forked from vedetta-com/vedetta
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathpf.conf
407 lines (349 loc) · 10.6 KB
/
pf.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
# $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf
# read the log file: tcpdump -n -e -ttt -r /var/log/pflog
# real-time logging: tcpdump -neq -ttt -i pflog0
# tcpdump -nettti pflog0 action drop
# tcpdump -vvopn -i enc0
# show queue: pfctl -vvs queue
# systat queues
# show stats: pfctl -s info
# systat pf
# show states: pfctl -s states
# systat states
# table stats: pfctl -v -t martians -T show
# show rule nr. 4: pfctl -v -s rules -R 4
# show rules, prepend rule numbers: pfctl -a '*' -vvsr
# systat rules
# show limits: pfctl -s memory
# https://www.iana.org/assignments/iana-ipv4-special-registry/
# https://www.iana.org/assignments/iana-ipv6-special-registry/
table <martians> const persist counters file "/etc/pf.conf.table.martians"
# Full access table (for test)
table <knownhosts> persist counters {}
# Enable with: touch /etc/authpf/authpf.conf
table <authpf_users> persist counters
# Bad hosts
table <ban> persist counters file "/etc/pf.conf.table.ban"
# Update the adhosts IP list every month (!) see var/cron/tabs/root
table <adhosts> persist counters file "/etc/pf.adhosts"
# Update the malware IP list every month (!) see var/cron/tabs/root
table <malware> persist counters file "/etc/pf.malware"
# Scheduled access for "etc/pf.schedule" (!) see var/cron/tabs/root
# https://marc.info/?l=openbsd-misc&m=149160678428354&w=2
table <schedule> persist counters
# relayd
include "/etc/pf.conf.macro.relayd" # relayd and fallback IP
table <relay> persist counters { $rly_IPv4 $rly_IPv6 }
table <httpfilter> persist counters {}
table <tlsinspect> persist counters {}
# Message submission agent (MSA)
table <msa> persist counters file "/etc/pf.conf.table.msa"
# Options
set loginterface egress
set optimization normal
set block-policy drop
set syncookies adaptive (start 25%, end 12%)
set skip on { lo0 }
# Queue - HFSC with FQ-CoDel (reduce bufferbloat and achieve fairness)
# (!) specify the upper bound within 90-95% of the expected bandwidth (bit/s)
# (!) raise the default queue limit from 50 to 1024 (1:1 ratio with flows)
queue outq on em0 bandwidth 9M max 9M flows 1024 qlimit 1024 default # 10Mb/s Up
# Sanitizing packet content
# no-df + random-id = unique IP identifiers
# max-mss must match net.inet.tcp.mssdflt in /etc/sysctl.conf
anchor "scrub" in {
match in all scrub (no-df random-id max-mss 1440)
}
# NAT
anchor "nat" out on egress inet tagged LAN_INET {
match out log \
nat-to (egress:0) port 1024:65535 \
tag LAN_INET_NAT
}
# Classification -- classify packets based on the defined firewall policy.
# Block spoofed traffic
# http://man.openbsd.org/pf.conf#Blocking_Spoofed_Traffic
antispoof log quick for { (egress) lo0 (enc) (tun) (vether) (tap) (vlan) (svlan) }
antispoof log for { (lan) (wlan) } # why not quick? We allow them on enc
# Block undesirable traffic
anchor "block/all"
anchor "block/in-quick-scan" in proto tcp
anchor "block/in-quick-bad" in on egress
anchor "block/out-quick-bad" out on egress
load anchor "block" from "/etc/pf.conf.anchor.block"
anchor "external" on egress {
anchor out {
# Outbound inet from LAN
anchor "inet" inet tagged LAN_INET_NAT {
pass log
}
# Outbound inet6 from LAN
anchor "inet6" inet6 tagged LAN6_INET6 {
pass log
}
