#System aliases
loopback = "{ lo0 }"
WAN = "{ vr2 }"
LAN = "{ vr0 }"

#SSH Lockout Table
table <sshlockout> persist

#Snort2C table
table <snort2c>
table <virusprot>

# User Aliases

# Gateways
GWwan = " route-to ( vr2 88.166.209.254 ) "

set loginterface vr2
set loginterface vr0
set optimization normal
set limit states 23000
set skip on pfsync0

scrub in on $WAN all max-mss 1460 fragment reassemble
scrub in on $LAN all max-mss 1460 fragment reassemble

nat-anchor "natearly/*"
nat-anchor "natrules/*"

# Outbound NAT rules
# Subnets to NAT
tonatsubnets = "{ 192.168.0.0/24 }"
nat on $WAN from $tonatsubnets port 500 to any port 500 -> 88.166.209.125/32 port 500
nat on $WAN from $tonatsubnets port 5060 to any port 5060 -> 88.166.209.125/32 port 5060
nat on $WAN from $tonatsubnets to any -> 88.166.209.125/32 port 1024:65535

# Load balancing anchor
rdr-anchor "relayd/*"

# TFTP proxy
rdr-anchor "tftp-proxy/*"

# NAT reflection table (pfSense 2.0 names it <direct_networks>; the name was not preserved in this dump)
table <direct_networks> { 88.166.209.0/24 192.168.0.0/24 }

# UPnPd rdr anchor
rdr-anchor "miniupnpd"

anchor "relayd/*"
anchor "firewallrules"

#---------------------------------------------------------------------------
# default deny rules
#---------------------------------------------------------------------------
block in log all label "Default deny rule"
block out log all label "Default deny rule"

# We use the mighty pf, we cannot be fooled.
block quick proto { tcp, udp } from any port = 0 to any
block quick proto { tcp, udp } from any to any port = 0

# Block all IPv6
block in quick inet6 all
block out quick inet6 all

# snort2c
block quick from <snort2c> to any label "Block snort2c hosts"
block quick from any to <snort2c> label "Block snort2c hosts"

# package manager early specific hook
anchor "packageearly"

# carp
anchor "carp"

# SSH lockout
block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"

block in quick from <virusprot> to any label "virusprot overload table"

table <bogons> persist file "/etc/bogons"
# block bogon networks
# http://www.cymru.com/Documents/bogon-bn-nonagg.txt
anchor "wanbogons"
block in log quick on $WAN from <bogons> to any label "block bogon networks from WAN"

antispoof for vr2

# block anything from private networks on interfaces with the option set
antispoof for $WAN
block in log quick on $WAN from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
block in log quick on $WAN from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
block in log quick on $WAN from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
block in log quick on $WAN from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"

# allow our DHCP client out to the WAN
anchor "wandhcp"
pass in on $WAN proto udp from any port = 67 to any port = 68 label "allow dhcp client out WAN"
pass out on $WAN proto udp from any port = 68 to any port = 67 label "allow dhcp client out WAN"

# Not installing DHCP server firewall rules for WAN which is configured for DHCP.

antispoof for vr0

# allow access to DHCP server on LAN
anchor "dhcpserverLAN"
pass in on $LAN proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
pass in on $LAN proto udp from any port = 68 to 192.168.0.1 port = 67 label "allow access to DHCP server"
pass out on $LAN proto udp from 192.168.0.1 port = 67 to any port = 68 label "allow access to DHCP server"

anchor "spoofing"

# loopback
anchor "loopback"
pass in on $loopback all label "pass loopback"
pass out on $loopback all label "pass loopback"

anchor "firewallout"
# let out anything from the firewall host itself and decrypted IPsec traffic
pass out all keep state allow-opts label "let out anything from firewall host itself"
pass out route-to ( vr2 88.166.209.254 ) from 88.166.209.125 to !88.166.209.0/24 keep state allow-opts label "let out anything from firewall host itself"

# make sure the user cannot lock himself out of the webConfigurator or SSH
anchor "anti-lockout"
pass in quick on vr0 from any to (vr0) keep state label "anti-lockout rule"

# User-defined rules follow
pass in quick on $LAN from 192.168.0.0/24 to any keep state label "USER_RULE: Default allow LAN to any rule"

# VPN Rules

# package manager late specific hook
anchor "packagelate"

anchor "tftp-proxy/*"

anchor "limitingesr"

# uPnPd
anchor "miniupnpd"