LaurentFough · April 14, 2021 23:03
diff --git a/pf.conf b/pf.conf
 #       $OpenBSD: pf.conf,v 1.52 2013/02/13 23:11:14 halex Exp $
 #
 # See pf.conf(5) for syntax and examples.
 #
 # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
 # in /etc/sysctl.conf if packets are to be forwarded between interfaces.

 ### Macros

 # system

 ext_if = "em0"
 ext_if_inet = "10.0.2.15"
 ext_if_inet6 = "2607:f700:1234:2::15"

 int_if = "em1"
 int_if_inet = "10.0.3.15"
 int_if_inet6 = "2607:f700:abcd:3::1"

 # networks

 int_inet_net = "10.0.3.0/24"
 int_inet6_net = "2607:f700:abcd:3::/64"

 # hosts

 bastion_int_inet = "10.0.3.11"

 app_int_inet = "10.0.3.21"
 app_ext_inet = "208.87.29.16"

 # other

 icmp_types="echoreq"

 ### Tables

 # black holes
 table <bruteforce> persist
 table <abusivehosts> persist

 # extremely trusted hosts
 table <trusted_hosts_inet> persist file "/etc/pf/trusted_hosts_inet"
 table <trusted_hosts_inet6> persist file "/etc/pf/trusted_hosts_inet6"

 ### Policies

 ## sane default options
 # http://www.openbsd.org/faq/pf/options.html

 # only generate debug messages for serious errors
 set debug urgent

 # gather statistics for interface 
 # can only do one, may be expensive
 set loginterface em0

 # built-in optimizations for network environment
 set optimization normal

 # increase the default state limit from 10,000 on busy systems
 # set limit states 100000

 # dropping is less expensive than rejecting
 set block-policy drop

 # provide some protection against address spoofing
 antispoof quick for { lo0 $int_if $ext_if } 

 # don't filter loopback
 set skip on lo0


 # default block policy
 block log

 # block undesired traffic up-front
 anchor "blacklist" {

  # block rate-limited bad actors
  block quick log from { <bruteforce> <abusivehosts> }

  # block unwanted services
  block quick log on { $int_if $ext_if } \
    proto {tcp, udp} \
    from any to any port { 111 67 }

 }

 # scrub incoming packets
 # no-df is so scrubbing plays nice with NFS, 
 # which is known to generate fragmented packets
 # with the don't-fragment bit set... ;
 # random-id is used due to some OS's rather
 # pathetically predictable (zero) id headers
 # this is only for improved security, though, 
 # so if it seems like it may be causing issues, 
 # feel free to pull it
 match in all scrub (no-df random-id)

 # provide outbound nat for permitted traffic
 # but hold off on nat-ing until explicitly passed
 match out on $ext_if from $int_inet_net to any \
  nat-to $ext_if_inet

 ## start poking holes

 # Permit rate-limited ICMP
 pass inet proto icmp all icmp-type $icmp_types \
  keep state (max-src-conn-rate 6/4, overload <abusivehosts> flush global)
 pass inet6 proto icmp6 all icmp6-type $icmp_types \
  keep state (max-src-conn-rate 6/4, overload <abusivehosts> flush global)

 # Allow *very* trusted hosts
 anchor "whitelist" {

  pass out quick log on $ext_if from { $ext_if_inet, $ext_if_inet6 }
  pass in quick log on $ext_if inet from <trusted_hosts_inet>
  pass in quick log on $ext_if inet6 from <trusted_hosts_inet6>

 }

 anchor "proxies" {

  # Port forward for bastion and prevent brute-forcing of SSHD
  pass in log on $ext_if proto tcp from any \
    to $ext_if_inet port 2222 flags S/SA synproxy state \
    (max-src-conn 40, max-src-conn-rate 5/10, \
    overload <bruteforce> flush global) \
    rdr-to $bastion_int_inet port 22

 }

 anchor "nats" {
  anchor "inbound" {
    # 1:1 NAT
    pass quick log on $ext_if from $app_int_inet binat-to $app_ext_inet
  }
  anchor "outbound" {
    # Outbound SNAT
    pass out log on $ext_if from $int_inet_net nat-to $ext_if_inet
  }
 }

 ### End Rules
 #
 # Comments
 # 
 # One of the confusing things about pf is that the rules are
 # applied as "last matching rule wins", which is counter-intuitive
 # for any who learned packet filtering on Linux.
 #
 # The exception to this rule is the use of the "quick" keyword,
 # which has the effect of cancelling any further rule-processing.
 #
 # This ruleset is designed to exercise a lot of the core concepts of 
 # pf (macros, tables, anchors and syntax) while providing a reasonable
 # default gateway configuration. None of this is gospel best-practice,
 # and adaptation to best suit the environment in which it is deployed
 # is highly encouraged.
 #
	# $OpenBSD: pf.conf,v 1.52 2013/02/13 23:11:14 halex Exp $
	#
	# See pf.conf(5) for syntax and examples.
	#
	# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
	# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

