showcase/aries/firewall/pf.conf

2020-03-18 15:51:04 -04:00
#################################################################
# vars
# macros and tables used by the rules below; a macro is expanded verbatim
# where $name appears, so the quoted strings must stay valid pf syntax
# logging interfaces - for reference only
# NOTE(review): the web pass rule in the filtering section logs to pflog0,
# which this list reserves for blocks (pflog3 is listed for nginx); confirm
# which pflog interface the log collector actually reads
#pflog0 - block
#pflog1 - pass in
#pflog2 - pass out
#pflog3 - pass in nginx (80, 443, 8080)
# interfaces
ext_if="re0"    # public side
int_if="em0"    # LAN side
#wifi_if="tap0" # i think tap0 is being used for hermes VM right now
vpn_if="tun0" # change to tap1 when ready to change to bridging on vpn adapter
# static internal hosts
aries ="127.0.0.1"        # loopback: public web and 10011 traffic is redirected to this host itself
aries_int ="192.168.0.1"  # LAN address of this host; target of the DNS redirect
aries_wg ="192.168.1.1"   # target of the udp/51820 redirect (presumably wireguard)
cert ="192.168.0.9"       # only referenced from commented-out 11371 rules
hermes ="192.168.0.11"    # mail host: 993, 25 and 587 are redirected here
nextcloud ="192.168.0.24" # not referenced in the visible part of the ruleset
# queues, states and types
icmp_ping="icmp-type 8 code 0"             # echo request only; not used in the visible rules
ssh_queue="(ssh_bulk, ssh_login)"          # not used in the visible rules
syn_state="flags S/UAPRSF synproxy state"  # pf completes the TCP handshake before the backend sees it; not used in the visible rules
tcp_state="flags S/UAPRSF modulate state"  # match only a bare SYN, create state, randomize the ISN
udp_state="keep state"                     # plain state tracking; also reused for the icmp rules
# stateful tracking options - STO
# a source that exceeds max-src-conn-rate is added to <BLOCKTEMP> and its
# states are flushed. pf does not age <BLOCKTEMP> entries by itself, so an
# external expiry job (e.g. periodic "pfctl -t BLOCKTEMP -T expire <seconds>")
# is needed or the temporary block becomes permanent
open_sto="(max 90000, source-track rule, max-src-conn 1000, max-src-nodes 256)"
smtp_sto="(max 200, source-track rule, max-src-conn 10, max-src-nodes 256, max-src-conn-rate 200/30)"
ssh_sto ="(max 100, source-track rule, max-src-conn 10, max-src-nodes 100, max-src-conn-rate 100/30, overload <BLOCKTEMP> flush global)"
web_sto ="(max 4096, source-track rule, max-src-conn 64, max-src-nodes 512, max-src-conn-rate 500/100, overload <BLOCKTEMP> flush global)"
# tables
table <mynet> const { 192.168.0.0/24 }                          # const: cannot be modified at runtime; not referenced in the visible rules
#table <inttrack> { 192.168.0.240 }
table <spammers> persist file "/etc/pf_spammers.table"          # not referenced in the visible rules
table <BLOCKTEMP> counters                                      # filled by the overload clauses above; per-address counters kept
table <BLOCKPERM> counters file "/etc/pf_block_permanent.table" # hand-maintained permanent block list
table <non_route> file "/etc/pf_non_route.table"                # presumably non-routable/bogon prefixes; dropped quick on $ext_if
table <public_dns> file "/etc/pf_public_dns.table"              # resolvers whose port 53 traffic is redirected to $aries_int
table <spamd-white> persist                                     # by convention populated by spamd/spamlogd; persist keeps it when empty
#################################################################
# options
# misc
set skip on lo                  # loopback is not filtered at all
set debug urgent
set block-policy drop           # blocked packets are silently dropped, no RST / ICMP unreachable
set loginterface $ext_if        # interface counters shown by pfctl -s info
set state-policy if-bound       # a state only matches packets on the interface it was created on
set fingerprints "/etc/pf.os"
set ruleset-optimization none   # rules are evaluated exactly as written
# timeouts
set optimization normal
set timeout { tcp.closing 60, tcp.established 7200 }  # idle established connections expire after 2h instead of the 24h default
# scrub is disabled because it scrambles RFC1323 time stamps
# note: without reassembly, fragmented packets are matched fragment by fragment
#scrub in all no-df random-id fragment reassemble
no scrub
#################################################################
# NAT and Redirection rules are first match
# static NAT for LAN. can also add for things like XBOX or PS4
#nat on $ext_if from $xbox to any -> ($ext_if) static-port
nat on $ext_if from $int_if:network to any -> ($ext_if)   # ($ext_if) in parentheses follows address changes on re0
