGateway = " route-to ( re0 10.110.0.4 ) "
GWwan = " "

set loginterface re1
set loginterface re0
set loginterface re2
set optimization normal
set limit states 198000
set skip on pfsync0

scrub in on $WAN all max-mss -39 fragment reassemble
scrub in on $LAN all fragment reassemble
scrub in on $OPT1 all fragment reassemble

nat-anchor "natearly/*"
nat-anchor "natrules/*"

# Outbound NAT rules
# Subnets to NAT
tonatsubnets = "{ 10.110.0.0/24 10.110.19.0/24 }"
nat on $WAN from $tonatsubnets port 500 to any port 500 -> 10.110.119.7/32 port 500
nat on $WAN from $tonatsubnets port 5060 to any port 5060 -> 10.110.119.7/32 port 5060
nat on $WAN from $tonatsubnets to any -> 10.110.119.7/32 port 1024:65535

# Load balancing anchor
rdr-anchor "relayd/*"
# TFTP proxy
rdr-anchor "tftp-proxy/*"
table { 10.110.119.0/24 10.110.0.0/24 10.110.19.0/24 }

# UPnPd rdr anchor
rdr-anchor "miniupnpd"

anchor "relayd/*"
anchor "firewallrules"

#---------------------------------------------------------------------------
# default deny rules
#---------------------------------------------------------------------------
block in log all label "Default deny rule"
block out log all label "Default deny rule"

# We use the mighty pf, we cannot be fooled.
block quick proto { tcp, udp } from any port = 0 to any
block quick proto { tcp, udp } from any to any port = 0

# Block all IPv6
block in quick inet6 all
block out quick inet6 all

# snort2c
block quick from to any label "Block snort2c hosts"
block quick from any to label "Block snort2c hosts"

# package manager early specific hook
anchor "packageearly"

# carp
anchor "carp"

# SSH lockout
block in log quick proto tcp from to any port 22 label "sshlockout"

block in quick from to any label "virusprot overload table"

table persist file "/etc/bogons"

# block bogon networks
# http://www.cymru.com/Documents/bogon-bn-nonagg.txt
anchor "wanbogons"
block in log quick on $WAN from to any label "block bogon networks from WAN"

antispoof for re1
antispoof for re0
antispoof for re2

anchor "spoofing"

# loopback
anchor "loopback"
pass in on $loopback all label "pass loopback"
pass out on $loopback all label "pass loopback"

anchor "firewallout"
# let out anything from the firewall host itself and decrypted IPsec traffic
pass out all keep state allow-opts label "let out anything from firewall host itself"

# make sure the user cannot lock himself out of the webConfigurator or SSH
anchor "anti-lockout"
pass in quick on re0 from any to (re0) keep state label "anti-lockout rule"

# NAT Reflection rules

# User-defined rules follow
pass in quick on $LAN from 10.110.0.0/24 to any keep state label "USER_RULE: Default allow LAN to any rule"

# VPN Rules

# package manager late specific hook
anchor "packagelate"

anchor "tftp-proxy/*"

anchor "limitingesr"

# uPnPd
anchor "miniupnpd"
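The points a reviewer checks first in a ruleset laid out like the one above are the ones pf's last-match semantics make easy to get wrong: that a non-quick catch-all block in/out pair exists so later pass rules can override it, that no catch-all block carries quick (which would shadow everything below it), that the anti-lockout pass to the interface address is limited to the management ports rather than every service on the firewall, whether allow-opts is present on a pass rule, whether a "LAN to any" rule leaves egress unfiltered, and that scrub's max-mss value is sane. The following lint pass is an added example written for this page, not pfSense code and not the page's own file; the ruleset it scans is constructed here to mirror the structure above (table directives are omitted from the sample, and macro expansion is simplified to single-value macros).

```python
"""Added example: a small lint pass over a pf ruleset in the pfSense
rules.debug layout. SAMPLE_RULES and HARDENED_RULES are constructed for
this example; they are not the page's file and not pfSense code."""
import re

# Constructed sample mirroring the page's layout (not the page's own file).
SAMPLE_RULES = """\
WAN = "{ re1 }"
LAN = "{ re0 }"
set skip on pfsync0
scrub in on $WAN all max-mss -39 fragment reassemble
block in log all label "Default deny rule"
block out log all label "Default deny rule"
block in quick inet6 all
block out quick inet6 all
pass out all keep state allow-opts label "let out anything from firewall host itself"
pass in quick on re0 from any to (re0) keep state label "anti-lockout rule"
pass in quick on $LAN from 10.110.0.0/24 to any keep state label "USER_RULE: Default allow LAN to any rule"
"""

# Constructed hardened variant: anti-lockout limited to the management ports,
# no allow-opts on the firewall's own outbound traffic.
HARDENED_RULES = """\
block in log all label "Default deny rule"
block out log all label "Default deny rule"
pass in quick on re0 proto tcp from 10.110.0.0/24 to (re0) port { 22 443 } keep state label "anti-lockout rule"
pass out all keep state label "let out anything from firewall host itself"
"""

# NAME = "{ value }" or NAME = "value"; rule lines never start this way.
MACRO_RE = re.compile(r'^(\w+)\s*=\s*"(.*)"\s*$')


def parse_ruleset(text):
    """Return (macros, rules). macros maps NAME -> value with braces stripped;
    rules is a list of (line_no, rule_text) with '#' comments dropped and
    $NAME references expanded (single-value macros only, an assumption)."""
    macros, rules = {}, []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2).strip("{} ").strip()
            continue
        expanded = re.sub(r"\$(\w+)",
                          lambda mm: macros.get(mm.group(1), mm.group(0)), line)
        rules.append((no, expanded))
    return macros, rules


def lint(text):
    """Run the checks and return a list of (code, line_no, message)."""
    _, rules = parse_ruleset(text)
    findings = []
    have_in_deny = have_out_deny = False
    for no, rule in rules:
        words = rule.split()
        is_pass, is_block = words[0] == "pass", words[0] == "block"
        # Catch-all block: "block in|out ... all" with no family or protocol.
        # pf is last-match, so this must NOT be quick or nothing below it applies.
        if is_block and "all" in words and "inet6" not in words and "proto" not in words:
            if "quick" in words:
                findings.append(("DEFAULT_DENY_QUICK", no,
                                 "catch-all block with quick shadows every later pass rule"))
            have_in_deny |= words[1:2] == ["in"]
            have_out_deny |= words[1:2] == ["out"]
        # pass ... to (iface): the interface's own address; without a port
        # list every service the firewall runs is reachable from that side.
        if is_pass and re.search(r"\bto \(\w+\)", rule) and "port" not in words:
            findings.append(("ANTILOCKOUT_ALL_PORTS", no,
                             "pass to interface address with no port list"))
        if is_pass and "allow-opts" in words:
            findings.append(("ALLOW_OPTS", no, "IP options permitted on a pass rule"))
        if (is_pass and words[1] == "in" and "to any" in rule
                and "proto" not in words and "port" not in words):
            findings.append(("UNRESTRICTED_EGRESS", no,
                             "pass in ... to any with no proto/port: no egress filtering"))
        m = re.search(r"max-mss (-?\d+)", rule)
        if m and not 1 <= int(m.group(1)) <= 65535:
            findings.append(("BAD_MAX_MSS", no, "max-mss value out of range"))
    if not (have_in_deny and have_out_deny):
        findings.append(("NO_DEFAULT_DENY", 0, "no catch-all block in/out pair"))
    return findings


if __name__ == "__main__":
    for code, no, msg in lint(SAMPLE_RULES):
        print(f"line {no}: {code}: {msg}")
    print("hardened:", lint(HARDENED_RULES))
```

Run as a script it reports four findings for the sample (the out-of-range max-mss, allow-opts on the firewall's outbound rule, the port-less anti-lockout rule, and the LAN-to-any rule) and none for the hardened variant. The checks are textual and deliberately conservative: pf's real parser is `pfctl -nf rules.debug`, which this script does not replace; it only surfaces the review points before the file is loaded.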