# Outbound from self
anchor "self" proto { ipv6 tcp udp } from (egress) {
# DOMAIN
pass log (user) proto { tcp udp } \
to port domain \
user { _unbound root } \
tag SELF_INET
# NTP
pass log (user) proto udp \
to port ntp \
user { _ntp root } \
tag SELF_INET
# DHCP
pass log (user) proto udp \
from port bootpc to port bootps \
tag SELF_INET
# DHCPv6
# pass log inet6 proto udp \
# from port dhcpv6-client to ff02::1:2 port dhcpv6-server \
# tag SELF_INET
# HTTP and HTTPS
pass log (user) proto tcp \
to port { http https } \
group { _ntp _pfetch _pkgfetch _relayd _syspatch wheel } \
tag SELF_INET
# FTP
pass log (user) proto tcp \
to port ftp \
group _ftp_proxy
# MSA
pass log proto tcp \
to <msa> port submission \
user _smtpd \
tag SELF_INET
# SSH and WHOIS
pass log (user) proto tcp \
to port { ssh whois } \
group wheel \
tag SELF_INET
# IPv6 HE.net (6in4)
pass log proto ipv6 \
to 216.66.38.58 \
keep state (if-bound)
}
}
# Inbound
anchor in proto { ipv6 tcp udp } to (egress) {
# IPv6 HE.net (6in4)
pass log proto ipv6 \
from 216.66.38.58 \
keep state (if-bound)
# DHCPv6
# pass log inet6 proto udp \
# to port dhcpv6-client \
# tag INET_SELF
# relayd HTTP layer7 TLS acceleration
# Avoid interface certificate for egress (split IPv4/6 for redirect)
pass in log inet proto tcp \
to port https rdr-to <relay> \
tag INET_SELF
pass in log inet6 proto tcp \
to port https rdr-to <relay> \
tag INET_SELF
# relayd TCP layer7 SSH gateway
# Scheduled access for "etc/pf.schedule" (!) see var/cron/tabs/root
# https://marc.info/?l=openbsd-misc&m=149160678428354&w=2
pass log proto tcp \
from <schedule> to port 2222 \
keep state (max-src-conn-rate 100/10) \
label schedule \
tag INET_SELF
# Allow traceroute
# pass in log proto udp \
# to port { 33435:33525 } \
# keep state (max 32) \
# tag INET_SELF
}
} # end "external"
# Relay daemon
anchor "relayd/*"
anchor "relayd_layer3" tagged RELAYD {
pass log
anchor "relayd_layer3_vpn" on { enc tun } {
pass log keep state (if-bound)
}
}
# Trivial File Transfer Protocol proxy
anchor "tftp-proxy/*"
# Secure forward ftp proxy
# http://man.openbsd.org/ftp-proxy
anchor "ftp-proxy/*"
pass log tagged FTP_PROXY
pass log tagged FTP_PROXY6
# Anchor rules for various authenticated peers
# all child anchors (/*) within authpf anchor (loaded from
# /etc/authpf/users/$USER/authpf.rules) will be evaluated
anchor "authpf/*" from <authpf_users>
match inet tagged AUTHPF_INET tag LAN_INET
match inet6 tagged AUTHPF_INET tag LAN6_INET6
anchor "internal" on { lan wlan enc tun } proto { tcp udp } {
# Inbound
anchor in {
# DHCPv6 Server for DNS requests (!) see etc/rtadvd.conf
anchor inet6 proto udp from port dhcpv6-client to port dhcpv6-server {
pass log from fe80::/10 to ff02::1:2
anchor on { enc tun } {
pass log from fe80::/10 to ff02::1:2 keep state (if-bound)
}
}
# Incoming traffic from trusted peers to LAN (VPN:network hack)
anchor from { <knownhosts> <authpf_users> } to { (self:network) (tun)/24 (enc)/64 (enc)/24 } {
anchor ! tagged VPN {
pass log proto { tcp udp } tag LAN
}
anchor tagged VPN {
pass log proto { tcp udp } keep state (if-bound) tag LAN
}
}
# Incoming traffic from trusted peers to LAN_INET
anchor from <knownhosts> ! tagged LAN {
# nested tag check
anchor ! tagged VPN {
pass log proto { tcp udp } tag LAN_INET
}
anchor tagged VPN {
pass log proto { tcp udp } keep state (if-bound) tag LAN_INET
}
}
