Added pf.conf

aries/firewall/pf.conf

@@ -0,0 +1,174 @@
+#################################################################
+# vars
+
+# logging interfaces - for reference only
+#pflog0 - block
+#pflog1 - pass in
+#pflog2 - pass out
+#pflog3 - pass in nginx (80, 443, 8080
+
+# interfaces
+ext_if="re0"
+int_if="em0"
+#wifi_if="tap0" # i think tap0 is being used for hermes VM right now
+vpn_if="tun0" # change to tap1 when ready to change to bridging on vpn adapter
+
+# static internal hosts
+aries       ="127.0.0.1"
+aries_int   ="192.168.0.1"
+aries_wg    ="192.168.1.1"
+cert        ="192.168.0.9"
+hermes      ="192.168.0.11"
+nextcloud   ="192.168.0.24"
+
+# queues, states and types
+icmp_ping="icmp-type 8 code 0"
+ssh_queue="(ssh_bulk, ssh_login)"
+syn_state="flags S/UAPRSF synproxy state"
+tcp_state="flags S/UAPRSF modulate state"
+udp_state="keep state"
+
+# stateful tracking options - STO
+open_sto="(max 90000, source-track rule, max-src-conn 1000, max-src-nodes 256)"
+smtp_sto="(max   200, source-track rule, max-src-conn   10, max-src-nodes 256, max-src-conn-rate 200/30)"
+ssh_sto ="(max   100, source-track rule, max-src-conn   10, max-src-nodes 100, max-src-conn-rate 100/30,  overload <BLOCKTEMP> flush global)"
+web_sto ="(max  4096, source-track rule, max-src-conn   64, max-src-nodes 512, max-src-conn-rate 500/100, overload <BLOCKTEMP> flush global)"
+
+# tables
+table <mynet> const { 192.168.0.0/24 }
+#table <inttrack> { 192.168.0.240 }
+table <spammers> persist file "/etc/pf_spammers.table"
+
+table <BLOCKTEMP> counters
+table <BLOCKPERM> counters file "/etc/pf_block_permanent.table"
+table <non_route> file "/etc/pf_non_route.table"
+table <public_dns> file "/etc/pf_public_dns.table"
+table <spamd-white> persist
+
+#################################################################
+# options
+
+# misc
+set skip on lo
+set debug urgent
+set block-policy drop
+set loginterface $ext_if
+set state-policy if-bound
+set fingerprints "/etc/pf.os"
+set ruleset-optimization none
+
+# timeouts
+set optimization normal
+set timeout { tcp.closing 60, tcp.established 7200 }
+
+# scrub is disabled because it scrambles RFC1323 time stamps
+#scrub in all no-df random-id fragment reassemble
+no scrub
+
+#################################################################
+# NAT and Redirection rules are first match
+
+# static NAT for LAN. can also add for things like XBOX or PS4
+#nat on $ext_if from $xbox to any -> ($ext_if) static-port
+nat on $ext_if from $int_if:network to any -> ($ext_if)
+
+# not sure if i need to NAT the openvpn network...
+#nat on $vpn_if from $int_if:network to any -> ($vpn_if)
+
+# my servers available publically
+rdr on $ext_if inet proto   tcp       from !($ext_if)      to ($ext_if) port { 80 443 8080 }      -> $aries
+rdr on $ext_if inet proto   udp       from !($ext_if)      to ($ext_if) port { 51820 }            -> $aries_wg
+rdr on $ext_if inet proto   tcp       from !($ext_if)      to ($ext_if) port   993                -> $hermes
+rdr on $ext_if inet proto { tcp udp } from !($ext_if)      to ($ext_if) port   10011              -> $aries
+#rdr on $ext_if inet proto   tcp       from !($ext_if)      to ($ext_if) port   11371              -> $cert
+
+# specific rules for smtp mail server and spamd
+rdr on $ext_if inet proto   tcp       from !<spamd-white>  to ($ext_if)    port { 25 587 }           -> $hermes #port spamd
+rdr on $ext_if inet proto   tcp       from  <spamd-white>  to ($ext_if)    port { 25 587 }           -> $hermes
+
+# redirect public DNS servers to aries
+rdr on $int_if inet proto { tcp udp } from $int_if:network to <public_dns> port   53                 -> $aries_int
+#rdr on { $int_if $bridge_if $wifi_if } proto { tcp udp } from .... blah blah blah
+
+# openvpn redirect
+#rdr on $vpn_if inet                   from $vpn_if:network to any
+
+# openvpn redirect. need to look at the 'rdr in' and 'rdr out' to see if i can simplify this
+#rdr out on $vpn_if from $vpn_net to any
