##############################
# General configuration for pf
##############################
# NOTE(review): this is a pfSense-style generated pf ruleset (rules.debug
# layout) that the page renderer flattened onto a few lines. Several pf
# table references of the form <name> appear to have been dropped as if they
# were HTML tags: see the bare "table persist" lines and the empty *__NETWORK
# and bogons macros below, and the "from to" rules further down. Addresses
# written as a.b.c.d / a.b.c.d50 are redaction placeholders, not pf syntax.
# As printed, this text would not load with pfctl; treat it as an audit
# transcript of the live ruleset, not a loadable file. pf evaluates filter
# rules in order; a "quick" rule that matches ends evaluation, so rule order
# below is significant.
set hostid 0xfacff780
# States are bound to the interface they were created on: a packet for an
# existing state arriving on another interface does not match that state.
set state-policy if-bound
set limit table-entries 1000000
set optimization normal
# Hard ceilings on the state and source-tracking tables; once reached, new
# connections are not tracked (and are therefore dropped by the default deny).
set limit states 389000
set limit src-nodes 389000
##############################
# Aliases used by the firewall
##############################
# System-defined aliases for interfaces
loopback = "{ lo0 }"
WAN = "{ igc3 }"
# NOTE(review): the table name between "persist" and "{" is missing on the
# four interface-network tables below, and the matching *__NETWORK macros are
# empty. That pattern is consistent with a stripped <name> token rather than
# with the generator emitting nothing; confirm against the original file,
# since $LAN__NETWORK is used as a source match in the user LAN rules below.
table persist { 100.40.118.0/24 }
WAN__NETWORK = ""
LAN = "{ igc2 }"
table persist { 192.168.1.0/24 }
LAN__NETWORK = ""
IPsec = "{ enc0 }"
table persist { }
ENC0__NETWORK = ""
WireGuard = "{ WireGuard }"
table persist { }
WIREGUARD__NETWORK = ""
# System-defined aliases available to the user
# Bogon prefixes loaded from a file. The definition is printed twice; pf
# accepts a repeated table definition (the later one wins) so this is
# redundant rather than harmful.
table persist file "/etc/bogons"
bogons = ""
table persist file "/etc/bogons"
bogons = ""
#SSH Lockout Table
# NOTE(review): table name missing here as well (see the sshguard rule below).
table persist
#Snort tables
# NOTE(review): two table definitions with no name or contents; presumably the
# IDS/anti-virus block tables referenced by the "snort2c" and "virusprot"
# rules below — verify against the original file.
table
table
_nexus_vpn_port_ = "{ }"
# NOTE(review): names missing and "-----" is not pf syntax; this looks like
# redaction of additional prefixes rather than the generator's output.
table { 192.168.2.0/24 ----- }
table { 192.168.2.0/24 ----- }
# Built-in address-class tables. Each table gets a companion macro so rules
# can reference it either as <_name_> or $_name_. Only <_nat64reserved_> is
# actually referenced by a rule in this listing.
table <_loopback4_> { 127.0.0.0/8 }
_loopback4_ = "<_loopback4_>"
table <_loopback6_> { ::1/128 }
_loopback6_ = "<_loopback6_>"
table <_loopback46_> { 127.0.0.0/8 ::1/128 }
_loopback46_ = "<_loopback46_>"
table <_linklocal4_> { 169.254.0.0/16 }
_linklocal4_ = "<_linklocal4_>"
table <_linklocal6_> { fe80::/10 }
_linklocal6_ = "<_linklocal6_>"
table <_linklocal46_> { 169.254.0.0/16 fe80::/10 }
_linklocal46_ = "<_linklocal46_>"
table <_private4_> { 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 }
_private4_ = "<_private4_>"
table <_private6_> { fc00::/7 }
_private6_ = "<_private6_>"
table <_private46_> { 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 fc00::/7 }
_private46_ = "<_private46_>"
table <_multicast4_> { 224.0.0.0/4 }
_multicast4_ = "<_multicast4_>"
table <_multicast6_> { ff00::/8 }
_multicast6_ = "<_multicast6_>"
table <_multicast46_> { 224.0.0.0/4 ff00::/8 }
_multicast46_ = "<_multicast46_>"
table <_reserved4_> { 0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 192.88.99.0/24 192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 203.0.113.0/24 224.0.0.0/4 240.0.0.0/4 255.255.255.255/32 }
_reserved4_ = "<_reserved4_>"
table <_reserved6_> { ::1/128 ::/128 ::ffff:0:0/96 64:ff9b::/96 64:ff9b:1::/48 100::/64 2001::/23 2001:2::/48 2001:db8::/32 2002::/16 3fff::/20 5f00::/16 fc00::/7 fe80::/10 ff00::/8 }
_reserved6_ = "<_reserved6_>"
table <_reserved46_> { 0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 192.88.99.0/24 192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 203.0.113.0/24 224.0.0.0/4 240.0.0.0/4 255.255.255.255/32 ::1/128 ::/128 ::ffff:0:0/96 64:ff9b::/96 64:ff9b:1::/48 100::/64 2001::/23 2001:2::/48 2001:db8::/32 2002::/16 3fff::/20 5f00::/16 fc00::/7 fe80::/10 ff00::/8 }
_reserved46_ = "<_reserved46_>"
