Firewall (pf)
The firewall of choice is pf as it is one of the top performing packet filters for FreeBSD.
Rules
Since I want this server to be as close to a router replacement as possible, I wanted to make adding hosts to the port-forward list simple. Because the firewall NATs from the public side to the private network, the rdr rules are listed before the pass rules.
DNS Redirect
I also wanted to ensure that this machine is the only place any device on my local network goes for DNS lookups. To do this, I created an IP table, /etc/pf_public_dns.table, containing the most popular public DNS servers. Any device that tries to connect to one of these servers is redirected to my DNS server (also located on aries).
VPN
Currently pf manages the routes to and from the OpenVPN network (10.8.0.0/16); however, this will change in the future as I am migrating from OpenVPN to WireGuard.
Spam IP Blocklist
There are plans to incorporate IP blocking of spammers in pf in the future. That blocking should live on the firewall of hermes instead, so that aries does not lose its definition as a router replacement.
Abusive IP Blocklist
You may notice the BLOCKTEMP and BLOCKPERM tables. These tables are used to block abusive hosts, which are identified from the number of bad requests to my web server: if an IP produces more than 10 4xx/5xx responses within a 24 hour period, it is added to the BLOCKTEMP table.
You can see the code in the webabuse.pl file. I've added the line system("/bin/sh", "/usr/local/etc/email_abusive_ip_logs.sh", "$ip_ext"); so that I get an emailed report whenever an IP is added to the blocklist.
Note that the blocklist is cleared whenever the firewall or the server is restarted.
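As an added example, not the page's own pf.conf, the ruleset below ties the sections above together: NAT with the rdr rules listed before any pass rule, the public-DNS redirect driven by /etc/pf_public_dns.table, the OpenVPN passes for 10.8.0.0/16, and the BLOCKTEMP/BLOCKPERM tables checked before traffic is passed. The interface names (em0, em1, tun0), the LAN prefix, the resolver and internal web host addresses and the OpenVPN port are assumptions standing in for the real values.

```pf
# Added example ruleset, not the page's own. Interfaces, addresses and
# host names are assumptions; only the table path and VPN prefix come
# from the page.
ext_if     = "em0"             # assumed public-facing interface
int_if     = "em1"             # assumed LAN interface
lan        = "192.168.1.0/24"  # assumed LAN prefix
vpn        = "10.8.0.0/16"     # OpenVPN network
dns_server = "192.168.1.1"     # assumed LAN address of this host's resolver
web_host   = "192.168.1.10"    # assumed internal host behind a port forward

# Tables. public_dns is loaded from the file of popular public resolvers,
# one address per line. BLOCKTEMP/BLOCKPERM are "persist" so they exist
# even when empty, but with no file their entries live only in kernel
# memory and are gone after a reboot or a pf restart.
table <public_dns> persist file "/etc/pf_public_dns.table"
table <BLOCKTEMP>  persist
table <BLOCKPERM>  persist

set skip on lo0
scrub in all

# Translation section: pf requires nat/rdr here, ahead of the filter
# rules, so every rdr appears before the first pass.
nat on $ext_if from $lan to any -> ($ext_if)

# Port forwards. Adding a host is a new macro plus one rdr line;
# the destination port is kept when the redirect target has none.
rdr on $ext_if inet proto tcp from any to ($ext_if) port { 80, 443 } -> $web_host

# DNS redirect: LAN clients talking to any listed public resolver are
# sent to the local resolver instead.
rdr on $int_if inet proto { tcp, udp } from $lan to <public_dns> port 53 -> $dns_server port 53

# Filtering section. Default deny, then drop abusive hosts before any
# pass rule can match them.
block in log all
block in quick on $ext_if from <BLOCKPERM> to any
block in quick on $ext_if from <BLOCKTEMP> to any

pass out all keep state
pass in on $int_if from $lan to any keep state

# The rdr above has already rewritten the destination, so the pass rule
# matches the internal address, not the external one.
pass in on $ext_if inet proto tcp from any to $web_host port { 80, 443 } flags S/SA keep state

# OpenVPN: the tunnel itself (assumed default UDP port) and routed
# traffic from the VPN network into the LAN and to the resolver.
pass in on $ext_if inet proto udp from any to ($ext_if) port 1194 keep state
pass in on tun0 from $vpn to { $lan, $dns_server } keep state
```

Check the file with pfctl -nf /etc/pf.conf before loading it. An abuse script can add a host with pfctl -t BLOCKTEMP -T add ADDRESS and pfctl -t BLOCKTEMP -T expire 86400 removes entries older than 24 hours; pfctl -t BLOCKTEMP -T show lists what is currently blocked, which is the only record of the table's contents since it is not backed by a file.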