FreeBSD : fichier de règles basiques PF

Boris HUISGEN
Boris HUISGEN
|
#
# pf.conf
#

# macros
ext_if = "re0"
int_if = "lo1"

# tables
table  persist {}

# options
set block-policy drop
set skip on lo0
set limit { states 20000, frags 5000, src-nodes 2000 }

# normalization
scrub in all fragment reassemble
scrub all reassemble tcp
scrub in all random-id

#
# redirection
#

nat on $ext_if from !($ext_if) to any -> ($ext_if)

# jail dns
rdr pass on $ext_if proto tcp from any to port 53 -> 172.16.0.1 port 53
rdr pass on $ext_if proto udp from any to port 53 -> 172.16.0.1 port 53
# jail www
rdr pass on $ext_if proto tcp from any to port 80 -> 172.16.0.2 port 80
rdr pass on $ext_if proto tcp from any to port 443 -> 172.16.0.2 port 443
rdr pass on $ext_if proto tcp from any to port 2222 -> 172.16.0.2 port 22

#
# rules
#

block in log
block out log
block quick from
antispoof quick for lo0

pass quick on $int_if

pass out proto tcp all keep state
pass out proto udp all keep state

pass in on $ext_if inet proto icmp from any to any keep state
pass out on $ext_if inet proto icmp from any to any keep state

pass in on $ext_if inet6 proto icmp6 from any to any keep state
pass out on $ext_if inet6 proto icmp6 from any to any keep state

pass in on $ext_if proto tcp from any to any port 22 flags S/SA keep state \
(source-track rule, max-src-conn 4, max-src-conn-rate 4/30, \
overload  flush global)
Boris HUISGEN
Boris HUISGEN
Blog owner
  • #freebsd
  • #pf