# IPv4 non-global ranges as they would appear inside the 64:ff9b::/96 NAT64
# well-known prefix; used by the NAT64 block rules below.
table <_nat64reserved_> { 64:ff9b::0/104 64:ff9b::a00:0/104 64:ff9b::6440:0/106 64:ff9b::7f00:0/104 64:ff9b::a9fe:0/112 64:ff9b::ac10:0/108 64:ff9b::c000:0/120 64:ff9b::c000:200/120 64:ff9b::c058:6300/120 64:ff9b::c0a8:0/112 64:ff9b::c612:0/111 64:ff9b::c633:6400/120 64:ff9b::cb00:7100/120 64:ff9b::e000:0/100 64:ff9b::f000:0/100 64:ff9b::ffff:ffff/128 }
_nat64reserved_ = "<_nat64reserved_>"
# User-defined aliases
# UDP source ports that get static-port outbound NAT (see the manual NAT rule).
UDP_Game_Ports = "{ 4950 4955 3659 5795:5847 7777 14001 }"
# System gateways
# a.b.c.d is the redacted WAN gateway address (see page note at top).
GWWAN_DHCP = " route-to ( igc3 a.b.c.d ) "
##########################################
# Interfaces used with pf stats collection
##########################################
set loginterface igc2
#################################
# Interfaces without pf filtering
#################################
set skip on pfsync0
############################################
# Preserve rule counters across rule updates
############################################
set keepcounters
##########################################
# Required rules for traffic normalization
##########################################
# NOTE(review): the first two scrub rules are missing a table token between
# "to"/"from" and the options (likely another stripped <name>); confirm.
scrub from any to no-df fragment reassemble
scrub from to any no-df fragment reassemble
# no-df clears the don't-fragment bit, random-id randomises the IPv4 ID
# field, and "fragment reassemble" reassembles fragments before filtering so
# rules see whole packets rather than individual fragments.
scrub on $WAN inet all no-df random-id fragment reassemble
scrub on $WAN inet6 all no-df random-id fragment reassemble
scrub on $LAN inet all no-df random-id fragment reassemble
scrub on $LAN inet6 all no-df random-id fragment reassemble
#######################################
# Rules for Network Address Translation
#######################################
no nat proto carp
no rdr proto carp
nat-anchor "natearly/*"
nat-anchor "natrules/*"
# Outbound NAT rules (manual)
# static-port keeps the client's original source port instead of
# translating it; the destination address a.b.c.d50/32 is a redaction
# placeholder for the WAN address.
nat on $WAN inet proto udp from 192.168.1.0/24 port $UDP_Game_Ports to any -> a.b.c.d50/32 static-port # Warframe forward
# Outbound NAT rules (automatic)
# Subnets to NAT
tonatsubnets = "{ 127.0.0.0/8 ::1/128 192.168.1.0/24 192.168.2.0/24 }"
