# martians table const { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \ 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \ 0.0.0.0/8, 240.0.0.0/4 } # protect against brute force attacks table # interfaces ext_if = vr0 DMZ_if = vr1 int_if = vr2 WLAN_if = athn0 # service machines europa1 = 192.168.1.2 eeepc = 192.168.1.8 euroserver = 192.168.1.16 eurobuild3 = 192.168.1.12 eurobuild4 = 192.168.1.18 eurobuild5 = 192.168.1.21 eurodata = 192.168.1.9 euroweb = 192.168.1.15 rpmaster = 192.168.1.253 # our own networks table const { 192.168.1.0/24 } # default rule, block all block all # no IPv6 block quick inet6 # collect stats on the external interface set loginterface $ext_if # disable all filtering on loopback set skip on lo # normalize the packets so there are no ambiguities match in all scrub (no-df) # NAT for all internal machines match out on $ext_if from nat-to ($ext_if) # randomize ids of packages match out all scrub (random-id) # antispoofing on external interface antispoof quick for { $ext_if } # allow outgoing traffic pass out on $ext_if all # allow all internal traffix pass on $int_if all # allow some ICMP pass in inet proto icmp all icmp-type echoreq # allow DHCP from IWay pass in quick on $ext_if proto udp from port 67 to port 68 # allow DNS requests pass in quick on $ext_if proto tcp from any to port 53 pass in quick on $ext_if proto udp from any to port 53 # sanitize traffic from unknown or illegal sources on the external interface #block in quick on $ext_if from no-route to any block in quick on $ext_if from to any block in quick on $ext_if from any to block in quick on $ext_if from to any block in quick on $ext_if from any to # allow to jump via the firewall, protect against brute force attacks block quick from pass in on $ext_if proto tcp from any to ($ext_if) port ssh keep state \ (max-src-conn 5, max-src-conn-rate 10/60, overload \ flush global) # allow everything on the bridge pass on $DMZ_if all pass on $WLAN_if all # relayd and bruteforce attack scrubbing pass in on $ext_if proto tcp from any to port 80 # reroute public services to their machines in the LAN pass in on $ext_if proto tcp from any to port 25 rdr-to $euroweb pass in on $ext_if proto tcp from any to port 443 rdr-to $euroweb pass in on $ext_if proto tcp from any to port 587 rdr-to $euroweb pass in on $ext_if proto tcp from any to port 110 rdr-to $euroweb pass in on $ext_if proto tcp from any to port 143 rdr-to $euroweb pass in on $ext_if proto tcp from any to port 993 rdr-to $euroweb pass in on $ext_if proto tcp from any to port 995 rdr-to $euroweb pass in on $ext_if proto tcp from any to port 9418 rdr-to $euroweb anchor "ftp-proxy/*" pass in on $ext_if inet proto tcp to port 21 divert-to 127.0.0.1 port 8021 pass out on $int_if inet proto tcp to $eurodata port 21 user _ftp_proxy pass in on $ext_if inet proto tcp to port 2121 divert-to 127.0.0.1 port 8022 pass out on $int_if inet proto tcp to $eurobuild3 port 2121 user _ftp_proxy pass in on $ext_if proto tcp from any to port 2221 rdr-to $euroweb port 22 pass in on $ext_if proto tcp from any to port 2222 rdr-to $eurodata port 22 pass in on $ext_if proto tcp from any to port 2223 rdr-to $eurobuild3 port 22 pass in on $ext_if proto tcp from any to port 2224 rdr-to $eurobuild4 port 22 pass in on $ext_if proto tcp from any to port 2225 rdr-to $eurobuild5 port 22 pass in on $ext_if proto tcp from any to port 5900:5999 rdr-to $eurobuild3 pass in on $ext_if proto tcp from any to port 6881:6889 rdr-to $eurobuild3 pass in on $ext_if proto tcp from any to port 9981:9982 rdr-to $eurobuild3 pass in on $ext_if proto tcp from any to port 6001 rdr-to $europa1 port 6000 pass in on $ext_if proto tcp from any to port 9372 rdr-to $eeepc port 9372