path: root/config/obr/pf.conf

# martians
table <nonroutable> const { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
			10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
			0.0.0.0/8, 240.0.0.0/4 }

# protect against brute force attacks
table <bruteforce>

# interfaces
ext_if = vr0
DMZ_if = vr1
int_if = vr2
WLAN_if = athn0

# service machines
europa1 = 192.168.1.2
eeepc = 192.168.1.8
euroserver = 192.168.1.16
eurobuild3 = 192.168.1.12
eurobuild4 = 192.168.1.18
eurobuild5 = 192.168.1.21
eurodata = 192.168.1.9
euroweb = 192.168.1.15
rpmaster = 192.168.1.253

# our own networks
table <intNetworks> const { 192.168.1.0/24 }

# default rule, block all
block all

# no IPv6
block quick inet6

# collect stats on the external interface
set loginterface $ext_if

# disable all filtering on loopback
set skip on lo

# normalize the packets so there are no ambiguities
match in all scrub (no-df)

# NAT for all internal machines
match out on $ext_if from <intNetworks> nat-to ($ext_if)

# randomize ids of packages
match out all scrub (random-id)

# antispoofing on external interface
antispoof quick for { $ext_if }

# allow outgoing traffic
pass out on $ext_if all

# allow all internal traffix
pass on $int_if all

# allow some ICMP
pass in inet proto icmp all icmp-type echoreq

# allow DHCP from IWay
pass in quick on $ext_if proto udp from port 67 to port 68

# allow DNS requests
pass in quick on $ext_if proto tcp from any to port 53
pass in quick on $ext_if proto udp from any to port 53

# sanitize traffic from unknown or illegal sources on the external interface
#block in quick on $ext_if from no-route to any
block in quick on $ext_if from <intNetworks> to any
block in quick on $ext_if from any to <intNetworks>
block in quick on $ext_if from <nonroutable> to any
block in quick on $ext_if from any to <nonroutable>

# allow to jump via the firewall, protect against brute force attacks
block quick from <bruteforce>
pass in on $ext_if proto tcp from any to ($ext_if) port ssh keep state \
	(max-src-conn 5, max-src-conn-rate 10/60, overload <bruteforce> \
	flush global)

# allow everything on the bridge
pass on $DMZ_if all
pass on $WLAN_if all

# relayd and bruteforce attack scrubbing
pass in on $ext_if proto tcp from any to port 80

# reroute public services to their machines in the LAN
pass in on $ext_if proto tcp from any to port 25 rdr-to $euroweb
pass in on $ext_if proto tcp from any to port 443 rdr-to $euroweb
pass in on $ext_if proto tcp from any to port 587 rdr-to $euroweb
pass in on $ext_if proto tcp from any to port 110 rdr-to $euroweb
pass in on $ext_if proto tcp from any to port 143 rdr-to $euroweb
pass in on $ext_if proto tcp from any to port 993 rdr-to $euroweb
pass in on $ext_if proto tcp from any to port 995 rdr-to $euroweb
pass in on $ext_if proto tcp from any to port 9418 rdr-to $euroweb
anchor "ftp-proxy/*"
pass in on $ext_if inet proto tcp to port 21 divert-to 127.0.0.1 port 8021
pass out on $int_if inet proto tcp to $eurodata port 21 user _ftp_proxy
pass in on $ext_if inet proto tcp to port 2121 divert-to 127.0.0.1 port 8022
pass out on $int_if inet proto tcp to $eurobuild3 port 2121 user _ftp_proxy
pass in on $ext_if proto tcp from any to port 2221 rdr-to $euroweb port 22
pass in on $ext_if proto tcp from any to port 2222 rdr-to $eurodata port 22
pass in on $ext_if proto tcp from any to port 2223 rdr-to $eurobuild3 port 22
pass in on $ext_if proto tcp from any to port 2224 rdr-to $eurobuild4 port 22
pass in on $ext_if proto tcp from any to port 2225 rdr-to $eurobuild5 port 22
pass in on $ext_if proto tcp from any to port 5900:5999 rdr-to $eurobuild3
pass in on $ext_if proto tcp from any to port 6881:6889 rdr-to $eurobuild3
pass in on $ext_if proto tcp from any to port 9981:9982 rdr-to $eurobuild3
pass in on $ext_if proto tcp from any to port 6001 rdr-to $europa1 port 6000
pass in on $ext_if proto tcp from any to port 9372 rdr-to $eeepc port 9372