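# pf.conf from insomnia.benzedrine.ch
#
# Default gateway doing NAT for my home network, IPv6 tunnel endpoint, using
# queues for extended ackpri (so I can work while being /., for instance).
#
# The external interface is kue0, with a single routable address 62.65.145.30.
# The internal interface is gem0, address 10.1.1.1 in network 10.0.0.0/8.
#
# The IPv6 tunnel is explained in more detail on
# http://www.benzedrine.ch/gif.txt
#
# ACK prioritizing is explained on
# http://www.benzedrine.ch/ackpri.html
#
# Reading order matters: pf applies the LAST matching rule unless a rule is
# marked "quick", in which case evaluation stops at that rule. Translation
# (nat/rdr) happens before filtering, so filter rules see translated addresses.

# macros
#
ext_if = "kue0"

# interfaces that are not filtered at all: loopback, IPsec (enc0) and the LAN.
# NOTE(review): anything arriving on these is trusted unconditionally; LAN
# hosts are only constrained by the $ext_if rules after NAT.
unfiltered = "{ lo0, enc0, gem0 }"

# sources that must never appear on the external interface.
# NOTE(review): 0.0.0.0/8, 169.254.0.0/16 and 224.0.0.0/4 are not listed;
# add them if such sources ever show up in the logs.
unroutable = "{ 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, \
    192.168.0.0/16, 255.255.255.255/32 }"

# TCP ports reachable from the outside, on the IPv4 host and the IPv6 net.
# NOTE(review): "> 1024" opens every unprivileged port; only the high ports
# explicitly blocked further down (1080, 6000, 6667) are excluded from it.
services_tcp = "{ ssh, smtp, submission, domain, auth, www, pop3, > 1024 }"

# tunnel endpoint address plus the routed /64 behind it
ipv6_net = "{ 2001:470:1f00:ffff::475, 2001:470:1f00:670:0:0:0:0/64 }"
tunnel_peer = "64.71.128.82"

# options
#
set loginterface $ext_if
# hard caps on state and fragment entries, so a flood cannot exhaust memory
set limit states 10000
set limit frags 500

# tables
#
# NOTE(review): the angle-bracketed table names were stripped when this file
# was rendered as HTML. <spamd> is implied by the "spamd redirection" rdr
# below; <badhosts> is a reconstruction for the "block unwanted peers" rule.
# Confirm both names against the original file. "persist" keeps the tables
# alive even when no rule references them (they are fed by spamd/manually).
table <spamd> persist
table <badhosts> persist

# normalization
#
# reassemble fragments before filtering so rules and state see whole packets;
# random-id on the way out hides the IP id counter of the NATed hosts.
scrub in on $ext_if all fragment reassemble
scrub out on $ext_if all random-id fragment reassemble

# queues
#
# - ssh has maximum priority, so the host is always managable.
# - dns has high priority.
# - outgoing tcp connections have priority over incoming ones.
# - outgoing http has priority over other outgoing tcp
#   (the mailing list generates bursts of outgoing smtp)
#
# effect: even while the web server is under heavy load and the
# mailing list is delivering mails, I can still use www/icb/irc.
#
# Where a rule names two queues, the second one receives packets with TOS
# lowdelay and empty ACKs (see pf.conf(5)); that is what puts interactive
# ssh into q_max even though its connections are passed via q_low.
#
# the interface is referenced through the macro so there is one place to
# change if the external interface is renamed.
altq on $ext_if priq bandwidth 100Kb queue { q_max, q_hig, q_def, q_low }
queue q_max priority 7
queue q_hig priority 5
queue q_def priority 3
queue q_low priority 1 priq(default)

# translations
#
# never translate traffic on the trusted interfaces
no nat on $unfiltered from any to any
no rdr on $unfiltered from any to any

# nat private network to single routable address
#
nat on $ext_if inet from 10.0.0.0/8 to any -> $ext_if

# spamd redirection
#
# smtp connections from listed hosts are redirected to the local spamd
# (127.0.0.1:8025); the matching pass rule lives in the TCP section below.
rdr on $ext_if inet proto tcp from <spamd> to any port smtp \
    -> 127.0.0.1 port 8025

# =============================================================================
# filter rules (default block/pass)
# =============================================================================

# pass on unfiltered interfaces
#
pass quick on $unfiltered

# TCP packets that are not plain SYNs (SYN clear, or ACK set) are answered with
# a RST here and never reach the rules below: the remaining ruleset only deals
# with TCP SYNs, which always create state when passed. the ruleset basically
# deals with 'connections', not packets, beyond this point. packets belonging
# to an existing state are matched before the ruleset and are not affected.
#
block return-rst quick proto tcp all flags /S
block return-rst quick proto tcp all flags A/A

# block and log everything by default
#
# these are not "quick", so a later pass rule overrides them; they only
# determine the fate (and the reply) of packets nothing else matches.
block log
block return-rst log inet proto tcp
block return-icmp log inet proto udp

# =============================================================================
# external interface (all external IPv4 traffic)
# =============================================================================

# silently drop broadcasts (ADSL noise)
#
block in quick on $ext_if inet from any to { 255.255.255.255, 62.65.145.31 }

# block unwanted peers
#
block in quick on $ext_if inet from <badhosts> to any

# block some known-bad ports without logging
#
# this has to come before the $services_tcp pass rule, otherwise the
# "> 1024" entry would let 1080, 6000 and 6667 through.
block return-rst in quick on $ext_if proto tcp from any to any \
    port { 111, 443, 445, 1080, 6000, 6667 }
block return-icmp in quick on $ext_if proto udp from any to any \
    port { 137, 138, 139, 1434 }

# block and log incoming packets from reserved address space and invalid
# addresses, they are either spoofed or misconfigured, we can't reply to
# them anyway (hence, no return-rst).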
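#
block in log quick on $ext_if inet from $unroutable to any

# block and log outgoing packets that don't have my address as source, they are
# either spoofed or something is misconfigured (NAT disabled, for instance),
# we want to be nice and not send out garbage.
#
# $ext_if in an address position expands to the interface's addresses, so this
# is the egress anti-spoofing rule for the whole LAN (post-NAT).
block out log quick on $ext_if inet from !$ext_if to any

# ICMP
#
# only echo request is passed explicitly; replies return via the state.
# inbound pings are capped at 32 concurrent states.
pass out on $ext_if inet proto icmp from $ext_if to any \
    icmp-type 8 code 0 keep state queue (q_max)
pass in on $ext_if inet proto icmp from any to $ext_if \
    icmp-type 8 code 0 keep state (max 32) queue (q_low)

# UDP
#
# outbound UDP is already limited to my own source address by the
# anti-spoofing rule above, hence "from any" is safe here.
pass out on $ext_if inet proto udp from any to any \
    keep state queue (q_def)
pass out on $ext_if inet proto udp from any to any port domain \
    keep state queue (q_hig)
pass in on $ext_if inet proto udp from any to $ext_if \
    port domain keep state (max 512) queue (q_hig)
# NOTE(review): plain UDP syslog from the neighbouring router; only the source
# address is checked, so anything able to spoof 62.65.145.29 on this link can
# inject log lines. the state cap (max 2) bounds the damage a flood can do.
pass in on $ext_if inet proto udp from 62.65.145.29 to $ext_if \
    port syslog keep state (max 2)

# TCP
#
pass out on $ext_if inet proto tcp from $ext_if to any \
    flags S/SA keep state queue (q_def, q_max)
pass out on $ext_if inet proto tcp from $ext_if to any port www \
    flags S/SA keep state queue (q_hig, q_max)
# inbound services: short tcp.first/tcp.opening timeouts expire half-open
# connections quickly, and max 1024 bounds the state table under a SYN flood.
pass in on $ext_if inet proto tcp from any to $ext_if port $services_tcp \
    flags S/SA keep state (max 1024, tcp.first 10, tcp.opening 10) \
    queue (q_low, q_max)
# spamd: filtering happens after rdr, so the destination is already
# 127.0.0.1:8025 here. flags S/SA is stated explicitly like on every other
# TCP pass rule, so this rule does not depend on the non-SYN blocks above.
pass in on $ext_if inet proto tcp from any to 127.0.0.1 port 8025 \
    flags S/SA keep state queue (q_low, q_def)

# other protocols (IPv6 tunnel)
#
# NOTE(review): the tunnel (IP protocol 41) is authenticated by source address
# only; spoofed packets claiming to be from $tunnel_peer would be decapsulated,
# but still have to pass the gif0 rules below.
pass out on $ext_if inet proto ipv6 from $ext_if to $tunnel_peer \
    keep state (other.multiple 86400) queue (q_def)
pass in on $ext_if inet proto ipv6 from $tunnel_peer to $ext_if \
    keep state (other.multiple 86400) queue (q_def)

# =============================================================================
# tunnel interface (all external IPv6 traffic)
# =============================================================================

# ICMP
#
pass out on gif0 inet6 proto ipv6-icmp from $ipv6_net to any \
    icmp6-type echoreq keep state queue (q_max) allow-opts
pass in on gif0 inet6 proto ipv6-icmp from any to $ipv6_net \
    icmp6-type echoreq keep state (max 32) queue (q_low)

# UDP
#
pass out on gif0 inet6 proto udp from $ipv6_net to any \
    keep state queue (q_def)
pass out on gif0 inet6 proto udp from $ipv6_net to any port domain \
    keep state queue (q_hig)
pass in on gif0 inet6 proto udp from any to $ipv6_net \
    port domain keep state (max 512) queue (q_hig)

# TCP
#
pass out on gif0 inet6 proto tcp from $ipv6_net to any flags S/SA \
    keep state queue (q_def, q_max)
# NOTE(review): unlike the NATed IPv4 LAN, every host in the routed /64 is
# directly reachable from the IPv6 internet on all of $services_tcp,
# including "> 1024"; the known-bad port blocks above apply to $ext_if only.
pass in on gif0 inet6 proto tcp from any to $ipv6_net port $services_tcp \
    flags S/SA keep state (max 1024, tcp.first 20, tcp.opening 20) \
    queue (q_low, q_max)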