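# pf ruleset in the layout pfSense writes to rules.debug: macros, tables,
# options, scrub, NAT/rdr, then the filter rules (default deny, bogon and
# private-network blocks, system rules, user rules, package anchors).
# This file is regenerated from the pfSense configuration; lasting changes
# belong in the GUI/config, not here.
#
# NOTE(review): the copy being reviewed had the angle-bracket table names
# stripped from every table definition and reference (e.g. "table { ... }",
# "block quick from to any"). They are restored below from the macro that
# follows each table and from the standard pfSense table names echoed in
# the rule labels (sshlockout, snort2c, virusprot, bogons) plus the two
# generator tables negate_networks and tonatsubnets. Confirm against the
# live ruleset (pfctl -sr / pfctl -sT) before relying on this text.
#System aliases
loopback = "{ lo0 }"
WAN = "{ em1_vlan300 }"
LAN = "{ em0 }"
WAN_PROMETEY = "{ em1_vlan302 }"
# ALLWAN is the pfSense interface group covering both WAN uplinks.
ALLWAN = "{ ALLWAN }"
#SSH Lockout Table
# Filled by the sshlockout daemon with sources that failed SSH auth
# repeatedly; consumed by the "sshlockout" block rule further down.
table <sshlockout> persist
#Snort2C table
table <snort2c>
# Sources that trip the max-src-conn-rate overload on the ICMP rule below.
table <virusprot>
# User Aliases
table <Broadcasts> { 255.255.255.255 10.255.255.255 10.10.32.255 10.10.33.255 }
Broadcasts = "<Broadcasts>"
# Administrator home addresses; granted unrestricted inbound access on
# $ALLWAN below, so this list should be kept minimal and reviewed.
table <Homes_NOC> { 89.163.93.159 195.131.192.147 }
Homes_NOC = "<Homes_NOC>"
table <Host_1C> { 10.10.32.201 }
Host_1C = "<Host_1C>"
table <Host_kassa> { 10.10.32.204 }
Host_kassa = "<Host_kassa>"
# IP-KVM: console-level access to servers; exposure is discussed at the
# rdr/pass rules that reference it.
table <Host_KVM> { 10.10.33.138 }
Host_KVM = "<Host_KVM>"
table <Host_mike> { 10.10.32.4 }
Host_mike = "<Host_mike>"
table <Host_msk_office> { 91.202.96.34 }
Host_msk_office = "<Host_msk_office>"
table <Host_mysql> { 10.10.32.203 }
Host_mysql = "<Host_mysql>"
table <Host_shinkei> { 10.10.32.16 }
Host_shinkei = "<Host_shinkei>"
table <Host_TFTP> { 10.10.32.193 }
Host_TFTP = "<Host_TFTP>"
table <Host_ubique> { 10.10.32.3 }
Host_ubique = "<Host_ubique>"
table <Hosts_INSIDE> { 80.93.48.96 80.93.56.90 77.222.32.6 }
Hosts_INSIDE = "<Hosts_INSIDE>"
table <Hosts_panel> { 80.93.57.228 80.93.48.96 77.222.32.6 80.93.56.90 80.93.59.60 80.93.49.97 }
Hosts_panel = "<Hosts_panel>"
table <Hosts_Pstar_panel> { 82.140.91.41 82.140.91.42 }
Hosts_Pstar_panel = "<Hosts_Pstar_panel>"
table <Hosts_Seo> { 10.10.32.18 10.10.32.19 }
Hosts_Seo = "<Hosts_Seo>"
table <Hosts_Support> { 10.10.32.195 }
Hosts_Support = "<Hosts_Support>"
table <Hosts_Sweb> { 212.116.101.88 }
Hosts_Sweb = "<Hosts_Sweb>"
table <NET_CPANEL> { 69.90.250.0/23 208.74.120.0/21 }
NET_CPANEL = "<NET_CPANEL>"
table <NET_File> { 77.222.44.0/27 212.116.101.64/27 91.202.96.32/28 89.163.93.159/32 80.93.48.96/32 77.222.32.6/32 80.93.56.90/32 }
NET_File = "<NET_File>"
# Whole RFC1918 10/8; note the "block private networks" rules on both WAN
# interfaces drop 10/8 sources before any user rule is reached.
table <NET_HC> { 10.0.0.0/8 }
NET_HC = "<NET_HC>"
table <NET_LAN> { 10.10.32.0/24 10.10.33.0/24 }
NET_LAN = "<NET_LAN>"
# NOTE(review): NET_SWEB is 192.168.1.0/24 whereas every host alias and NAT
# rule in this file uses 10.10.32.0/23; confirm which network is actually
# attached to em0 — rules written "from $NET_LAN" will not match 10.10.32.x
# sources if NET_LAN does not cover them.
table <NET_SWEB> { 192.168.1.0/24 }
NET_SWEB = "<NET_SWEB>"
table <NET_vkontakte> { 87.240.128.0/18 93.186.232.0/21 95.142.192.0/20 93.186.224.0/21 }
NET_vkontakte = "<NET_vkontakte>"
table <NET_WAN> { 77.222.44.0/28 77.222.44.16/28 212.116.101.64/27 212.119.27.192/28 }
NET_WAN = "<NET_WAN>"
table <NET_YANDEX> { 87.250.250.117 213.180.204.117 }
NET_YANDEX = "<NET_YANDEX>"
Ports_Applications = "{ 63333 9000 }"
Ports_Bittorrent = "{ 6881:6889 }"
Ports_DB = "{ 3306 5432 1433 1521 }"
# 43 is whois, not DNS; the alias name overstates what it permits.
Ports_DNS = "{ 53 43 }"
# 22 is SSH (also listed in Ports_Shell), 989/990 are FTPS.
Ports_FTP = "{ 21 22 989 990 }"
Ports_HTTP = "{ 80 443 82 }"
# LDAP (389/636), RADIUS auth/acct (1812/1813), RADIUS CoA (3799), 2083.
Ports_LDAP = "{ 389 636 1812 1813 2083 3799 }"
Ports_MAIL = "{ 25 587 465 110 995 143 993 585 }"
Ports_Messaging = "{ 5190 5222 5223 }"
Ports_Phone = "{ 5060 4569 }"
Ports_Samba = "{ 137:139 445 }"
# Includes 23 (telnet, cleartext) alongside SSH variants and 10000.
Ports_Shell = "{ 22 2222 20222 22222 23 10000 1022 2223 }"
Ports_Traceroute = "{ 33434:33625 33000:49151 }"
Ports_VNC = "{ 3389 5900:5903 }"
# Gateways
GWGW_PETERSTAR = " route-to ( em1_vlan300 77.222.44.1 ) "
GWGW_PROMETEY = " route-to ( em1_vlan302 212.116.101.65 ) "
GWLoadBalance = " route-to { ( em1_vlan300 77.222.44.1 ) ( em1_vlan302 212.116.101.65 ) } round-robin "
GWPeterstar = " route-to { ( em1_vlan300 77.222.44.1 ) } "
GWPrometey = " route-to { ( em1_vlan302 212.116.101.65 ) } "
# pf keeps a single statistics interface; with three "set loginterface"
# lines only the last one (em1_vlan302) appears to take effect.
set loginterface em1_vlan300
set loginterface em0
set loginterface em1_vlan302
set optimization normal
set limit states 299000
set limit src-nodes 299000
set skip on pfsync0
scrub in on $WAN all random-id fragment reassemble
scrub in on $LAN all random-id fragment reassemble
scrub in on $WAN_PROMETEY all random-id fragment reassemble
nat-anchor "natearly/*"
nat-anchor "natrules/*"
# Outbound NAT rules
nat on $WAN_PROMETEY proto udp from 10.10.33.64/26 to any -> 212.116.101.86/32 static-port
# SIP (5060) keeps its source port so the remote PBX can reach the phone.
nat on $WAN from 10.10.32.0/23 to any port 5060 -> 77.222.44.10/32 static-port
nat on $WAN_PROMETEY from 10.10.32.0/23 to any port 5060 -> 212.116.101.94/32 static-port
nat on $WAN proto tcp from 10.10.32.195/32 to any -> 77.222.44.6/32 port 1024:65535
nat on $WAN_PROMETEY proto tcp from 10.10.32.195/32 to any -> 212.116.101.70/32 port 1024:65535
nat on $WAN proto tcp from 10.10.32.18/32 to any -> 77.222.44.8/32 port 1024:65535
nat on $WAN proto tcp from 10.10.32.19/32 to any -> 77.222.44.9/32 port 1024:65535
nat on $WAN proto udp from 10.10.32.193/32 to any -> 77.222.44.12/32 port 1024:65535
nat on $WAN_PROMETEY proto udp from 10.10.32.193/32 to any -> 212.116.101.72/32 port 1024:65535
nat on $WAN from 10.10.32.0/23 to any -> 77.222.44.10/32 port 1024:65535
nat on $WAN_PROMETEY from 10.10.32.0/23 to any -> 212.116.101.94/32 port 1024:65535
# Load balancing anchor
rdr-anchor "relayd/*"
# TFTP proxy
rdr-anchor "tftp-proxy/*"
table <tonatsubnets> { 77.222.44.0/28 10.10.32.0/24 212.116.101.64/27 }
# NAT Inbound Redirects
# Note: rdr only translates; the matching "USER_RULE: NAT ..." pass rule
# in the filter section is what admits the traffic, and its source
# restriction (or lack of one) is what matters for exposure.
rdr on em1_vlan302 proto tcp from $Hosts_Sweb to 212.116.101.71 port 3389 -> $Host_1C
# NAT reflection so LAN clients can use the public addresses.
rdr on em0 proto tcp from 10.10.32.0/24 to 212.116.101.71 port 3389 -> $Host_1C
rdr on em0 proto tcp from 10.10.32.0/24 to 77.222.44.5 port 443 -> $Host_KVM
# SSH to three internal hosts on alternate public ports, source "any".
# Prefer limiting the source to $Homes_NOC / a VPN; the sshlockout table
# only covers the firewall's own SSH port, not these forwarded ones.
rdr on em1_vlan300 proto tcp from any to 77.222.44.12 port 3333 -> $Host_mike port 22
rdr on em1_vlan302 proto tcp from any to 212.116.101.72 port 3333 -> $Host_mike port 22
rdr on em1_vlan300 proto tcp from any to 77.222.44.12 port 6666 -> $Host_shinkei port 22
rdr on em1_vlan302 proto tcp from any to 212.116.101.72 port 6666 -> $Host_shinkei port 22
rdr on em1_vlan300 proto tcp from any to 77.222.44.12 port 6667 -> $Host_ubique port 22
rdr on em1_vlan302 proto tcp from any to 212.116.101.72 port 6667 -> $Host_ubique port 22
# NOTE(review): $NET_File sources are 10/8, which the "block private
# networks" rules drop on both WAN interfaces before user rules run, so
# this inbound TFTP path looks unreachable from the WAN side — confirm
# whether it is still needed.
rdr on em1_vlan300 proto udp from $NET_File to 77.222.44.12 port 69 -> $Host_TFTP
rdr on em1_vlan302 proto udp from $NET_File to 212.116.101.72 port 69 -> $Host_TFTP
rdr on em1_vlan300 proto { tcp udp } from $Host_msk_office to 77.222.44.12 port $Ports_Samba -> 10.10.32.196
rdr on em1_vlan302 proto { tcp udp } from $Host_msk_office to 212.116.101.72 port $Ports_Samba -> 10.10.32.196
# IP-KVM web interface reachable from any source on both uplinks and on a
# second public address. Console-level access warrants a source
# restriction (e.g. $Homes_NOC) or VPN-only reachability.
rdr on em1_vlan300 proto tcp from any to 77.222.44.12 port 443 -> $Host_KVM
rdr on em1_vlan302 proto tcp from any to 212.116.101.72 port 443 -> $Host_KVM
rdr on em1_vlan300 proto tcp from any to 77.222.44.5 port 443 -> $Host_KVM
rdr on em1_vlan300 proto tcp from $Hosts_panel to 77.222.44.12 port 2223 -> $Host_mysql
rdr on em1_vlan302 proto tcp from $Hosts_panel to 212.116.101.72 port 2223 -> $Host_mysql
rdr on em1_vlan300 proto tcp from $Hosts_panel to 77.222.44.12 port 5242 -> $Host_kassa port 4242
rdr on em1_vlan302 proto tcp from $Hosts_panel to 212.116.101.72 port 5242 -> $Host_kassa port 4242
rdr on em1_vlan300 proto tcp from $Hosts_panel to 77.222.44.12 port 5243 -> $Host_kassa port 4243
rdr on em1_vlan302 proto tcp from $Hosts_panel to 212.116.101.72 port 5243 -> $Host_kassa port 4243
rdr on em1_vlan302 proto tcp from $Homes_NOC to 212.116.101.72 port 21 -> $Host_TFTP
rdr on em1_vlan300 proto tcp from $Homes_NOC to 77.222.44.12 port 21 -> $Host_TFTP
# UPnPd rdr anchor
rdr-anchor "miniupnpd"
anchor "relayd/*"
anchor "firewallrules"
#---------------------------------------------------------------------------
# default deny rules
#---------------------------------------------------------------------------
block in log all label "Default deny rule"
block out log all label "Default deny rule"
# We use the mighty pf, we cannot be fooled.
block quick proto { tcp, udp } from any port = 0 to any
block quick proto { tcp, udp } from any to any port = 0
# snort2c
block quick from <snort2c> to any label "Block snort2c hosts"
block quick from any to <snort2c> label "Block snort2c hosts"
# package manager early specific hook
anchor "packageearly"
# carp
anchor "carp"
block in log quick proto carp from (self) to any
pass quick proto carp
pass quick proto pfsync
# SSH lockout
# Only protects the firewall's own SSH port (20222), not the forwarded
# SSH ports above.
block in log quick proto tcp from <sshlockout> to any port 20222 label "sshlockout"
block in quick from <virusprot> to any label "virusprot overload table"
table <bogons> persist file "/etc/bogons"
# block bogon networks
# http://www.cymru.com/Documents/bogon-bn-nonagg.txt
anchor "wanbogons"
block in log quick on $WAN from <bogons> to any label "block bogon networks from WAN"
antispoof for em1_vlan300
# block anything from private networks on interfaces with the option set
antispoof for $WAN
block in log quick on $WAN from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
block in log quick on $WAN from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
block in log quick on $WAN from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
block in log quick on $WAN from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
antispoof for em0
# block bogon networks
# http://www.cymru.com/Documents/bogon-bn-nonagg.txt
anchor "opt2bogons"
block in log quick on $WAN_PROMETEY from <bogons> to any label "block bogon networks from WAN_PROMETEY"
antispoof for em1_vlan302
# block anything from private networks on interfaces with the option set
antispoof for $WAN_PROMETEY
block in log quick on $WAN_PROMETEY from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
block in log quick on $WAN_PROMETEY from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
block in log quick on $WAN_PROMETEY from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
block in log quick on $WAN_PROMETEY from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
anchor "spoofing"
# loopback
anchor "loopback"
pass in on $loopback all label "pass loopback"
pass out on $loopback all label "pass loopback"
anchor "firewallout"
# let out anything from the firewall host itself and decrypted IPsec traffic
pass out all keep state allow-opts label "let out anything from firewall host itself"
pass out route-to ( em1_vlan300 77.222.44.1 ) from 77.222.44.10 to !77.222.44.0/28 keep state allow-opts label "let out anything from firewall host itself"
pass out route-to ( em1_vlan302 212.116.101.65 ) from 212.116.101.94 to !212.116.101.64/27 keep state allow-opts label "let out anything from firewall host itself"
# make sure the user cannot lock himself out of the webConfigurator or SSH
anchor "anti-lockout"
pass in quick on em0 from any to (em0) keep state label "anti-lockout rule"
# User-defined rules follow
# --- WAN (Peterstar uplink) ---
# "from any" pass rules for forwarded SSH and the IP-KVM; see the rdr
# section for the recommended source restriction.
pass in quick on $WAN reply-to ( em1_vlan300 77.222.44.1 ) proto tcp from any to $Host_shinkei port 22 label "USER_RULE: NAT NAT to SSH shinkei"
# Filter allows any source, but the rdr above only translates $NET_File
# sources, so other sources never match the $Host_TFTP destination.
pass in quick on $WAN reply-to ( em1_vlan300 77.222.44.1 ) proto udp from any to $Host_TFTP port 69 label "USER_RULE: NAT Redirect to TFTP"
pass in quick on $WAN reply-to ( em1_vlan300 77.222.44.1 ) proto tcp from any to $Host_KVM port 443 label "USER_RULE: NAT Redirect to IP-KVM"
pass in quick on $WAN reply-to ( em1_vlan300 77.222.44.1 ) proto tcp from any to $Host_mike port 22 label "USER_RULE: NAT Redirect to mike ssh"
pass in quick on $WAN reply-to ( em1_vlan300 77.222.44.1 ) proto tcp from $Hosts_panel to $Host_mysql port 2223 label "USER_RULE: NAT SSH tunnel to mysql"
pass in quick on $WAN reply-to ( em1_vlan300 77.222.44.1 ) proto tcp from $Hosts_panel to $Host_kassa port 4242 label "USER_RULE: NAT Tunnel to kassa 1"
pass in quick on $WAN reply-to ( em1_vlan300 77.222.44.1 ) proto tcp from $Hosts_panel to $Host_kassa port 4243 label "USER_RULE: NAT Tunnel to kassa 11"
pass in quick on $WAN reply-to ( em1_vlan300 77.222.44.1 ) proto { tcp udp } from $Host_msk_office to 10.10.32.196 port $Ports_Samba label "USER_RULE: NAT Redirect to Avalon"
# Duplicate of the IP-KVM rule above; unreachable because the first one is
# "quick". Harmless, but the config has two identical NAT entries.
pass in quick on $WAN reply-to ( em1_vlan300 77.222.44.1 ) proto tcp from any to $Host_KVM port 443 label "USER_RULE: NAT Redirect to IP-KVM"
pass in quick on $WAN reply-to ( em1_vlan300 77.222.44.1 ) proto tcp from any to $Host_ubique port 22 label "USER_RULE: NAT NAT to SSH ubique"
pass in quick on $WAN reply-to ( em1_vlan300 77.222.44.1 ) proto tcp from $Homes_NOC to $Host_TFTP port 21 label "USER_RULE: NAT Redirect to FTP"
# The next two lines are generator diagnostics (no PPTP interface exists),
# not rules.
# WANLANWAN_PROMETEYALLWAN pptp array key does not exist for Default allow PPTP to any rule label "USER_RULE: Default allow PPTP to any rule"
# WANLANWAN_PROMETEYALLWAN pptp array key does not exist for Default allow PPTP to any rule label "USER_RULE: Default allow PPTP to any rule"
# --- WAN_PROMETEY (second uplink) --- mirrors the WAN rules above.
pass in quick on $WAN_PROMETEY reply-to ( em1_vlan302 212.116.101.65 ) proto tcp from $Hosts_Sweb to $Host_1C port 3389 label "USER_RULE: NAT Access to 1C by RDP"
pass in quick on $WAN_PROMETEY reply-to ( em1_vlan302 212.116.101.65 ) proto tcp from any to $Host_shinkei port 22 label "USER_RULE: NAT NAT to SSH shinkei"
pass in quick on $WAN_PROMETEY reply-to ( em1_vlan302 212.116.101.65 ) proto udp from any to $Host_TFTP port 69 label "USER_RULE: NAT Redirect to TFTP"
pass in quick on $WAN_PROMETEY reply-to ( em1_vlan302 212.116.101.65 ) proto tcp from any to $Host_KVM port 443 label "USER_RULE: NAT Redirect to IP-KVM"
pass in quick on $WAN_PROMETEY reply-to ( em1_vlan302 212.116.101.65 ) proto tcp from any to $Host_mike port 22 label "USER_RULE: NAT Redirect to mike ssh"
pass in quick on $WAN_PROMETEY reply-to ( em1_vlan302 212.116.101.65 ) proto tcp from $Hosts_panel to $Host_mysql port 2223 label "USER_RULE: NAT SSH tunnel to mysql"
pass in quick on $WAN_PROMETEY reply-to ( em1_vlan302 212.116.101.65 ) proto tcp from $Hosts_panel to $Host_kassa port 4242 label "USER_RULE: NAT Tunnel to kassa 2"
pass in quick on $WAN_PROMETEY reply-to ( em1_vlan302 212.116.101.65 ) proto tcp from $Hosts_panel to $Host_kassa port 4243 label "USER_RULE: NAT Tunnel to kassa 22"
pass in quick on $WAN_PROMETEY reply-to ( em1_vlan302 212.116.101.65 ) proto { tcp udp } from $Host_msk_office to 10.10.32.196 port $Ports_Samba label "USER_RULE: NAT Redirect to Avalon"
pass in quick on $WAN_PROMETEY reply-to ( em1_vlan302 212.116.101.65 ) proto tcp from any to $Host_ubique port 22 label "USER_RULE: NAT NAT to SSH ubique"
pass in quick on $WAN_PROMETEY reply-to ( em1_vlan302 212.116.101.65 ) proto tcp from $Homes_NOC to $Host_TFTP port 21 label "USER_RULE: NAT Redirect to FTP"
# Generator diagnostic (no OpenVPN interface exists), not a rule.
# WANLANWAN_PROMETEYALLWAN openvpn array key does not exist for OpenVPN wizard rules. label "USER_RULE: OpenVPN wizard rules."
# --- LAN ---
# Each policy-routed rule is preceded by a NEGATE_ROUTE rule to
# <negate_networks> so traffic for VPN/local destinations is not forced
# out a WAN gateway.
block in quick on $LAN proto { tcp udp } from any to $Broadcasts label "USER_RULE: Block Broadcasts"
pass in quick on $LAN from $NET_LAN to $NET_LAN keep state label "USER_RULE: Allow any in LAN to LAN"
pass in log quick on $LAN $GWLoadBalance inet proto icmp from any to ! $NET_LAN keep state label "USER_RULE: Any ICMP "
pass in quick on $LAN $GWPeterstar proto { tcp udp } from $NET_LAN to $Hosts_INSIDE port $Ports_DNS keep state label "USER_RULE: NS with failover"
# Single host with unrestricted outbound access via Prometey.
pass in quick on $LAN from $Host_mike to <negate_networks> keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
pass in quick on $LAN $GWPrometey from $Host_mike to any keep state label "USER_RULE: Any for Mike :)"
pass in quick on $LAN proto { tcp udp } from $NET_LAN to <negate_networks> keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
pass in quick on $LAN $GWPrometey proto { tcp udp } from $NET_LAN to any port $Ports_DNS keep state label "USER_RULE: Allow DNS"
# Support host: any TCP destination/port via Peterstar.
pass in quick on $LAN proto tcp from $Hosts_Support to <negate_networks> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
pass in quick on $LAN $GWPeterstar proto tcp from $Hosts_Support to any flags S/SA keep state label "USER_RULE: support (peterstar)"
pass in log quick on $LAN proto { tcp udp } from $NET_LAN to <negate_networks> keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
pass in log quick on $LAN $GWPrometey proto { tcp udp } from $NET_LAN to any port $Ports_Phone keep state label "USER_RULE: Allow IP Telephony"
pass in quick on $LAN proto { tcp udp } from $NET_LAN to <negate_networks> keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
# 514 = syslog; remote log transport is unencrypted unless the collector
# uses TLS on another port.
pass in quick on $LAN $GWPeterstar proto { tcp udp } from $NET_LAN to any port 514 keep state label "USER_RULE: Allow Remote Log"
pass in quick on $LAN proto { tcp udp } from $NET_LAN to <negate_networks> keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
pass in quick on $LAN $GWPrometey proto { tcp udp } from $NET_LAN to any port 873 keep state label "USER_RULE: Allow Rsync"
pass in quick on $LAN proto tcp from $NET_LAN to <negate_networks> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
# $Ports_Shell includes telnet (23); outbound cleartext logins are allowed.
pass in quick on $LAN $GWPeterstar proto tcp from $NET_LAN to any port $Ports_Shell flags S/SA keep state label "USER_RULE: Allow shell access"
pass in log quick on $LAN proto tcp from $NET_LAN to <negate_networks> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
pass in log quick on $LAN $GWPrometey proto tcp from $NET_LAN to any port $Ports_FTP flags S/SA keep state label "USER_RULE: Allow FTP"
pass in quick on $LAN proto tcp from $NET_LAN to <negate_networks> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
pass in quick on $LAN $GWPrometey proto tcp from $NET_LAN to any port $Ports_LDAP flags S/SA keep state label "USER_RULE: Allow LDAP and RADIUS"
pass in quick on $LAN proto tcp from $NET_LAN to <negate_networks> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
pass in quick on $LAN $GWPrometey proto tcp from $NET_LAN to any port $Ports_DB flags S/SA keep state label "USER_RULE: Allow DB access"
# Traffic-shaped (dnpipe 1/2) and no NEGATE_ROUTE partner, unlike the
# other policy-routed rules; presumably intentional since the destination
# is a fixed external network.
pass in log quick on $LAN $GWPrometey proto tcp from $NET_LAN to $NET_vkontakte port $Ports_HTTP flags S/SA keep state dnpipe ( 1, 2) label "USER_RULE: vkontakte to Low priority!"
pass in quick on $LAN proto tcp from $Hosts_Seo to <negate_networks> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
pass in quick on $LAN $GWPeterstar proto tcp from $Hosts_Seo to any port $Ports_HTTP flags S/SA keep state label "USER_RULE: Allow HTTP (Seo)"
pass in quick on $LAN proto tcp from $NET_LAN to <negate_networks> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
pass in quick on $LAN $GWPrometey proto tcp from $NET_LAN to any port $Ports_HTTP flags S/SA keep state label "USER_RULE: Allow HTTP"
pass in log quick on $LAN proto tcp from $NET_LAN to <negate_networks> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
pass in log quick on $LAN $GWPrometey proto tcp from $NET_LAN to any port $Ports_MAIL flags S/SA keep state label "USER_RULE: Allow Mail"
pass in quick on $LAN proto tcp from $NET_LAN to <negate_networks> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
pass in quick on $LAN $GWPrometey proto tcp from $NET_LAN to any port $Ports_Messaging flags S/SA keep state label "USER_RULE: Allow Messaging"
pass in quick on $LAN proto tcp from $NET_LAN to <negate_networks> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
pass in quick on $LAN $GWPrometey proto tcp from $NET_LAN to any port $Ports_VNC flags S/SA keep state label "USER_RULE: Allow VNC and RDP"
pass in log quick on $LAN proto tcp from $NET_LAN to <negate_networks> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
pass in log quick on $LAN $GWPrometey proto tcp from $NET_LAN to any port $Ports_Applications flags S/SA keep state label "USER_RULE: Allow some Applications"
pass in quick on $LAN proto udp from $NET_LAN to <negate_networks> keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
pass in quick on $LAN $GWPrometey proto udp from $NET_LAN to any port 123 keep state label "USER_RULE: Allow NTP"
# High ports (1024-49151) for TCP and UDP, shaped by dnpipe 3/4. This is a
# broad egress allowance; the explicit per-service rules above are mostly
# subsumed by it for TCP.
pass in log quick on $LAN proto tcp from $NET_LAN to <negate_networks> flags S/SA keep state dnpipe ( 3, 4) label "NEGATE_ROUTE: Negate policy route for vpn(s)"
pass in log quick on $LAN $GWPrometey proto tcp from $NET_LAN to any port 1023 >< 49152 flags S/SA keep state dnpipe ( 3, 4) label "USER_RULE: Allow High TCP ports"
pass in log quick on $LAN proto udp from $NET_LAN to <negate_networks> keep state dnpipe ( 3, 4) label "NEGATE_ROUTE: Negate policy route for vpn(s)"
pass in log quick on $LAN $GWPrometey proto udp from $NET_LAN to any port $Ports_Traceroute keep state dnpipe ( 3, 4) label "USER_RULE: Allow High UDP ports (Traceroute and MTR)"
pass in log quick on $LAN $GWPrometey proto udp from $Host_TFTP to $NET_File keep state label "USER_RULE: Allow TFTP"
# Generator diagnostic (no L2TP interface exists), not a rule.
# WANLANWAN_PROMETEYALLWAN l2tp array key does not exist for label "USER_RULE"
# --- ALLWAN (both uplinks) ---
# ICMP from anywhere, rate-limited per source; offenders land in
# <virusprot> and are blocked by the rule in the system section.
pass in quick on $ALLWAN inet proto icmp from any to any keep state ( max-src-conn-rate 1 /1, overload <virusprot> flush global ) label "USER_RULE: Allow any ICMP"
# Unrestricted inbound access for the NOC home addresses: any protocol,
# any destination behind the firewall. Keep $Homes_NOC tightly curated.
pass in quick on $ALLWAN from $Homes_NOC to any keep state label "USER_RULE: Allow any for NOC"
# Firewall SSH (20222) open to any source on both uplinks, guarded only by
# the sshlockout table. Restricting the source to $Homes_NOC (which already
# has full access via the rule above) would remove the exposure without
# losing administrative reachability.
pass in log quick on $ALLWAN proto tcp from any to any port 20222 flags S/SA keep state label "USER_RULE: Remote access to Gate"
# VPN Rules
# package manager late specific hook
anchor "packagelate"
anchor "tftp-proxy/*"
anchor "limitingesr"
# uPnPd
anchor "miniupnpd"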