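# pf.conf for a small home/office gateway: vr0 faces the ISP, vr1 is a DMZ,
# vr2 the wired LAN, athn0 the WLAN.  NAT is applied for the LAN, a handful
# of public services are redirected to LAN hosts, and ssh on several ports is
# rate-limited into an overload table.
#
# NOTE(review): the copy this ruleset was recovered from lost every "<name>"
# token (the angle brackets were stripped), so all table names below are
# RECONSTRUCTED PLACEHOLDERS derived from the adjacent comments -- <martians>,
# <bruteforce>, <badhosts>, <spamd>, <ournets> -- and one reference whose
# table could not be identified is left as <TABLE_NAME_LOST>.  Restore the
# real names from the original file before loading with pfctl.
#
# Rule semantics reminder: pf evaluates rules in order and the LAST matching
# rule wins unless it carries "quick".  State options (max-src-conn,
# overload ...) only take effect from the rule that actually wins.

# martians table
table <martians> const { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
    10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
    0.0.0.0/8, 240.0.0.0/4 }

# protect against brute force attacks: filled by the "overload" option of the
# ssh rules below, and blocked outright by "block quick from <bruteforce>"
table <bruteforce>

# protect against well-known badies
table <badhosts> persist file "/etc/badhosts"

# spamd tables (only the definition survived; the spamd divert rule further
# down is commented out, so this table is currently unused)
table <spamd> persist

# interfaces
ext_if = vr0
DMZ_if = vr1
int_if = vr2
WLAN_if = athn0

# service machines
europa1 = 192.168.1.2
eeepc = 192.168.1.8
euroserver = 192.168.1.16
eurobuild3 = 192.168.1.12
eurobuild4 = 192.168.1.18
eurobuild5 = 192.168.1.21
eurobuild6 = 192.168.1.34
eurobuild3pfreymewa = 192.168.1.41
eurodata = 192.168.1.9
euroweb = 192.168.1.15
euromac = 192.168.1.20

# our own networks
table <ournets> const { 192.168.1.0/24 }

# default rule, block all
block all

# no IPv6
block quick inet6

# collect stats on the external interface
set loginterface $ext_if

# disable all filtering on loopback
set skip on lo

# normalize the packets so there are no ambiguities
match in all scrub (no-df)

# NAT for all internal machines
match out on $ext_if from <ournets> nat-to ($ext_if)

# randomize ids of packets
match out all scrub (random-id)

# antispoofing on external interface
antispoof quick for { $ext_if }

# allow outgoing traffic
pass out on $ext_if all

# allow all internal traffic
pass on $int_if all

# allow some ICMP
pass in inet proto icmp all icmp-type echoreq

# allow DHCP from IWay
pass in quick on $ext_if proto udp from port 67 to port 68

# allow DNS requests
# NOTE(review): these "quick" rules accept DNS from ANY source on the external
# interface and are evaluated BEFORE the <martians>/<badhosts> blocks below,
# so those blocks never apply to port 53.  If the resolver on this box is
# meant for LAN clients only (which arrive on $int_if, not $ext_if), these two
# rules can be dropped; otherwise confirm the resolver is not open-recursive.
pass in quick on $ext_if proto tcp from any to port 53
pass in quick on $ext_if proto udp from any to port 53

# sanitize traffic from unknown or illegal sources on the external interface
#block in quick on $ext_if from no-route to any
block in quick on $ext_if from <martians> to any
block in quick on $ext_if from any to <martians>
# NOTE(review): the table referenced by the next two rules was lost in the
# copy; it is a second address table, not <martians> (that would duplicate
# the pair above).
block in quick on $ext_if from <TABLE_NAME_LOST> to any
block in quick on $ext_if from any to <TABLE_NAME_LOST>

# block badies
block in quick on $ext_if from <badhosts> to any

# allow to jump via the firewall, protect against brute force attacks
# Anything that tripped the overload limit is dropped in every direction.
block quick from <bruteforce>

# ssh to the firewall itself: at most 5 concurrent connections and 10 new
# connections per 20 seconds per source; offenders land in <bruteforce> and
# their existing states are flushed.
pass in on $ext_if proto tcp from any to ($ext_if) port ssh keep state \
    (max-src-conn 5, max-src-conn-rate 10/20, overload <bruteforce> flush global)

# Ports 2221-2229 are ssh jump ports.  Those with an rdr-to rule further down
# (2221, 2223, 2228) are redirected to LAN hosts; the rest currently terminate
# on the firewall's own address.  The state options here protect only the
# latter: for the redirected ports the later rdr-to rule is the last match and
# therefore decides, so the same options are repeated on those rdr-to rules.
pass in on $ext_if proto tcp from any to ($ext_if) port 2221 keep state \
    (max-src-conn 5, max-src-conn-rate 10/20, overload <bruteforce> flush global)
pass in on $ext_if proto tcp from any to ($ext_if) port 2222 keep state \
    (max-src-conn 5, max-src-conn-rate 10/20, overload <bruteforce> flush global)
pass in on $ext_if proto tcp from any to ($ext_if) port 2223 keep state \
    (max-src-conn 5, max-src-conn-rate 10/20, overload <bruteforce> flush global)
pass in on $ext_if proto tcp from any to ($ext_if) port 2224 keep state \
    (max-src-conn 5, max-src-conn-rate 10/20, overload <bruteforce> flush global)
pass in on $ext_if proto tcp from any to ($ext_if) port 2225 keep state \
    (max-src-conn 5, max-src-conn-rate 10/20, overload <bruteforce> flush global)
pass in on $ext_if proto tcp from any to ($ext_if) port 2226 keep state \
    (max-src-conn 5, max-src-conn-rate 10/20, overload <bruteforce> flush global)
pass in on $ext_if proto tcp from any to ($ext_if) port 2227 keep state \
    (max-src-conn 5, max-src-conn-rate 10/20, overload <bruteforce> flush global)
pass in on $ext_if proto tcp from any to ($ext_if) port 2228 keep state \
    (max-src-conn 5, max-src-conn-rate 10/20, overload <bruteforce> flush global)
pass in on $ext_if proto tcp from any to ($ext_if) port 2229 keep state \
    (max-src-conn 5, max-src-conn-rate 10/20, overload <bruteforce> flush global)

# allow everything on the bridge
# NOTE(review): both the DMZ and the WLAN are fully open in both directions,
# so there is no segmentation between WLAN, DMZ and the LAN services above.
pass on $DMZ_if all
pass on $WLAN_if all

# relayd and bruteforce attack scrubbing (relayd listens on the firewall)
pass in on $ext_if proto tcp from any to port 80

# reroute public services to their machines in the LAN
# (no "quick": the <badhosts>/<martians>/<bruteforce> blocks above are quick
# and still take precedence)
pass in on $ext_if proto tcp from any to port 25 rdr-to $euroweb
#pass in on $ext_if proto tcp from any to port 25 divert-to 127.0.0.1 port spamd
pass in on $ext_if proto tcp from any to port 443 rdr-to $euroweb
pass in on $ext_if proto tcp from any to port 587 rdr-to $euroweb
pass in on $ext_if proto tcp from any to port 110 rdr-to $euroweb
pass in on $ext_if proto tcp from any to port 143 rdr-to $euroweb
pass in on $ext_if proto tcp from any to port 993 rdr-to $euroweb
pass in on $ext_if proto tcp from any to port 995 rdr-to $euroweb
pass in on $ext_if proto tcp from any to port 9418 rdr-to $euroweb

# ftp via ftp-proxy(8): inbound control connections are diverted to the local
# proxies on 8021/8022, which then open the LAN side as user _ftp_proxy
anchor "ftp-proxy/*"
pass in on $ext_if inet proto tcp to port 21 divert-to 127.0.0.1 port 8021
pass out on $int_if inet proto tcp to $eurodata port 21 user _ftp_proxy
pass in on $ext_if inet proto tcp to port 2121 divert-to 127.0.0.1 port 8022
pass out on $int_if inet proto tcp to $eurobuild3 port 2121 user _ftp_proxy

# ssh jump ports redirected to LAN hosts.  FIX: the rate-limit/overload options
# are carried on these rules as well, because as the last matching rules they
# -- not the ($ext_if) rules above -- decide the state for these ports.
# Any rdr-to rule re-enabled from the commented-out lines needs the same
# options, or it silently loses the brute-force protection.
pass in on $ext_if proto tcp from any to port 2221 rdr-to $euroweb port 22 keep state \
    (max-src-conn 5, max-src-conn-rate 10/20, overload <bruteforce> flush global)
#pass in on $ext_if proto tcp from any to port 2222 rdr-to $eurodata port 22
pass in on $ext_if proto tcp from any to port 2223 rdr-to $eurobuild3 port 22 keep state \
    (max-src-conn 5, max-src-conn-rate 10/20, overload <bruteforce> flush global)
#pass in on $ext_if proto tcp from any to port 2224 rdr-to $eurobuild4 port 22
#pass in on $ext_if proto tcp from any to port 2225 rdr-to $eurobuild5 port 22
#pass in on $ext_if proto tcp from any to port 2226 rdr-to $euromac port 22
#pass in on $ext_if proto tcp from any to port 2227 rdr-to $eurobuild3pfreymewa port 22
pass in on $ext_if proto tcp from any to port 2228 rdr-to $eurobuild6 port 22 keep state \
    (max-src-conn 5, max-src-conn-rate 10/20, overload <bruteforce> flush global)

# remote desktops, build services and misc.
# NOTE(review): the VNC range (5900:5998, 5912, 5914, 5999) and the X11
# redirect (6001 -> 6000) are reachable from any source with no rate limit
# and no source restriction; consider limiting "from any" to known sources
# or moving these behind the ssh jump hosts.
pass in on $ext_if proto tcp from any to port 5999 rdr-to $euromac port 5900
pass in on $ext_if proto tcp from any to port 5900:5998 rdr-to $eurobuild3
pass in on $ext_if proto tcp from any to port 5912 rdr-to $eurobuild6 port 5902
pass in on $ext_if proto tcp from any to port 5914 rdr-to $eurobuild6 port 5904
pass in on $ext_if proto tcp from any to port 6881:6889 rdr-to $eurobuild3
pass in on $ext_if proto tcp from any to port 9981:9982 rdr-to $eurobuild3
pass in on $ext_if proto tcp from any to port 8080 rdr-to $eurobuild3
pass in on $ext_if proto tcp from any to port 6001 rdr-to $europa1 port 6000
pass in on $ext_if proto tcp from any to port 9372 rdr-to $eeepc port 9372
pass in on $ext_if proto udp from any to port 5000:5100 rdr-to $eeepc
pass in on $ext_if proto tcp from any to port 1720 rdr-to $eeepc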