# UDP 500 (IKE) keeps its source port so the peer sees the expected port.
nat on $WAN inet from $tonatsubnets to any port 500 -> a.b.c.d50/32 static-port
nat on $WAN inet6 from $tonatsubnets to any port 500 -> (igc3) static-port
# All other traffic is translated into the ephemeral port range.
nat on $WAN inet from $tonatsubnets to any -> a.b.c.d50/32 port 1024:65535
nat on $WAN inet6 from $tonatsubnets to any -> (igc3) port 1024:65535
# NAT rules for the TFTP Proxy service
rdr-anchor "tftp-proxy/*"
#################################
# Extra rules from OpenVPN RADIUS
#################################
anchor "openvpn/*"
###############################
# Extra rules from IPsec RADIUS
###############################
anchor "ipsec/*"
#################################
# Rules to block all IPv6
#################################
# Allow IPv6 on loopback
pass in quick on $loopback inet6 all ridentifier 1000000001 label "descr=pass IPv6 loopback"
pass out quick on $loopback inet6 all ridentifier 1000000002 label "descr=pass IPv6 loopback"
# Block all IPv6
# These are "quick" and match every non-loopback IPv6 packet, so every later
# inet6 filter rule in this file (NAT64 block, default deny IPv6, the ULA
# block on WAN) is effectively unreachable. Blocked packets are logged, so
# expect IPv6 noise in the pf log.
block in log quick inet6 all ridentifier 1000000003 label "descr=Block all IPv6"
block out log quick inet6 all ridentifier 1000000004 label "descr=Block all IPv6"
################################################################
# Rules to block NAT64 translation for non-global IPv4 addresses
################################################################
block in log quick inet6 from any to <_nat64reserved_> ridentifier 1000000005 label "descr=Block NAT64 for non-global IPv4"
block out log quick inet6 from any to <_nat64reserved_> ridentifier 1000000006 label "descr=Block NAT64 for non-global IPv4"
########################################
# Rules to block IPv4 link-local packets
########################################
# Block IPv4 link-local. Per RFC 3927, link local "MUST NOT" be forwarded by
# a routing device, and clients "MUST NOT" send such packets to a router.
# FreeBSD won't route 169.254./16, but route-to can override that, causing
# problems such as in redmine #2073
# Note these two rules do not log, unlike most other block rules here.
block in quick from 169.254.0.0/16 to any ridentifier 1000000101 label "descr=Block IPv4 link-local"
block in quick from any to 169.254.0.0/16 ridentifier 1000000102 label "descr=Block IPv4 link-local"
#####################################################
# Required rules for the default-deny filter behavior
#####################################################
# Non-quick, so a later matching pass rule still wins; anything not
# explicitly passed is dropped and logged.
block in log inet all ridentifier 1000000103 label "descr=Default deny rule IPv4" label "tags=ruleset:871d3623256b8b52"
block out log inet all ridentifier 1000000104 label "descr=Default deny rule IPv4" label "tags=ruleset:871d3623256b8b52"
block in log inet6 all ridentifier 1000000105 label "descr=Default deny rule IPv6" label "tags=ruleset:871d3623256b8b52"
block out log inet6 all ridentifier 1000000106 label "descr=Default deny rule IPv6" label "tags=ruleset:871d3623256b8b52"
#########################################
# Rules to drop invalid packets on port 0
#########################################
# We use the mighty pf, we cannot be fooled.
block log quick inet proto { tcp, udp } from any port = 0 to any ridentifier 1000000107 label "descr=Block traffic from port 0"
block log quick inet proto { tcp, udp } from any to any port = 0 ridentifier 1000000108 label "descr=Block traffic to port 0"
################################################
# Rules to block packets matched by IDS packages
################################################
# NOTE(review): the source/destination table token is missing from each of
# the next five block rules ("from to", "to ridentifier"); as printed they
# are not valid pf. The labels identify which dynamic table each one was
# meant to reference.
block quick from to any ridentifier 1000000109 label "descr=Block snort2c hosts"
block quick from any to ridentifier 1000000110 label "descr=Block snort2c hosts"
#######################################################
# Rules for blocklisted hosts accessing the SSH service
#######################################################
block in log quick proto tcp from to (self) port 22 ridentifier 1000000301 label "descr=sshguard"
##################################################
# Rules for blocklisted hosts accessing the WebGUI
##################################################
block in log quick proto tcp from to (self) port 443 ridentifier 1000000351 label "descr=GUI Lockout"
#######################################################
# Rules to block packets matched by anti-virus packages
#######################################################
block in log quick from to any ridentifier 1000000400 label "descr=virusprot overload table"
#################################################
# Rules to prevent DHCP leaks in multi-WAN setups
#################################################
# Drops DHCP server->client replies that were tagged "dhcpin" on arrival at
# the WAN, so a reply received on WAN is never forwarded out another interface.
block out quick proto udp from any port = 67 to any port = 68 tagged "dhcpin" ridentifier 1000000451 label "descr=Prevent routing dhcp responses"
#########################
# Default interface rules
#########################
# allow our DHCP client out to the WAN
# Stateless ("no state") on purpose: DHCP replies arrive as broadcasts that
# would not match a state created by the client's request.
pass in quick on $WAN proto udp from any port = 67 to any port = 68 tag "dhcpin" no state ridentifier 1000000461 label "descr=allow dhcp replies in WAN"
pass out quick on $WAN proto udp from any port = 68 to any port = 67 no state ridentifier 1000000462 label "descr=allow dhcp client out WAN"
