blob: 06403342d06c611f9874630aadf0579631f97aed (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
|
# martians
table <nonroutable> const { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
0.0.0.0/8, 240.0.0.0/4 }
# protect against brute force attacks
table <bruteforce>
# protect against well-known badies
table <badhosts> persist file "/etc/badhosts"
# spamd tables
table <spamd> persist
# interfaces
ext_if = vr0
DMZ_if = vr1
int_if = vr2
WLAN_if = athn0
# service machines
europa1 = 192.168.1.2
eeepc = 192.168.1.8
euroserver = 192.168.1.16
eurobuild3 = 192.168.1.12
eurobuild4 = 192.168.1.18
eurobuild5 = 192.168.1.21
eurobuild6 = 192.168.1.34
euroweb2 = 192.168.1.22
eurodata = 192.168.1.9
euroweb = 192.168.1.15
euromac = 192.168.1.20
# our own networks
table <intNetworks> const { 192.168.1.0/24 }
# default rule, block all
block all
# no IPv6
block quick inet6
# collect stats on the external interface
set loginterface $ext_if
# disable all filtering on loopback
set skip on lo
# normalize the packets so there are no ambiguities
match in all scrub (no-df)
# NAT for all internal machines
match out on $ext_if from <intNetworks> nat-to ($ext_if)
# randomize ids of packages
match out all scrub (random-id)
# antispoofing on external interface
antispoof quick for { $ext_if }
# allow outgoing traffic
pass out on $ext_if all
# allow all internal traffix
pass on $int_if all
# allow some ICMP
pass in inet proto icmp all icmp-type echoreq
# allow DHCP from IWay
pass in quick on $ext_if proto udp from port 67 to port 68
# allow DNS requests
pass in quick on $ext_if proto tcp from any to port 53
pass in quick on $ext_if proto udp from any to port 53
# sanitize traffic from unknown or illegal sources on the external interface
#block in quick on $ext_if from no-route to any
block in quick on $ext_if from <intNetworks> to any
block in quick on $ext_if from any to <intNetworks>
block in quick on $ext_if from <nonroutable> to any
block in quick on $ext_if from any to <nonroutable>
# block badies
block in quick on $ext_if from <badhosts> to any
# allow to jump via the firewall, protect against brute force attacks
block quick from <bruteforce>
pass in on $ext_if proto tcp from any to ($ext_if) port ssh keep state \
(max-src-conn 5, max-src-conn-rate 10/20, overload <bruteforce> \
flush global)
# allow everything on the bridge
pass on $DMZ_if all
pass on $WLAN_if all
# relayd and bruteforce attack scrubbing
pass in on $ext_if proto tcp from any to port 80
# reroute public services to their machines in the LAN
pass in on $ext_if proto tcp from any to port 25 rdr-to $euroweb
#pass in on $ext_if proto tcp from any to port 25 divert-to 127.0.0.1 port spamd
pass in on $ext_if proto tcp from any to port 443 rdr-to $euroweb
pass in on $ext_if proto tcp from any to port 587 rdr-to $euroweb
pass in on $ext_if proto tcp from any to port 110 rdr-to $euroweb
pass in on $ext_if proto tcp from any to port 143 rdr-to $euroweb
pass in on $ext_if proto tcp from any to port 993 rdr-to $euroweb
pass in on $ext_if proto tcp from any to port 995 rdr-to $euroweb
pass in on $ext_if proto tcp from any to port 9418 rdr-to $euroweb
anchor "ftp-proxy/*"
pass in on $ext_if inet proto tcp to port 21 divert-to 127.0.0.1 port 8021
pass out on $int_if inet proto tcp to $eurodata port 21 user _ftp_proxy
pass in on $ext_if inet proto tcp to port 2121 divert-to 127.0.0.1 port 8022
pass out on $int_if inet proto tcp to $eurobuild3 port 2121 user _ftp_proxy
pass in on $ext_if proto tcp from any to port 2221 rdr-to $euroweb port 22
pass in on $ext_if proto tcp from any to port 2222 rdr-to $eurodata port 22
pass in on $ext_if proto tcp from any to port 2223 rdr-to $eurobuild3 port 22
pass in on $ext_if proto tcp from any to port 2224 rdr-to $eurobuild4 port 22
pass in on $ext_if proto tcp from any to port 2225 rdr-to $eurobuild5 port 22
pass in on $ext_if proto tcp from any to port 2226 rdr-to $euromac port 22
pass in on $ext_if proto tcp from any to port 2227 rdr-to $euroweb2 port 22
pass in on $ext_if proto tcp from any to port 2228 rdr-to $eurobuild6 port 22
pass in on $ext_if proto tcp from any to port 5999 rdr-to $euromac port 5900
pass in on $ext_if proto tcp from any to port 5900:5998 rdr-to $eurobuild3
pass in on $ext_if proto tcp from any to port 6881:6889 rdr-to $eurobuild3
pass in on $ext_if proto tcp from any to port 9981:9982 rdr-to $eurobuild3
pass in on $ext_if proto tcp from any to port 8080 rdr-to $eurobuild3
pass in on $ext_if proto tcp from any to port 6001 rdr-to $europa1 port 6000
pass in on $ext_if proto tcp from any to port 9372 rdr-to $eeepc port 9372
pass in on $ext_if proto udp from any to port 5000:5100 rdr-to $eeepc
pass in on $ext_if proto tcp from any to port 1720 rdr-to $eeepc
|