	### Macros

	# system

	ext_if = "em0"
	ext_if_inet = "10.0.2.15"
	ext_if_inet6 = "2607:f700:1234:2::15"

	int_if = "em1"
	int_if_inet = "10.0.3.15"
	int_if_inet6 = "2607:f700:abcd:3::1"

	# networks

	int_inet_net = "10.0.3.0/24"
	int_inet6_net = "2607:f700:abcd:3::/64"

	# hosts

	bastion_int_inet = "10.0.3.11"

	app_int_inet = "10.0.3.21"
	app_ext_inet = "208.87.29.16"

	# other

	icmp_types="echoreq"

	### Tables

	# black holes
	table <bruteforce> persist
	table <abusivehosts> persist

	# extremely trusted hosts
	table <trusted_hosts_inet> persist file "/etc/pf/trusted_hosts_inet"
	table <trusted_hosts_inet6> persist file "/etc/pf/trusted_hosts_inet6"

	### Policies

	## sane default options
	# http://www.openbsd.org/faq/pf/options.html

	# only generate debug messages for serious errors
	set debug urgent

	# gather statistics for interface
	# can only do one, may be expensive
	set loginterface em0

	# built-in optimizations for network environment
	set optimization normal

	# increase the default state limit from 10,000 on busy systems
	# set limit states 100000

	# dropping is less expensive than rejecting
	set block-policy drop

	# provide some protection against address spoofing
	antispoof quick for { lo0 $int_if $ext_if }

	# don't filter loopback
	set skip on lo0


	# default block policy
	block log

	# block undesired traffic up-front
	anchor "blacklist" {

	# block rate-limited bad actors
	block quick log from { <bruteforce> <abusivehosts> }

	# block unwanted services
	block quick log on { $int_if $ext_if } \
	proto {tcp, udp} \
	from any to any port { 111 67 }

	}

	# scrub incoming packets
	# no-df is so scrubbing plays nice with NFS,
	# which is known to generate fragmented packets
	# with the don't-fragment bit set... ;
	# random-id is used due to some OS's rather
	# pathetically predictable (zero) id headers
	# this is only for improved security, though,
	# so if it seems like it may be causing issues,
	# feel free to pull it
	match in all scrub (no-df random-id)

	# provide outbound nat for permitted traffic
	# but hold off on nat-ing until explicitly passed
	match out on $ext_if from $int_inet_net to any \
	nat-to $ext_if_inet

	## start poking holes

	# Permit rate-limited ICMP
	pass inet proto icmp all icmp-type $icmp_types \
	keep state (max-src-conn-rate 6/4, overload <abusivehosts> flush global)
	pass inet6 proto icmp6 all icmp6-type $icmp_types \
	keep state (max-src-conn-rate 6/4, overload <abusivehosts> flush global)

	# Allow very trusted hosts
	anchor "whitelist" {

	pass out quick log on $ext_if from { $ext_if_inet, $ext_if_inet6 }
	pass in quick log on $ext_if inet from <trusted_hosts_inet>
	pass in quick log on $ext_if inet6 from <trusted_hosts_inet6>

	}

	anchor "proxies" {

	# Port forward for bastion and prevent brute-forcing of SSHD
	pass in log on $ext_if proto tcp from any \
	to $ext_if_inet port 2222 flags S/SA synproxy state \
	(max-src-conn 40, max-src-conn-rate 5/10, \
	overload <bruteforce> flush global) \
	rdr-to $bastion_int_inet port 22

	}

	anchor "nats" {
	anchor "inbound" {
	# 1:1 NAT
	pass quick log on $ext_if from $app_int_inet binat-to $app_ext_inet
	}
	anchor "outbound" {
	# Outbound SNAT
	pass out log on $ext_if from $int_inet_net nat-to $ext_if_inet
	}
	}

	### End Rules
	#
	# Comments
	#
	# One of the confusing things about pf is that the rules are
	# applied as "last matching rule wins", which is counter-intuitive
	# for any who learned packet filtering on Linux.
	#
	# The exception to this rule is the use of the "quick" keyword,
	# which has the effect of cancelling any further rule-processing.
	#
	# This ruleset is designed to exercise a lot of the core concepts of
	# pf (macros, tables, anchors and syntax) while providing a reasonable
	# default gateway configuration. None of this is gospel best-practice,
	# and adaptation to best suit the environment in which it is deployed
	# is highly encouraged.
	#