# Not installing DHCP server firewall rules for WAN which is configured for DHCP.
# block bogon networks (IPv4)
# https://www.team-cymru.org/Services/Bogons/bogon-bn-nonagg.txt
# NOTE(review): source table token missing ("from to any"); by the label
# this is the bogons table defined above.
block in log quick on $WAN from to any ridentifier 11001 label "descr=block bogon IPv4 networks from WAN"
# Required rules for antispoof protection
# antispoof expands to block rules dropping packets that arrive on $WAN with a
# source address belonging to $WAN's own networks.
antispoof log for $WAN ridentifier 1000001470
# block anything from private networks on interfaces with the option set
# RFC 1918 and loopback sources are rejected on the WAN. 100.64.0.0/10 (CGNAT)
# is not listed here; whether it is dropped depends on the bogons file.
block in log quick on $WAN from 10.0.0.0/8 to any ridentifier 12001 label "descr=Block private networks from WAN block 10/8"
block in log quick on $WAN from 127.0.0.0/8 to any ridentifier 12002 label "descr=Block private networks from WAN block 127/8"
block in log quick on $WAN from 172.16.0.0/12 to any ridentifier 12003 label "descr=Block private networks from WAN block 172.16/12"
block in log quick on $WAN from 192.168.0.0/16 to any ridentifier 12004 label "descr=Block private networks from WAN block 192.168/16"
# Unreachable in practice: the "Block all IPv6" quick rules above already
# match any fc00::/7 packet.
block in log quick on $WAN from fc00::/7 to any ridentifier 12005 label "descr=Block ULA networks from WAN block fc00::/7"
# Required rules for antispoof protection
antispoof log for $LAN ridentifier 1000002520
# allow access to DHCP server on LAN
# 192.168.1.1 is the firewall's LAN address (consistent with the LAN table
# 192.168.1.0/24 above).
pass in quick on $LAN proto udp from any port = 68 to 255.255.255.255 port = 67 ridentifier 1000002541 label "descr=allow access to DHCP server"
pass in quick on $LAN proto udp from any port = 68 to 192.168.1.1 port = 67 ridentifier 1000002542 label "descr=allow access to DHCP server"
pass out quick on $LAN proto udp from 192.168.1.1 port = 67 to any port = 68 ridentifier 1000002543 label "descr=allow access to DHCP server"
#####################################
# Required rules for loopback traffic
#####################################
pass in on $loopback inet all ridentifier 1000004661 label "descr=pass IPv4 loopback"
pass out on $loopback inet all ridentifier 1000004662 label "descr=pass IPv4 loopback"
##########################################################
# Required rules for traffic from the firewall host itself
##########################################################
# Floating (no interface) outbound pass: anything the firewall itself
# originates is allowed out. allow-opts additionally permits packets carrying
# IP options, which pf otherwise drops by default.
pass out inet all keep state allow-opts ridentifier 1000004663 label "descr=let out anything IPv4 from firewall host itself"
# Policy-routes the firewall's own traffic with the WAN source address out via
# the WAN gateway, except when the destination is on the WAN subnet itself.
pass out route-to ( igc3 a.b.c.d ) from a.b.c.d50 to !100.40.118.0/24 ridentifier 1000004761 keep state allow-opts label "descr=let out anything from firewall host itself"
############################################
# Required rules for IPsec host connectivity
############################################
# NOTE(review): two ridentifier options on one rule; this may be two
# generated rules collapsed by the page, or a generator quirk — verify.
pass out on $IPsec all ridentifier 1000005061 ridentifier 1000005062 keep state label "descr=IPsec internal host to host"
#######################################################
# Rules to prevent accidental lockout from the firewall
#######################################################
# Any host on igc2 (LAN) may reach the management ports (HTTPS, HTTP, SSH)
# on the LAN address; this runs before the user rules and is "quick", so
# user LAN rules cannot restrict management access. If management should be
# limited to a subset of LAN hosts, that needs the anti-lockout rule disabled
# and explicit rules in its place.
pass in quick on igc2 proto tcp from any to (igc2) port { 443 80 22 } ridentifier 10001 keep state label "descr=anti-lockout rule"
#######################
# Anchor for user rules
#######################
anchor "userrules/*"
