@rodrigobaron
Created July 20, 2011 02:57
Basic rules for packet filter
#Author: B4R0n
#Organization: geekvigarista.com
#Thanks to: Alexandre, Carlos, C00ler_, D3lf0, Tito, Sexta ...
#
#my network interfaces (FreeBSD-style names; a list macro expands in every rule that uses it)
if_ext = "{ re0 wlan0 }"
#table of offending hosts; "persist" keeps the table even when no rule references it
table <fdp> persist
# do not filter on the loopback interface
set skip on lo0
#normalize packet traffic, discarding malformed packets (classic scrub syntax: FreeBSD / OpenBSD before 4.6)
scrub all no-df fragment reassemble min-ttl 15 max-mss 1400
#outbound traffic: keep state with randomized initial sequence numbers, bound to the interface it left on
pass out all modulate state (if-bound)
#inbound TCP: only SYN-without-ACK creates state, and the kernel completes the handshake first (synproxy)
pass in on $if_ext proto tcp from any to any flags S/SA synproxy state
#rule to catch packets with forged (spoofed) source addresses
antispoof for $if_ext inet
#block nmap scans: default scans, portscans and fingerprint scans
#fingerprint / spoofing
block in from no-route to any
block in from urpf-failed to any
block in quick on $if_ext from any to 255.255.255.255
#nmap scans (flags a/b matches when the flags in b, masked out of the packet, equal a)
block in quick on $if_ext proto tcp flags FUP/WEUAPRSF
block in quick on $if_ext proto tcp flags WEUAPRSF/WEUAPRSF
block in quick on $if_ext proto tcp flags SRAFU/WEUAPRSF
block in quick on $if_ext proto tcp flags /WEUAPRSF
block in quick on $if_ext proto tcp flags SR/SR
block in quick on $if_ext proto tcp flags SF/SF
block in quick on $if_ext proto tcp from any to any flags FUP/FUP
#block the OS scan (passive fingerprint "NMAP" from pf.os)
block in log quick on $if_ext from any os "NMAP" to any label "ExtNMAPScan"
#limit each source to 6 SSH connection attempts per minute; sources over the limit land in <fdp> and lose all their states
block in quick from <fdp>
pass in log inet proto tcp from any to any port ssh flags S/SA synproxy state (max-src-conn-rate 6/60, overload <fdp> flush global)
#block ping requests
block in inet proto icmp all icmp-type echoreq
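The scan-blocking rules above rely on pf's "flags a/b" semantics: a packet matches when the flags named in b, taken from the packet, are exactly the flags named in a. The following is an added example, not code from the gist, that emulates that check in Python so the seven quick block rules and the "flags S/SA" pass rules can be tried against constructed packets; the rule order and flag letters are the gist's, everything else is assumed.

```python
# Added example (not part of the gist): emulate pf "flags a/b" matching
# for the nmap block rules and the "S/SA" pass rules in the ruleset above.
# A rule "flags a/b" matches when (tcp_flags & b) == a.
TCP_FLAGS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "E": 0x40, "W": 0x80}

# The quick block rules from the gist, in the order pf evaluates them
# ("quick" means the first matching rule ends evaluation).
BLOCK_FLAG_RULES = [
    "FUP/WEUAPRSF",        # Xmas scan: only FIN, URG and PSH set
    "WEUAPRSF/WEUAPRSF",   # every flag set
    "SRAFU/WEUAPRSF",      # exactly SYN, RST, ACK, FIN and URG
    "/WEUAPRSF",           # null scan: no flags at all
    "SR/SR",               # SYN and RST together, other flags ignored
    "SF/SF",               # SYN and FIN together, other flags ignored
    "FUP/FUP",             # FIN, URG and PSH set, other flags ignored
]

def flagmask(spec: str) -> int:
    """Turn a pf flag string such as 'FUP' into a bitmask ('' -> 0)."""
    return sum(TCP_FLAGS[c] for c in spec)

def parse_rule(spec: str):
    """'FUP/WEUAPRSF' -> (flags that must be set, flags that are examined)."""
    set_part, mask_part = spec.split("/")
    return flagmask(set_part), flagmask(mask_part)

def rule_matches(spec: str, pkt_flags: int) -> bool:
    want, mask = parse_rule(spec)
    return (pkt_flags & mask) == want

def blocked_by(pkt_flags: int):
    """Return the first quick block rule the packet hits, or None."""
    for spec in BLOCK_FLAG_RULES:
        if rule_matches(spec, pkt_flags):
            return spec
    return None

def is_new_connection(pkt_flags: int) -> bool:
    """The pass rules use 'flags S/SA': SYN set, ACK clear, others ignored."""
    return rule_matches("S/SA", pkt_flags)

if __name__ == "__main__":
    # Constructed sample packets: (description, flags present).
    samples = [("normal SYN", "S"), ("ECN-capable SYN", "SEW"), ("SYN-ACK", "SA"),
               ("Xmas scan", "FPU"), ("null scan", ""), ("SYN+FIN", "SF"),
               ("all flags", "WEUAPRSF")]
    for name, flags in samples:
        f = flagmask(flags)
        print(f"{name:16} blocked by: {str(blocked_by(f)):20} new conn: {is_new_connection(f)}")
```

Note that an ECN-capable SYN (S, E and W set) still satisfies "S/SA", so it is not caught by any of the block rules and is allowed to create state.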