pf.conf freebsd kiev server
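# pf.conf for a FreeBSD host with a single Internet-facing interface ($ext_if).
# Filtering follows pf's normal "last matching rule wins" semantics unless a
# rule says "quick". Sections appear in the order pf.conf(5) documents:
# macros, tables, options, normalization, filtering.

#### First declare a couple of variables ####
### Outgoing tcp / udp port ####
### 43 - whois, 22 - ssh ###
# NOTE: "pass out keep state" further down already permits ALL outbound
# traffic, so these lists document intent only; they do not restrict what
# leaves the host (see the "allow outgoing" section).
tcp_services = "{ ssh, smtp, domain, www, https, 22, ntp, 43, 587}"
udp_services = "{ domain, ntp }"
### allow ping / pong ####
icmp_types = "{ echoreq, unreach }"
### Allow IP
# Trusted management hosts: the "pass in ... from $enabled_ip to any" rule
# near the end admits them to every local TCP port.
enabled_ip = "{ 188.231.230.23, 188.231.222.49, 134.249.151.49 }"
# Bogon / private ranges. Currently unused: the rules that reference it are
# commented out below.
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"
# connected to internet
ext_if = "igb0"

#### Options
set limit tables 5000 # default 1000
set limit table-entries 5000000 # default 100000
# unlimited traffic for loopback
# (an option, so it is grouped here with the other "set" lines rather than
# between the filter rules; it applies globally either way)
set skip on {lo0}

#### define tables. add all subnets and ips to block
# <blockedip> is loaded from the file on startup AND receives dynamic entries
# from the www/https overload rule below. NOTE(review): confirm whether a
# ruleset reload repopulates it from the file and drops the dynamic entries.
table <blockedip> persist file "/etc/pf.block.ip.conf"
# Filled by the ssh overload rule below. Entries never age out by themselves;
# expire them from cron, e.g.  pfctl -t ssh-bruteforce -T expire <seconds>
table <ssh-bruteforce> persist
# Maintained by fail2ban (outside this file).
table <fail2ban> persist

#### Normalization
#scrub provides a measure of protection against certain kinds of attacks based on incorrect handling of packet fragments
scrub in all

#### Filtering
# Default policy: reject with TCP RST / ICMP unreachable.
block return
# Drop incoming everything.
# Listed AFTER "block return" on purpose: without "quick" the last match wins,
# so this is the rule that decides unmatched inbound packets (silent drop),
# which is what the comment above says. The old order made "block return"
# win for inbound traffic, answering port scans with RSTs.
block in all
# keep stats of outgoing connections
# (this passes every outbound packet; the "allow outgoing" rules below are
# subsumed by it)
pass out keep state
# activate spoofing protection for all interfaces
block in quick from urpf-failed
#antispoof is a common special case of filtering and blocking. This mechanism protects against activity from spoofed or forged IP addresses
antispoof log for $ext_if
#Block RFC 1918 addresses
# block drop in log (all) quick on $ext_if from $martians to any
# block drop out log (all) quick on $ext_if from any to $martians
# Block all ips
# pfctl -t blockedip -T show
# These table blocks are "quick" and precede the $enabled_ip pass rule, so a
# listed source is cut off even if it is a trusted host. "log (all)" logs every
# packet from a listed source, not only the first one of a connection; expect
# pflog volume to scale with the size of the tables.
block drop in log (all) quick on $ext_if from <blockedip> to any
# block drop out log (all) quick on $ext_if from any to <blockedip>
block drop in log (all) quick on $ext_if from <ssh-bruteforce> to any
block drop out log (all) quick on $ext_if from any to <ssh-bruteforce>
block drop in log (all) quick on $ext_if from <fail2ban> to any
block drop out log (all) quick on $ext_if from any to <fail2ban>
# allow outgoing
# Redundant while "pass out keep state" above is present. To actually limit
# outbound traffic to these services, remove that rule and keep these.
pass out on $ext_if proto tcp to any port $tcp_services
pass out on $ext_if proto udp to any port $udp_services
# Allow trace route
# "><" is an exclusive range: ports 33434 through 33625.
pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state
# Allow incoming ssh, http, bind traffic
# pass in on $ext_if proto tcp from any to any port 25
# ssh: more than 3 new connections in 60 s from one source adds it to
# <ssh-bruteforce> and kills its existing states ("flush global"). This also
# applies to $enabled_ip hosts, which then stay locked out until the entry is
# removed (pfctl -t ssh-bruteforce -T delete <addr>) or expired.
pass in on $ext_if proto tcp from any to any port ssh flags S/SA keep state \
    (max-src-conn-rate 3/60, overload <ssh-bruteforce> flush global)
#pass in on $ext_if proto tcp from $enabled_ip to any
# DNS is reachable from anywhere with no rate limit. If named recurses for
# arbitrary clients this is an open-resolver / amplification exposure --
# TODO confirm it serves authoritative zones only.
pass in on $ext_if proto udp from any to any port domain
pass in on $ext_if proto tcp from any to any port domain flags S/SA synproxy state
# www/https: a source with more than 400 open connections or more than 400
# new connections per second is added to <blockedip> and cut off.
pass in on $ext_if proto tcp from any to any port { www https } flags S/SA keep state \
    (max-src-conn 400, max-src-conn-rate 400/1, overload <blockedip> flush global)
# trusted hosts reach every local TCP port (still subject to the quick table
# blocks above)
pass in on $ext_if proto tcp from $enabled_ip to any
pass inet proto icmp all icmp-type $icmp_types keep state
## add your rule below ##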