FreeBSD : fichier de règles basiques PF

Boris HUISGEN
#
# pf.conf
#
# Basic PF ruleset for a FreeBSD host with jails behind an internal
# loopback interface: default-deny with logging, NAT for the jails,
# port redirections into a DNS jail and a WWW jail, and a rate-limited
# SSH rule for the host itself.
#
# NOTE(review): three table references in this file have lost their
# angle-bracketed name (marked below) — most likely stripped as HTML
# markup when the page was rendered. As written, pfctl will reject the
# file; the same table name belongs in all three places.
#
# macros
# external interface; the ($ext_if) form used below resolves to the
# interface address at runtime
ext_if = "re0"
# internal interface the jails are attached to
int_if = "lo1"
# tables
# NOTE(review): table name missing here (expected "table <NAME> persist {}").
# "persist" keeps the table even while no rule references it; it starts
# empty and is populated at runtime by the SSH rule's overload clause.
table persist {}
# options
# blocked packets are silently dropped (no TCP RST / ICMP unreachable sent)
set block-policy drop
# loopback traffic is not filtered at all
set skip on lo0
# state-table ceilings: "src-nodes 2000" also bounds the per-source
# tracking entries created by the SSH rule's "source-track"
set limit { states 20000, frags 5000, src-nodes 2000 }
# normalization
scrub in all fragment reassemble
scrub all reassemble tcp
scrub in all random-id
#
# redirection
#
# masquerade anything not already sourced from the external address
# (i.e. the jails) behind the external interface address
nat on $ext_if from !($ext_if) to any -> ($ext_if)
# jail dns
# NOTE(review): "rdr pass" passes the redirected packets without
# consulting the filter rules below, so neither the default "block in"
# nor the bruteforce table applies to traffic reaching the jails through
# these redirections (this includes the 2222 -> 22 SSH redirect).
rdr pass on $ext_if proto tcp from any to port 53 -> 172.16.0.1 port 53
rdr pass on $ext_if proto udp from any to port 53 -> 172.16.0.1 port 53
# jail www
rdr pass on $ext_if proto tcp from any to port 80 -> 172.16.0.2 port 80
rdr pass on $ext_if proto tcp from any to port 443 -> 172.16.0.2 port 443
# external port 2222 is the WWW jail's SSH
rdr pass on $ext_if proto tcp from any to port 2222 -> 172.16.0.2 port 22
#
# rules
#
# default deny in both directions, logged; every rule after these is an
# exception (last matching rule wins unless it carries "quick")
block in log
block out log
# NOTE(review): table name missing (expected "block quick from <NAME>").
# Sources the SSH rule has overloaded into the table are dropped at once
# for all traffic; this rule must stay above the pass rules.
block quick from
# drop packets carrying lo0 addresses that arrive on another interface
antispoof quick for lo0
# jail traffic on the internal interface is unrestricted, both directions
pass quick on $int_if
# the host may open any TCP/UDP connection outbound, on any interface
pass out proto tcp all keep state
pass out proto udp all keep state
# ICMP and ICMPv6 allowed in and out on the external interface, all types
pass in on $ext_if inet proto icmp from any to any keep state
pass out on $ext_if inet proto icmp from any to any keep state
pass in on $ext_if inet6 proto icmp6 from any to any keep state
pass out on $ext_if inet6 proto icmp6 from any to any keep state
# host SSH: only initial SYNs create state (flags S/SA); each source is
# tracked individually (source-track rule) and limited to 4 simultaneous
# connections and 4 new connections per 30 seconds; a source exceeding
# either limit is added to the overload table and "flush global" tears
# down all of its existing states.
# NOTE(review): overload table name missing (expected
# "overload <NAME> flush global"); it must be the table declared above.
pass in on $ext_if proto tcp from any to any port 22 flags S/SA keep state \
(source-track rule, max-src-conn 4, max-src-conn-rate 4/30, \
overload flush global)