# #############################
# ##### Section 1: MACROS #####
# #############################
#
# Interfaces facing untrusted networks. Every "on { $wan_if }" rule in
# Section 7 is scoped to these; rules without "on" apply to all interfaces.
wan_if = "vlan420 vlan421 vlan901 vlan902 vlan903 vlan904"
# Interfaces pf does not touch at all ("set skip" in Section 3): no filtering,
# no state, no logging on them.
# NOTE(review): tap/tun are typically VPN endpoints; with skip set, traffic
# arriving through a tunnel is never inspected here -- confirm that is intended.
skip_if = "lo tap tun vlan210"
# Port lists expanded into the blanket block rules in Section 7. pf port
# syntax: single values and low:high ranges, comma separated.
TCP_DROP = "0, 7, 9, 13, 17, 19, 69, 111, 135:139, 389, 445, 547, 1433, 1444, 1900"
# NOTE(review): 0:52 already covers 38:52, and 389 lies inside 162:442; the
# duplicates are harmless but expand into redundant rules. 53 (DNS), 68 (DHCP
# client), 123 (NTP, handled separately below) and 161 are deliberately left
# out of the ranges.
UDP_DROP = "0:52, 38:52, 54:67, 69:112, 114:122, 124:160, 162:442, 389, 444:449, 501:1024"
# Ports blocked only for hosts whose TCP SYN fingerprints as Windows (last
# block rule in Section 7).
# NOTE(review): the final entry 53321 sits next to 54320 and looks like it may
# be a typo for 54321 -- confirm against the intended list.
WIN_DROP = "135, 137, 138, 139, 411, 445, 552, 800, 1080, 1214, 1433, 2283, 2535, 2745, 3127, 3128, 3410, 4662, 4672, 5554, 6158, 6881:6889, 8787, 9898, 10080, 12345, 12346, 15118, 17300, 20034, 31337, 31338, 54320, 53321"
# #############################
# ##### Section 2: TABLES #####
# #############################
# "persist" keeps a table in the kernel even while no rule references it.
# Tables without "file" start empty and are filled at runtime (pfctl -t ... -T add
# or an equivalent tool); tables with "file" are loaded from that file when the
# ruleset is loaded, so each listed file must exist at that moment.
# Short-lived manual blocks; both directions on $wan_if (Section 7).
table <ext_block> persist
# Special-purpose / non-routable address blocks; blocked both ways on $wan_if.
table <RFC6890> persist file "/etc/pf/rfc6890.txt"
# Threat-feed netsets (labelled "FireHOL Threats Database" in Section 7).
# NOTE(review): feeds of this kind can be large; keep the "table-entries"
# limit in Section 3 above the combined size of all file-backed tables.
table <attacks> persist file "/etc/pf/attacks.netset"
table <malware> persist file "/etc/pf/malware.netset"
# Locally maintained block / allow lists.
table <ext_blacklist> persist file "/etc/pf/ext_blacklist.txt"
table <ext_whitelist> persist file "/etc/pf/ext_whitelist.txt"
# Runtime-populated tables -- presumably by sshguard and by the IDPS named in
# the labels below; nothing in this file fills them.
table <sshguard> persist
table <idps_in> persist
table <idps_out> persist
# Addresses treated as the trusted network on the WAN side (passed before the
# RFC6890 block, so private ranges listed here are still allowed).
table <ext_lan> persist file "/etc/pf/ext_lan.txt"