# ftp for trusted peers
anchor proto tcp to port ftp tagged LAN_INET {
pass log inet \
divert-to $fb1_IPv4 port 8021 \
tag LAN_SELF
pass log inet6 \
divert-to $fb1_IPv6 port 8021 \
tag LAN6_SELF6
}
# and guests
# tftp-proxy (split IPv4/6)
anchor on { lan wlan } proto udp to <relay> port tftp {
pass log inet \
divert-to lo0 port 6969 \
tag LAN_SELF
pass log inet6 \
divert-to lo0 port 6969 \
tag LAN6_SELF6
}
# relayd UDP layer3 NTP redirect
# Allow devices with hardcoded ntp servers to get local time (split IPv4/6)
anchor proto udp to ! <relay> port ntp {
pass in log inet \
rdr-to <relay> port ntp \
tag RELAYD
pass in log inet6 \
rdr-to <relay> port ntp \
tag RELAYD
}
# relayd DNS layer7 DNS-sanitizing proxy
anchor proto udp to <relay> port domain {
anchor ! tagged VPN {
pass log tag LAN_SELF
}
anchor tagged VPN {
pass log keep state (if-bound)
}
}
# relayd TCP layer7 SSH gateway
anchor proto tcp to <relay> port 2222 {
anchor ! tagged VPN {
pass log tag LAN_SELF
}
anchor tagged VPN {
pass log keep state (if-bound)
}
}
# ssh to LAN_SELF
anchor proto tcp to (vether0) port ssh {
anchor ! tagged VPN {
pass log tag LAN_SELF
}
anchor tagged VPN {
pass log keep state (if-bound)
}
}
# relayd HTTP layer7 TLS acceleration
anchor proto tcp to <relay> port https {
anchor ! tagged VPN {
pass log tag LAN_SELF
}
anchor tagged VPN {
pass log keep state (if-bound)
}
}
# www (and Google Play) to LAN_INET
anchor proto tcp to ! (self:network) port { http https 5228 } {
anchor ! tagged VPN {
pass log tag LAN_INET
}
anchor tagged VPN {
pass log keep state (if-bound) tag LAN_INET
}
}
# relayd HTTP layer7 HTTP proxy (split IPv4/6)
anchor proto tcp from <httpfilter> to port http tagged LAN_INET {
pass log inet \
divert-to $rly_IPv4 port 8080 \
tag LAN_SELF
pass log inet6 \
divert-to $rly_IPv6 port 8080 \
tag LAN6_SELF6
}
# relayd HTTP layer7 TLS inspection (split IPv4/6)
anchor proto tcp from <tlsinspect> to port https tagged LAN_INET {
pass log inet \
divert-to lo0 port 8443 \
tag LAN_SELF
pass log inet6 \
divert-to lo0 port 8443 \
tag LAN6_SELF6
}
# Split IPv4/6 from LAN_INET (!) not for proxy (e.g. divert-to, rdr-to)
anchor inet6 tagged LAN_INET {
match tag LAN6_INET6
}
}
# Outbound
anchor out {
# DHCPv6 Server for DNS requests
# pass log inet6 proto udp \
# from { (lan) (wlan) } to fe80::/10 port dhcpv6-client \
# tag SELF6_LAN6
# Open LAN for trusted peers (keep tag)
anchor tagged LAN {
pass log proto { tcp udp }
anchor on { enc tun } {
pass log proto { tcp udp } keep state (if-bound)
}
}
# Open LAN for self, skip VPN (keep tag)
anchor proto { tcp udp } from (self) {
pass log proto { tcp udp }
anchor on { enc tun } {
pass log proto { tcp udp } keep state (if-bound)
}
anchor proto { tcp udp } from port { l2tp isakmp ipsec-nat-t } {
block log
}
}
}
} # end "internal"
# SDN
#anchor "sdn" on { vether tap }
#load anchor "sdn" from "/etc/pf.conf.anchor.sdn"
# VLAN
anchor "vlan" on vlan proto { tcp udp } from (vlan:network) to (vlan:network)
load anchor "vlan" from "/etc/pf.conf.anchor.vlan"
# VPN (IKEv1 and IKEv2)
anchor "vpn/vpn_if" on { egress lan wlan } proto { esp udp }
anchor "vpn/vpn_enc" on enc proto { ipencap udp }
anchor "vpn/vpn_echo" in on { enc tun } proto tcp to port echo
load anchor "vpn" from "/etc/pf.conf.anchor.vpn"
# ICMP and ICMP6
anchor "icmp/ipv4-icmp" inet proto icmp
anchor "icmp/ipv6-icmp" inet6 proto icmp6
load anchor "icmp" from "/etc/pf.conf.anchor.icmp"