# Define macros for each network interface
ext_if = "{ tun0 }"
int_if = "{ rl0 }"
vip_if = "{ rl1 }"
loop = "lo0"
# Define our networks
int_net = "{ 192.168.1.0/24 }"
vip_net = "{ 192.168.2.0/24 }"
noroute = "{ 127.0.0.1/8, 172.16.0.0/12, 10.0.0.0/8, 255.255.255.255/32 }"
ports = "{ 20, 21, 22, 25, 53, 80, 110, 465, 443, 995}"
squid = "{ 127.0.0.1 }"
icmp_types = "echoreq"
allproto = "{ tcp, udp, ipv4, icmp, esp, ipencap }"
bittorent = "{ 2049, 4662, 3076, 5200, 6200, 2223, 6880, 6881, 6882, 6883, 6884, 6885, 6886, 6887, 6888, 6889 ,\
6890, 8880, 8881, 8882, 8883, 8884, 8885, 8886, 8887, 8888, 8889, 8890, 6969, 10700, 21881}"
# Define Tables for SSH
table persist
# Options: tune the behavior of pf, default values are given
set limit states 200000
set limit frags 200000
set limit src-nodes 20000
set block-policy return
set optimization aggressive
set loginterface tun0
set skip on lo0
set require-order yes
set fingerprints "/etc/pf.os"
# Scrub incoming packets
scrub in all
# Define Queue
altq on $ext_if cbq bandwidth 2Mb queue { ftp,mail,http,base }
queue base bandwidth 40% cbq(default)
queue mail bandwidth 35% priority 3 cbq(borrow red)
queue http bandwidth 20% cbq(red)
queue ftp bandwidth 5% cbq(red)
#############
# NAT Rules #
#############
nat on $ext_if from $int_net to any -> $ext_if
nat on $ext_if from $vip_net to any -> $ext_if
#nat on $ext_if from {$vip_net,$int_net} to any -> $ext_if
#####################
# Squid Transparent #
#####################
rdr on $int_if proto tcp from $int_net to any port 80 -> $squid port 3128
###############
# Port Mapping#
###############
rdr on $ext_if proto tcp from any to $ext_if port 81 -> 192.168.2.7 port 80
# Activate spoofing protection for the internal interface.
antispoof quick for $ext_if inet
# Setup a default deny policy
block all
block return
# Security settings
block in quick on $ext_if os NMAP
block drop in quick on $ext_if from $noroute to any
block drop out quick on $ext_if from any to $noroute
# Disable All Kinds of Hack Software
block in quick proto tcp all flags SF/SFRA
block in quick proto tcp all flags FPU/SFRAUP
block in quick proto tcp all flags /SFRA
block in quick proto tcp all flags F/SFRA
block in quick proto tcp all flags U/SFRAU
# sshguard
block in quick on $ext_if proto tcp from to any port 22 label "ssh bruteforce"
# Block some clients to internet and bittorent download
block quick on $ext_if inet proto tcp to port $bittorent label "disable bit"
block quick on $ext_if inet proto tcp from any port $bittorent to any
# Pass ICMP
#pass in inet proto icmp all icmp-type $icmp_types keep state label "allow ping"
# Pass traffic on the loopback interface in either direction
pass quick on $loop all
# Pass traffic on the internal interface in either direction
pass quick on $int_if all
pass quick on $vip_if all
# Allow access local database
#pass in log on $ext_if proto tcp to port 3306 flags S/SA keep state
# Allow SSH to me by tun0
pass in log on $ext_if proto tcp to any port ssh flags S/SA keep state \
( max-src-conn 10, max-src-conn-rate 3/10, overload flush ) label "allow ssh"
# Pass traffic on the external interface in either direction
pass out quick on $ext_if proto { tcp, udp } to any keep state queue base
pass out quick on $ext_if proto tcp from $int_net to any port { 80, 443 } keep state queue http
pass out quick on $ext_if proto tcp from $int_net to any port { 20, 21 } keep state queue ftp
pass out quick on $ext_if proto tcp from $int_net to any port { 25, 110, 465, 995 } keep state queue mail
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if all keep state
阅读(321) | 评论(0) | 转发(0) |