# The only peers allowed to open BGP (tcp/179) sessions. "const" makes the
# table read-only after load, so a change requires a ruleset reload.
# NOTE(review): both entries look like placeholder values -- confirm they are
# the real peer addresses before deploying.
table <ext_bgp> const { 111.111.111.111, 2001:2001:2001::1 }
# #####################################
# ##### Section 3: GLOBAL OPTIONS #####
# #####################################
#
# Blocked packets are dropped silently instead of answered with TCP RST /
# ICMP unreachable, so probes learn nothing from the block rules.
set block-policy drop
# OS fingerprint database used by the os "Windows" rule in Section 7.
set fingerprints "/etc/pf.os"
# Kernel memory pool sizes. "table-entries" caps the total number of entries
# across all tables, including the file-backed feeds in Section 2.
set limit { frags 10000, src-nodes 100000, states 1250000, table-entries 500000 }
# Packet/byte counters for "pfctl -s info"; "vlan" is presumably the interface
# group rather than a single interface -- verify on the running system.
set loginterface vlan
# Shorter default state timeouts; the explicit "set timeout" lines below take
# precedence over the profile for the keys they name.
set optimization aggressive
# Lets pfctl drop duplicate rules produced when the macros expand, without
# reordering anything.
set ruleset-optimization basic
# See $skip_if in Section 1: these interfaces bypass pf entirely.
set skip on { $skip_if }
# States are not bound to the interface that created them; needed when a
# connection can be seen on more than one of the WAN VLANs.
set state-policy floating
# Timeouts in seconds.
set timeout { interval 10, frag 10 }
# Established TCP sessions expire after one idle hour; handshake and teardown
# states are kept short to limit the cost of unanswered SYNs.
set timeout { tcp.first 15, tcp.opening 10, tcp.established 3600, tcp.closing 10, tcp.finwait 15, tcp.closed 15 }
set timeout { udp.first 60, udp.single 15, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
# ############################################
# ##### Section 4: TRAFFIC NORMALIZATION #####
# ############################################
#
scrub all fragment reassemble random-id no-df
# #####################################
# ##### Section 5: QUEUEING RULES #####
# #####################################
# ##############################################
# ##### Section 6: TRANSLATION RULES (NAT) #####
# ##############################################
# ###################################
# ##### Section 7: FILTER RULES #####
# ###################################
#
# Every rule below carries "quick": the first matching rule decides and the
# rest are not evaluated, so the order in this section IS the policy.
#
# Packets arriving on a WAN interface with a source address from that
# interface's own network are spoofed; drop and log them.
antispoof log quick for { $wan_if }
# urpf-failed: the source is not reachable back through the arrival
# interface. no-route: there is no route to the source at all.
block in log quick from { urpf-failed no-route } to any
# ICMPv6 that IPv6 cannot work without: 1 unreachable, 2 packet too big
# (PMTUD), 128/129 echo, 133/134 router solicitation/advertisement,
# 135/136 neighbour solicitation/advertisement.
# NOTE(review): these pass rules precede every block-list rule below, so a
# source listed in <ext_block>, <RFC6890>, <attacks> etc. can still deliver
# types 1, 2, 135 and 136 -- confirm that is acceptable.
pass in log quick inet6 proto ipv6-icmp from {any} to {any} icmp6-type {1,2,135,136} keep state label "IPv6 requirements (ICMP)"
pass out log quick inet6 proto ipv6-icmp from {fe80::/10} to {fe80::/10,ff02::/16} icmp6-type {129,133,134,135,136} keep state label "IPv6 requirements (ICMP)"
pass in log quick inet6 proto ipv6-icmp from {fe80::/10} to {fe80::/10,ff02::/16} icmp6-type {128,133,134,135,136} keep state label "IPv6 requirements (ICMP)"
pass in log quick inet6 proto ipv6-icmp from {ff02::/16} to {fe80::/10} icmp6-type {128,133,134,135,136} keep state label "IPv6 requirements (ICMP)"
# Manual block list, both directions, evaluated before the trusted network and
# the whitelist: an address that is in both <ext_block> and <ext_whitelist>
# stays blocked.
block in log quick on { $wan_if } from { <ext_block> } to { any } label "Temporary external blacklist"
block out log quick on { $wan_if } from { any } to { <ext_block> } label "Temporary external blacklist"
# Trusted network: passes before the RFC6890 block, so private ranges listed
# in <ext_lan> are reachable across the WAN VLANs.
pass in log quick on { $wan_if } from { <ext_lan> } to { any } keep state label "Trusted network"
pass out log quick on { $wan_if } from { any } to { <ext_lan> } keep state label "Trusted network"
