### ICMP types that may be permitted: { 0, 3, 4, 8, 11, 12 }
### The commented-out macro names all six; the active macro permits echo request (type 8) only.
#icmp_types = "{ echorep, unreach, squench, echoreq, timex, paramprob }"
icmp_types = "{ echoreq }"
### Define states - keep state is the default
# modulate state is TCP-only (pf rewrites the ISN to a strong random value); UDP must use keep state.
TcpState ="modulate state"
UdpState ="keep state"
### Define stateful tracking options (STO)
# max N                 - total concurrent states the rule using the macro may create (per rule, not per source)
# source-track rule     - track source addresses separately for each rule
# max-src-conn N        - completed TCP connections allowed per source address
# max-src-nodes N       - number of distinct source addresses tracked for the rule
# max-src-conn-rate n/s - new connections per source within s seconds; exceeding it triggers overload
# overload <BLOCKTEMP> flush global - the offending source is added to <BLOCKTEMP> and all of its
#   existing states, from any rule, are killed. The table only blocks traffic if a block rule
#   references it; no such rule is visible in this part of the file - confirm one exists.
# NOTE(review): OpenSTO and WebSTO are defined but not referenced by any rule in this chunk.
OpenSTO ="(max 90000, source-track rule, max-src-conn 1000, max-src-nodes 256)"
SmtpSTO ="(max 200, source-track rule, max-src-conn 10, max-src-nodes 256, max-src-conn-rate 200/30)"
# max 5 caps every SSH rule using this macro at 5 concurrent states in total - confirm intended.
SshSTO ="(max 5, source-track rule, max-src-conn 5, max-src-nodes 5, max-src-conn-rate 5/30, overload <BLOCKTEMP> flush global)"
WebSTO ="(max 4096, source-track rule, max-src-conn 64, max-src-nodes 512, max-src-conn-rate 500/100, overload <BLOCKTEMP> flush global)"
### Tables
### persistent table of permanently banned source IPs, preloaded from the file below
# persist keeps the table loaded even when no rule references it; counters record per-address hits.
# NOTE(review): no rule in this chunk blocks traffic from <BLOCKPERM> - confirm one exists elsewhere.
table <BLOCKPERM> counters persist file "/var/db/pf/pf_block_perm"
### table of suspected brute-force sources, populated by the overload clauses in the STO macros
# Not persisted: entries are lost on reload and do not expire on their own; a periodic
# "pfctl -t BLOCKTEMP -T expire <seconds>" is the usual way to age them out.
table <BLOCKTEMP> counters
#
#
### Options
### by default silently drop blocked packets; do not send a TCP RST or ICMP unreachable reply
set block-policy drop
### Debug verbosity: none for no debug messages, urgent for serious errors only.
set debug urgent
### reorder and combine rules as logic permits (none - basic - profile)
# none keeps the rules exactly in the written order, which the quick/last-match logic below depends on.
set ruleset-optimization none
### do not filter on the loopback interface(s)
set skip on lo0
### do not filter on internal interface - duplicates iptables behaviour
# skip disables filtering in both directions on em0. NOTE(review): if em0 is $int_if, every rule
# below qualified with "on $int_if" is never evaluated - confirm which interface $int_if names.
set skip on em0
### bind state matching to i/f (if-bound) or any (floating [default])
#set state-policy if-bound
### Normalisation
## clean up incoming packets and reassemble fragments
# alternative: additionally clear the DF bit and clamp the TCP MSS to 1440
#scrub in all fragment reassemble no-df max-mss 1440
scrub in all fragment reassemble
### Omit scrub if RFC 1323 timestamp integrity is required
### Queueing
# none - Not available without a custom kernel built with ALTQ
### Network Address Translation
# Translate 192.168.8.0/24 sources to the first address of $ext_if; the parentheses make the
# address dynamic (re-read when the interface changes) and ":0" excludes alias addresses. Logged.
# NOTE(review): this is the classic "nat" rule syntax (FreeBSD pf, OpenBSD before 4.7);
# newer OpenBSD pf expresses it as "match out ... nat-to".
nat log on $ext_if \
from 192.168.8.0/24 \
to any -> ($ext_if:0)