# not sure if i need to NAT the openvpn network...
#nat on $vpn_if from $int_if:network to any -> ($vpn_if)
# my servers available publicly
# "from !($ext_if)" excludes packets sourced from the firewall's own address;
# each rdr below has a matching "pass in" rule in the filtering section
rdr on $ext_if inet proto tcp from !($ext_if) to ($ext_if) port { 80 443 8080 } -> $aries      # web, to this host
rdr on $ext_if inet proto udp from !($ext_if) to ($ext_if) port { 51820 } -> $aries_wg         # presumably wireguard
rdr on $ext_if inet proto tcp from !($ext_if) to ($ext_if) port 993 -> $hermes                  # imaps
rdr on $ext_if inet proto { tcp udp } from !($ext_if) to ($ext_if) port 10011 -> $aries         # tcp and udp
#rdr on $ext_if inet proto tcp from !($ext_if) to ($ext_if) port 11371 -> $cert
# specific rules for smtp mail server and spamd
# NOTE(review): both lines redirect to the same host and ports, so the
# <spamd-white> split currently changes nothing; if non-whitelisted senders
# are meant to hit spamd first, the first line would point at the spamd
# listener rather than $hermes - confirm the intent
rdr on $ext_if inet proto tcp from !<spamd-white> to ($ext_if) port { 25 587 } -> $hermes #port spamd
rdr on $ext_if inet proto tcp from <spamd-white> to ($ext_if) port { 25 587 } -> $hermes
# redirect public DNS servers to aries
# LAN clients that hard-code a resolver from <public_dns> are forced through this host instead
rdr on $int_if inet proto { tcp udp } from $int_if:network to <public_dns> port 53 -> $aries_int
#rdr on { $int_if $bridge_if $wifi_if } proto { tcp udp } from .... blah blah blah
# openvpn redirect
#rdr on $vpn_if inet from $vpn_if:network to any
# openvpn redirect. need to look at the 'rdr in' and 'rdr out' to see if i can simplify this
#rdr out on $vpn_if from $vpn_net to any
#rdr in on $vpn_if from any to any
# redirect DNS servers to aries. retyped above. want to test
#rdr pass on { $int_if $bridge_if $wifi_if } proto { tcp udp } from $lan_net to <pubdns> -> $aries_int
# anchors
# NOTE(review): named "miniupnp" here but the filter anchor further down is
# "miniupnpd"; if miniupnpd uses one anchor name for both (its default is
# "miniupnpd"), this rdr-anchor is never populated - confirm against miniupnpd.conf
rdr-anchor "miniupnp"
# deny rogue redirect
# first-match: only reached by traffic no rdr above (or the anchor) matched, so
# this mainly documents intent
no rdr
#################################################################
# filtering
# filter rules are last match unless marked quick
# block abusive hosts. quick rules
block drop in quick on $ext_if from <non_route> to any
block drop in quick on $ext_if from <BLOCKPERM> to any
block drop in quick on $ext_if proto tcp from <BLOCKTEMP> to any # all TCP from overloaded sources, not only ssh
block drop in quick on $ext_if proto udp from <BLOCKTEMP> to any
# default blocking rule
# NOTE(review): this is the only default deny; pf passes anything no rule
# matches, so traffic entering $int_if or $vpn_if is allowed unless a rule
# below says otherwise (the $int_if block is commented out further down)
block drop in on $ext_if
# ext_if inbound
# destinations are the post-rdr addresses. log (all) records every packet of
# the connection, not just the state-creating one; see the pflog note in vars
pass in log (all, to pflog0) on $ext_if inet proto tcp from !($ext_if) to $aries port { 80 443 8080 } $tcp_state $web_sto
pass in on $ext_if inet proto udp from !($ext_if) to $aries_wg port 51820 $udp_state $open_sto
pass in on $ext_if inet proto tcp from !($ext_if) to $hermes port 993 $tcp_state $open_sto