################################################
# User rules for system-defined interface groups
################################################
# The two "array key ... does not exist" lines are generator warnings that
# pfSense writes into the ruleset as comments; they have no filtering effect.
# array key "l2tp" does not exist for "" in array: {WAN LAN IPsec WireGuard }
# Rules for IPsec
# Everything arriving through the IPsec tunnel (enc0) is permitted to any
# destination, limited only by max-src-states per source. Consider whether
# tunnel peers should be scoped to the hosts/ports they actually need.
pass in quick on $IPsec inet from any to any ridentifier 1484768846 keep state (max-src-states 8192) label "id=1484768846" label "tags=user_rule" label "descr=IPSec allow all default"
# array key "openvpn" does not exist for "OpenVPN First Try wizard" in array: {WAN LAN IPsec WireGuard }
#####################################
# Interface rules defined by the user
#####################################
# Rules for LAN
# Forces LAN clients to use the firewall's resolver by rejecting plain DNS
# (53) and DNS-over-TLS (853) to any destination other than the firewall.
# DNS-over-HTTPS uses tcp/443 and is not covered by these rules.
# $LAN__NETWORK is printed empty above (see the table note); as written the
# source match would be invalid.
block in log quick on $LAN inet proto { tcp udp } from $LAN__NETWORK to !(self) port 53 ridentifier 1765227474 label "id=1765227474" label "tags=user_rule" label "descr=Outside DNS block"
block in log quick on $LAN inet proto { tcp udp } from $LAN__NETWORK to !(self) port 853 ridentifier 1765227499 label "id=1765227499" label "tags=user_rule" label "descr=Outside DNSoverTLS block"
pass in quick on $LAN inet from $LAN__NETWORK to any ridentifier 0100000101 keep state (max-src-states 8192) label "id=0100000101" label "tags=user_rule" label "descr=Default allow LAN to any rule"
#############################
# Rules for the IPsec service
#############################
# Mobile (road-warrior) phase 1: IKE (udp/500), NAT-T (udp/4500) and ESP are
# accepted on the WAN from any source. reply-to pins the return path to the
# WAN gateway. Because the listener is open to any source, IKE authentication
# strength is what protects these endpoints.
pass in on $WAN reply-to ( igc3 a.b.c.d ) proto udp from any to (self) port = 500 ridentifier 1000105201 keep state label "descr=IPsec: Mobile P1 - inbound isakmp"
pass in on $WAN reply-to ( igc3 a.b.c.d ) proto udp from any to (self) port = 4500 ridentifier 1000105202 keep state label "descr=IPsec: Mobile P1 - inbound nat-t"
pass in on $WAN reply-to ( igc3 a.b.c.d ) proto esp from any to (self) ridentifier 1000105203 keep state label "descr=IPsec: Mobile P1 - inbound esp proto"
# Site-to-site phase 1 with a single fixed peer (204.9.221.253): the same
# three protocols, but scoped to that peer in both directions.
pass out route-to ( igc3 a.b.c.d ) proto udp from (self) to 204.9.221.253 port = 500 ridentifier 1000105214 keep state label "descr=IPsec: test for CIC - outbound isakmp"
pass in on $WAN reply-to ( igc3 a.b.c.d ) proto udp from 204.9.221.253 to (self) port = 500 ridentifier 1000105215 keep state label "descr=IPsec: test for CIC - inbound isakmp"
pass out route-to ( igc3 a.b.c.d ) proto udp from (self) to 204.9.221.253 port = 4500 ridentifier 1000105216 keep state label "descr=IPsec: test for CIC - outbound nat-t"
pass in on $WAN reply-to ( igc3 a.b.c.d ) proto udp from 204.9.221.253 to (self) port = 4500 ridentifier 1000105217 keep state label "descr=IPsec: test for CIC - inbound nat-t"
pass out route-to ( igc3 a.b.c.d ) proto esp from (self) to 204.9.221.253 ridentifier 1000105218 keep state label "descr=IPsec: test for CIC - outbound esp proto"
pass in on $WAN reply-to ( igc3 a.b.c.d ) proto esp from 204.9.221.253 to (self) ridentifier 1000105219 keep state label "descr=IPsec: test for CIC - inbound esp proto"
##################################
# Rules for the TFTP Proxy service
##################################
anchor "tftp-proxy/*"