# Special-purpose / non-routable address space must not appear on the WAN.
block in log quick on { $wan_if } from { <RFC6890> } to { any } label "DROP: RFC6890 Special-Purpose IP Address Registries"
block out log quick on { $wan_if } from { any } to { <RFC6890> } label "DROP: RFC6890 Special-Purpose IP Address Registries"
# NTP: accept inbound udp/123 from one source only, then drop every other
# inbound packet with NTP as source or destination port. Replies to our own
# outbound queries match the state created by "pass quick all" below and are
# not affected by the two block rules. None of the three rules is logged.
# NOTE(review): the pass rule has no explicit "keep state"; on current pf
# "pass" keeps state by default -- verify on the target version.
pass in quick on { $wan_if } inet proto { udp } from { 164.67.62.194 } to { any } port { 123 }
block in quick on { $wan_if } inet proto { udp } from { any } port { 123 } to { any }
block in quick on { $wan_if } inet proto { udp } from { any } to { any } port { 123 }
# Permanent whitelist. Placed after <ext_block> and <RFC6890> but before the
# threat feeds, <ext_blacklist>, <sshguard> and the IDPS tables, so a
# whitelisted address overrides those later lists only.
pass in log quick on { $wan_if } from { <ext_whitelist> } to any keep state label "Permanent whitelist"
pass out log quick on { $wan_if } from any to { <ext_whitelist> } keep state label "Permanent whitelist"
# Threat-feed tables loaded in Section 2.
block in log quick on { $wan_if } from { <attacks>, <malware> } to { any } label "FireHOL Threats Database"
block out log quick on { $wan_if } from { any } to { <attacks>, <malware> } label "FireHOL Threats Database"
# Only the peers in <ext_bgp> may open a BGP session to us; everyone else is
# dropped and logged.
block in log quick on { $wan_if } proto { tcp } from { !<ext_bgp> } to any port { 179 } label "DROP: Incoming BGP"
# Locally maintained dynamic block list, both directions.
block in log quick on { $wan_if } from { <ext_blacklist> } to any label "DROP: Dynamic Block List"
block out log quick on { $wan_if } from any to { <ext_blacklist> } label "DROP: Dynamic Block List"
# Tables filled at runtime by external tools (see Section 2). <sshguard> and
# <idps_in> are checked inbound only, <idps_out> outbound only.
block in log quick on { $wan_if } from { <sshguard> } to any label "DROP: SSH bruteforce"
block in log quick on { $wan_if } from { <idps_in> } to { any } label "IDPS captured incoming packet"
block out log quick on { $wan_if } from { any } to { <idps_out> } label "IDPS captured outgoing packet"
# Blanket port blocks in both directions on the WAN. Each list entry expands
# into its own rule; $srcport / $dstport in the label are pf label macros
# filled with the port of the expanded rule (not Section 1 macros), so the
# log shows which port matched.
block log quick on { $wan_if } proto { tcp } from any port { $TCP_DROP } to any label "TCP $srcport"
block log quick on { $wan_if } proto { tcp } from any to any port { $TCP_DROP } label "TCP $dstport"
block log quick on { $wan_if } proto { udp } from any port { $UDP_DROP } to any label "UDP $srcport"
block log quick on { $wan_if } proto { udp } from any to any port { $UDP_DROP } label "UDP $dstport"
# Windows-specific port block. No "on" and no direction, so it applies on
# every non-skipped interface in both directions, LAN included.
# NOTE(review): OS fingerprinting works on TCP SYNs only, and pfctl may reject
# "os" on the udp expansion of this rule -- confirm the ruleset actually loads.
block log quick proto { tcp, udp } from any os "Windows" to any port { $WIN_DROP } label "DROP: Windows"
# Default: everything not matched above passes, in every direction and on
# every interface. This includes unsolicited inbound connections on $wan_if to
# any port not listed in $TCP_DROP / $UDP_DROP -- the ruleset is a block list,
# not default-deny. Nothing reaching this rule is logged.
pass quick all