+#rdr in on $vpn_if from any to any
+
+# redirect DNS servers to aries. retyped above. want to test
+#rdr pass on { $int_if $bridge_if $wifi_if } proto { tcp udp } from $lan_net to <pubdns> -> $aries_int
+
+# anchors
+rdr-anchor "miniupnp"
+
+# deny rouge redirect
+no rdr
+
+#################################################################
+# filtering
+
+# block abusive hosts. quick rules
+block drop in quick on $ext_if           from <non_route> to any
+block drop in quick on $ext_if           from <BLOCKPERM> to any
+block drop in quick on $ext_if proto tcp from <BLOCKTEMP> to any # port != ssh
+block drop in quick on $ext_if proto udp from <BLOCKTEMP> to any
+
+# default blocking rule
+block drop in on $ext_if
+
+# ext_if inbound
+pass in log (all, to pflog0) on $ext_if inet proto tcp from !($ext_if)      to $aries     port { 80 443 8080 } $tcp_state $web_sto
+pass in on $ext_if inet proto udp from !($ext_if)      to $aries_wg  port   51820         $udp_state $open_sto
+pass in on $ext_if inet proto tcp from !($ext_if)      to $hermes    port   993           $tcp_state $open_sto
+pass in on $ext_if inet proto tcp from !($ext_if)      to $aries     port   10011         $tcp_state $open_sto
+pass in on $ext_if inet proto udp from !($ext_if)      to $aries     port   10011         $udp_state $open_sto
+#pass in on $ext_if inet proto tcp from !($ext_if)      to $cert      port   11371         $tcp_state $open_sto
+
+# ext_if inbound - specific rules for mail server and spamd
+pass in on $ext_if inet proto tcp from !<spamd-white> to $hermes    port { 25 587 }    $tcp_state $open_sto
+pass in on $ext_if inet proto tcp from  <spamd-white> to $hermes    port { 25 587 }    $tcp_state $open_sto
+
+# ext_if outbound
+pass out on $ext_if inet proto tcp  from ($ext_if) to !($ext_if) $tcp_state $open_sto
+pass out on $ext_if inet proto udp  from ($ext_if) to !($ext_if) $udp_state $open_sto
+pass out on $ext_if inet proto icmp from ($ext_if) to !($ext_if) $udp_state $open_sto
+
+### WARNING: enabling these between rules will restrict OUTBOUND traffic! (default deny, then allow with next block)
+
+# int_if default block with return (TCP reset)
+#block return in on $int_if inet
+
+# int_if inbound (retrict LAN machines to external clients)
+#pass in on $int_if inet proto tcp  from $int_if:network to any         port { 80 443 } $tcp_state $open_sto
+pass in on $int_if inet proto tcp  from $int_if:network to $aries_int  port   22       $tcp_state $open_sto
+#pass in on $int_if inet proto tcp  from $int_if:network to $aries_int  port   53       $tcp_state $open_sto
+#pass in on $int_if inet proto udp  from $int_if:network to $aries_int  port   53       $udp_state $open_sto
+#pass in on $int_if inet proto udp  from $int_if:network to $aries_int  port   ntp      $udp_state $open_sto
+#pass in on $int_if inet proto icmp from $int_if:network to any         $icmp_ping      $udp_state $open_sto
+
+### WARNING: end
+
+# int_if outbound
+pass out on $int_if inet proto tcp  from $int_if to $int_if:network $tcp_state
+pass out on $int_if inet proto udp  from $int_if to $int_if:network $udp_state
+pass out on $int_if inet proto icmp from $int_if to $int_if:network $udp_state
+
+##################################################
+# openvpn rdr
+##pass out on $vpn_if from $vpn_net to any
+##pass in on $vpn_if from any to any
+
+# vpn_if inbound - openvpn network
+pass in on $vpn_if inet proto tcp  from $vpn_if:network to any $tcp_state $open_sto
+pass in on $vpn_if inet proto udp  from $vpn_if:network to any $udp_state $open_sto
+pass in on $vpn_if inet proto icmp from $vpn_if:network to any $udp_state $open_sto
+
+# vpn_if outbound - openvpn network
+pass out on $vpn_if inet proto tcp  from $vpn_if:network to any $tcp_state $open_sto
+pass out on $vpn_if inet proto udp  from $vpn_if:network to any $udp_state $open_sto
+pass out on $vpn_if inet proto icmp from $vpn_if:network to any $udp_state $open_sto
+
+# anchors
+anchor "miniupnpd"