### Filtering
### anti-lockout rule: management access that must survive the default block below
# tcp to every local address ((self), evaluated dynamically) on ports 22 and 10000 from two /26s,
# on any interface. NOTE(review): 216.185.71.0/26 is narrower than the /25 used in the LAN rules
# below, and the purpose of port 10000 is undocumented - confirm both are intended.
pass log quick inet proto tcp \
from { 216.185.71.0/26 192.168.216.0/26 } \
to (self) port { 22 10000 } \
keep state
### allow LAN ssh to ssh
# quick, so on $int_if this wins over the SshSTO-protected LAN rule later in the file;
# LAN-to-LAN ssh therefore gets plain keep state without rate limiting or overload handling.
pass log quick on $int_if proto { tcp } \
from { $int_if:network } \
to { $int_if:network } port $port_ssh \
keep state
### set default action to block everything ELSE
# pf is last-match-wins unless a rule is quick; these two are not quick, so any later pass rule
# that matches (quick or not) overrides them. Outbound gets a return (TCP RST / ICMP unreachable),
# inbound is silently dropped.
block return out log all
block drop in log all
### Allow LAN traffic
# any protocol, LAN to LAN on $int_if; no state keyword, so the pf default (keep state on
# current pf versions) applies
pass quick on $int_if \
from $int_if:network \
to $int_if:network
# same for traffic between the private and public address blocks, including the host itself
pass quick on $int_if \
from { self 192.168.0.0/16 216.185.71.0/25 } \
to { 192.168.0.0/16 216.185.71.0/25 }
### Allow DNS to and from authorised hosts
# inbound queries from anywhere to the resolver on port 53 (domain), tcp and udp
pass log quick proto { tcp udp } \
from any \
to $host_dns port domain keep state
# NOTE(review): outbound is not restricted by port - $host_dns may open any tcp/udp
# connection anywhere; "to any port domain" would limit it to upstream resolvers.
pass log quick proto { tcp udp } \
from $host_dns \
to any keep state
### Allow HTTP from authorised hosts
# outbound web from local addresses; no state keyword, so the pf default (keep state) applies
pass quick proto { tcp } \
from { self 192.168.0.0/16 216.185.71.0/25 } \
to any port $port_http
# inbound web from anywhere to the web host. NOTE(review): $WebSTO is defined above but not
# applied here, so inbound HTTP has no per-source connection limit or overload handling;
# appending "$TcpState $WebSTO" as the SMTP and SSH rules do would enable it - confirm intended.
pass quick proto { tcp } \
from any \
to $host_http port $port_http
### Allow NTP from authorised hosts
# inbound ntp (udp 123) from the two local ranges to the time server
# (the next line has no space before the continuation backslash; harmless but inconsistent)
pass quick proto { udp }\
from { 192.168.8.0/24 216.185.71.0/25 } \
to $host_ntp port ntp keep state
# NOTE(review): outbound from $host_ntp is any udp port to anywhere; "to any port ntp"
# would restrict it to upstream time servers.
pass quick proto { udp } \
from $host_ntp \
to any
### Allow SMTP from authorised hosts
# inbound mail from anywhere to the mail host: ISN modulation plus SmtpSTO limits
# (10 connections per source, 200 new connections per source per 30 s, 200 states total for the rule)
pass log quick proto { tcp } \
from any \
to $host_smtp port $port_smtp \
$TcpState $SmtpSTO
# outbound mail from the mail host to any remote MTA, same limits
pass log quick proto { tcp } \
from $host_smtp \
to any port $port_smtp \
$TcpState $SmtpSTO
### Allow SSH from authorised hosts
# LAN to LAN ssh with SshSTO. NOTE(review): the earlier quick "allow LAN ssh to ssh" rule and the
# "Allow LAN traffic" rules match this traffic first on $int_if, so this rule only sees LAN-addressed
# ssh arriving on other interfaces - the SshSTO limits do not apply to ssh on the LAN itself.
pass log quick proto { tcp } \
from { $int_if:network } \
to { $int_if:network } port $port_ssh \
$TcpState $SshSTO
# outbound ssh from the host itself and from trusted hosts to anywhere
pass log quick proto { tcp } \
from { self $host_trust } \
to any port $port_ssh \
$TcpState $SshSTO
# inbound ssh from anywhere to the ssh host: 5 connections per source, 5 new per source per 30 s;
# sources exceeding that go to <BLOCKTEMP> and have all their states flushed. max 5 also caps
# this rule at 5 concurrent states in total, i.e. at most 5 remote sessions overall.
pass log quick proto { tcp } \
from any \
to $host_ssh port $port_ssh \
$TcpState $SshSTO
### Allow icmp ping and traceroute
# Allow select ICMP types in and PING to leave the server
# "all" = from any to any, both directions; only echoreq is active in $icmp_types, echo replies
# pass via the state entry. Not quick: it overrides the default block by last-match only because
# it appears later in the file.
pass inet proto icmp all icmp-type $icmp_types keep state
# Traceroute: outbound UDP probes on $ext_if; >< is an exclusive range, so ports 33434-33625
pass out quick on $ext_if inet proto udp \
from any \
to any port 33433 >< 33626 keep state