pass in on $ext_if inet proto tcp from !($ext_if) to $aries port 10011 $tcp_state $open_sto
pass in on $ext_if inet proto udp from !($ext_if) to $aries port 10011 $udp_state $open_sto
#pass in on $ext_if inet proto tcp from !($ext_if) to $cert port 11371 $tcp_state $open_sto
# ext_if inbound - specific rules for mail server and spamd
# both lines pass to the same host/ports with the same options, so the
# whitelist split has no effect here; $smtp_sto is defined but not used
pass in on $ext_if inet proto tcp from !<spamd-white> to $hermes port { 25 587 } $tcp_state $open_sto
pass in on $ext_if inet proto tcp from <spamd-white> to $hermes port { 25 587 } $tcp_state $open_sto
# ext_if outbound
# NAT rewrites the LAN source to ($ext_if) before these rules run, so they
# cover NATed LAN traffic as well as the firewall's own
pass out on $ext_if inet proto tcp from ($ext_if) to !($ext_if) $tcp_state $open_sto
pass out on $ext_if inet proto udp from ($ext_if) to !($ext_if) $udp_state $open_sto
pass out on $ext_if inet proto icmp from ($ext_if) to !($ext_if) $udp_state $open_sto   # $udp_state is plain "keep state", valid for icmp
### WARNING: enabling these between rules will restrict OUTBOUND traffic! (default deny, then allow with next block)
# int_if default block with return (TCP reset)
#block return in on $int_if inet
# int_if inbound (restrict LAN machines to external clients)
#pass in on $int_if inet proto tcp from $int_if:network to any port { 80 443 } $tcp_state $open_sto
# while the block above is commented out this rule only adds state tracking
# with $open_sto; it does not restrict anything
pass in on $int_if inet proto tcp from $int_if:network to $aries_int port 22 $tcp_state $open_sto
#pass in on $int_if inet proto tcp from $int_if:network to $aries_int port 53 $tcp_state $open_sto
#pass in on $int_if inet proto udp from $int_if:network to $aries_int port 53 $udp_state $open_sto
#pass in on $int_if inet proto udp from $int_if:network to $aries_int port ntp $udp_state $open_sto
#pass in on $int_if inet proto icmp from $int_if:network to any $icmp_ping $udp_state $open_sto
### WARNING: end
# int_if outbound
# $int_if used as an address expands to em0's own addresses, i.e. traffic
# this host sends into the LAN
pass out on $int_if inet proto tcp from $int_if to $int_if:network $tcp_state
pass out on $int_if inet proto udp from $int_if to $int_if:network $udp_state
pass out on $int_if inet proto icmp from $int_if to $int_if:network $udp_state
##################################################
# openvpn rdr
##pass out on $vpn_if from $vpn_net to any
##pass in on $vpn_if from any to any
# vpn_if inbound - openvpn network
# NOTE(review): "to any" lets VPN clients reach the LAN and this host's
# services, not only the internet; narrow the destination if that is not intended
pass in on $vpn_if inet proto tcp from $vpn_if:network to any $tcp_state $open_sto
pass in on $vpn_if inet proto udp from $vpn_if:network to any $udp_state $open_sto
pass in on $vpn_if inet proto icmp from $vpn_if:network to any $udp_state $open_sto
# vpn_if outbound - openvpn network
# NOTE(review): the source here is the VPN network, so connections initiated
# toward VPN clients from elsewhere match none of these and rely on pf's
# implicit pass - confirm that is intended
pass out on $vpn_if inet proto tcp from $vpn_if:network to any $tcp_state $open_sto
pass out on $vpn_if inet proto udp from $vpn_if:network to any $udp_state $open_sto
pass out on $vpn_if inet proto icmp from $vpn_if:network to any $udp_state $open_sto
# anchors
# filter anchor for miniupnpd; note the rdr-anchor in the NAT section is
# spelled "miniupnp", so the two names differ - confirm against miniupnpd.conf
anchor "miniupnpd"