Created
December 29, 2020 22:46
-
-
Save einyx/3b11b7d944479c567ddcba3f8fab3b8a to your computer and use it in GitHub Desktop.
pf.conf
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## Set your server public IP address ## | |
| ext_if="vio0" | |
| ext_if_ip="" | |
| ## Set and drop these IP ranges on public interface ## | |
| martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \ | |
| 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \ | |
| 0.0.0.0/8, 240.0.0.0/4 }" | |
| webports = "{http, https}" | |
| set reassemble yes no-df | |
| set skip on lo | |
| block return | |
| block out all | |
| # Drop all Non-Routable Addresses | |
| block drop in quick on $ext_if from $martians to any | |
| block drop out quick on $ext_if from any to $martians | |
| ## Blocking spoofed packets | |
| antispoof quick for $ext_if | |
| pass in quick on vio0 inet proto tcp from any to $ext_if_ip port 80 rdr-to 127.0.0.1 port 9091 keep state | |
| pass in quick on vio0 inet proto tcp from any to $ext_if_ip port 443 rdr-to 127.0.0.1 port 9090 | |
| # build user does not need network | |
| block return out log proto {tcp udp} user _pbuild | |
| block drop in log inet proto tcp from any to any port 9100 | |
| block drop in log inet proto tcp from any to any port 64295 | |
| pass in quick inet proto tcp from { } to any port 9100 keep state | |
| pass in quick inet proto tcp from { } to any port 64295 keep state | |
| pass out on $ext_if proto tcp to any port 80 | |
| pass out on $ext_if proto tcp to any port 443 | |
| pass out on $ext_if proto udp to any port 53 keep state | |
| pass out quick on $ext_if proto tcp to any port 123 keep state | |
| pass out on $ext_if proto tcp to 0.0.0.0 port 64295 keep state |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment