set limit table-entries 400000 set optimization normal set limit states 705000 set limit src-nodes 705000 #System aliases loopback = "{ lo0 }" WAN = "{ pppoe1 }" LAN = "{ em0 }" CAMERAS = "{ em0.1 }" OpenVPN = "{ openvpn }" #SSH Lockout Table table persist table persist #Snort tables table table table persist file "/etc/bogons" table { 192.168.100.0/24 } table { 192.168.100.0/24 } # User Aliases Computers_Bypas_VPN = "{ 53:65535 }" table { 192.168.0.49 } Games_Consoles = "" table { 192.168.0.53 } Gaming_Computers = "" table { 192.168.0.11 } webservers = "" webserversPorts = "{ 80 443 21 }" # Gateways GWWAN_PPPOE = " route-to ( pppoe1 10.11.13.49 ) " GWNORDVPN_CANADA_VPNV4 = " " GWNORDVPN_USA_VPNV4 = " " set loginterface em0 set skip on pfsync0 scrub on $WAN all fragment reassemble scrub on $LAN all fragment reassemble scrub on $CAMERAS all fragment reassemble no nat proto carp no rdr proto carp nat-anchor "natearly/*" nat-anchor "natrules/*" # Outbound NAT rules (manual) no nat on $OpenVPN from $Games_Consoles to any # Xbox One Nat Setting block no nat on $CAMERAS from $Games_Consoles to any # Xbox One Nat Setting block nat on $WAN inet from $Games_Consoles to any -> 174.94.30.39/32 static-port # block downloader using isp nat on $WAN inet6 from $Games_Consoles to any -> (pppoe1) static-port # block downloader using isp nat on $WAN inet from any to $Games_Consoles -> 174.94.30.39/32 static-port # block downloader using isp nat on $WAN inet6 from any to $Games_Consoles -> (pppoe1) static-port # block downloader using isp nat on $WAN inet from 127.0.0.0/8 to any -> 174.94.30.39/32 port 1024:65535 # Auto created rule - localhost to WAN nat on $WAN inet from 127.0.0.0/8 to any port 500 -> 174.94.30.39/32 static-port # Auto created rule for ISAKMP - localhost to WAN nat on $WAN inet from 192.168.0.0/24 to any port 500 -> 174.94.30.39/32 static-port # Auto created rule for ISAKMP - LAN to WAN nat on $WAN inet from 192.168.0.0/24 to any -> 174.94.30.39/32 port 1024:65535 # Auto created rule - LAN to WAN nat on $WAN inet6 from ::1/128 to any port 500 -> (pppoe1) static-port # Auto created rule for ISAKMP - localhost to WAN nat on $WAN inet6 from ::1/128 to any -> (pppoe1) port 1024:65535 # Auto created rule - localhost to WAN nat on $WAN inet from 192.168.20.0/24 to any port 500 -> 174.94.30.39/32 static-port # Auto created rule for ISAKMP - CAMERAS to WAN nat on $WAN inet from 192.168.20.0/24 to any -> 174.94.30.39/32 port 1024:65535 # Auto created rule - CAMERAS to WAN nat on $WAN inet from 192.168.100.0/24 to any port 500 -> 174.94.30.39/32 static-port # Auto created rule for ISAKMP - OpenVPN server to WAN nat on $WAN inet from 192.168.100.0/24 to any -> 174.94.30.39/32 port 1024:65535 # Auto created rule - OpenVPN server to WAN # Load balancing anchor rdr-anchor "relayd/*" # TFTP proxy rdr-anchor "tftp-proxy/*" # NAT Inbound Redirects rdr on pppoe1 proto { tcp udp } from any to $Games_Consoles port 3544 -> $Games_Consoles # Reflection redirects rdr on { em0 em0.1 openvpn } proto { tcp udp } from any to $Games_Consoles port 3544 tag PFREFLECT -> 127.0.0.1 port 19000 rdr on pppoe1 proto { tcp udp } from any to $Games_Consoles port 3074 -> $Games_Consoles # Reflection redirects rdr on { em0 em0.1 openvpn } proto { tcp udp } from any to $Games_Consoles port 3074 tag PFREFLECT -> 127.0.0.1 port 19001 rdr on pppoe1 proto tcp from any to 174.94.30.39 port 80 -> 192.168.0.11 # Reflection redirects rdr on { em0 em0.1 openvpn } proto tcp from any to 174.94.30.39 port 80 tag PFREFLECT -> 127.0.0.1 port 19002 rdr on pppoe1 proto tcp from any to 192.168.0.11 port 80 -> 192.168.0.11 # Reflection redirects rdr on { em0 em0.1 openvpn } proto tcp from any to 192.168.0.11 port 80 tag PFREFLECT -> 127.0.0.1 port 19003 # UPnPd rdr anchor rdr-anchor "miniupnpd" anchor "relayd/*" anchor "openvpn/*" anchor "ipsec/*" # block IPv4 link-local. Per RFC 3927, link local "MUST NOT" be forwarded by a routing device, # and clients "MUST NOT" send such packets to a router. FreeBSD won't route 169.254./16, but # route-to can override that, causing problems such as in redmine #2073 block in log quick from 169.254.0.0/16 to any tracker 1000000101 label "Block IPv4 link-local" block in log quick from any to 169.254.0.0/16 tracker 1000000102 label "Block IPv4 link-local" #--------------------------------------------------------------------------- # default deny rules #--------------------------------------------------------------------------- block in log inet all tracker 1000000103 label "Default deny rule IPv4" block out log inet all tracker 1000000104 label "Default deny rule IPv4" block in log inet6 all tracker 1000000105 label "Default deny rule IPv6" block out log inet6 all tracker 1000000106 label "Default deny rule IPv6" # IPv6 ICMP is not auxilary, it is required for operation # See man icmp6(4) # 1 unreach Destination unreachable # 2 toobig Packet too big # 128 echoreq Echo service request # 129 echorep Echo service reply # 133 routersol Router solicitation # 134 routeradv Router advertisement # 135 neighbrsol Neighbor solicitation # 136 neighbradv Neighbor advertisement pass quick inet6 proto ipv6-icmp from any to any icmp6-type {1,2,135,136} tracker 1000000107 keep state # Allow only bare essential icmpv6 packets (NS, NA, and RA, echoreq, echorep) pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {129,133,134,135,136} tracker 1000000108 keep state pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {129,133,134,135,136} tracker 1000000109 keep state pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {128,133,134,135,136} tracker 1000000110 keep state pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type {128,133,134,135,136} tracker 1000000111 keep state pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {128,133,134,135,136} tracker 1000000112 keep state pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type {128,133,134,135,136} tracker 1000000113 keep state # We use the mighty pf, we cannot be fooled. block log quick inet proto { tcp, udp } from any port = 0 to any tracker 1000000114 label "Block traffic from port 0" block log quick inet proto { tcp, udp } from any to any port = 0 tracker 1000000115 label "Block traffic to port 0" block log quick inet6 proto { tcp, udp } from any port = 0 to any tracker 1000000116 label "Block traffic from port 0" block log quick inet6 proto { tcp, udp } from any to any port = 0 tracker 1000000117 label "Block traffic to port 0" # Snort package block log quick from to any tracker 1000000118 label "Block snort2c hosts" block log quick from any to tracker 1000000119 label "Block snort2c hosts" # SSH lockout block in log quick proto tcp from to (self) port 22 tracker 1000000301 label "sshguard" # webConfigurator lockout block in log quick proto tcp from to (self) port 8080 tracker 1000000351 label "webConfiguratorlockout" block in log quick from to any tracker 1000000400 label "virusprot overload table" antispoof log for $WAN tracker 1000001570 antispoof log for $LAN tracker 1000002620 # allow access to DHCP server on LAN pass in quick on $LAN proto udp from any port = 68 to 255.255.255.255 port = 67 tracker 1000002641 label "allow access to DHCP server" pass in quick on $LAN proto udp from any port = 68 to 192.168.0.1 port = 67 tracker 1000002642 label "allow access to DHCP server" pass out quick on $LAN proto udp from 192.168.0.1 port = 67 to any port = 68 tracker 1000002643 label "allow access to DHCP server" # allow access to DHCPv6 server on LAN # We need inet6 icmp for stateless autoconfig and dhcpv6 pass quick on $LAN inet6 proto udp from fe80::/10 to fe80::/10 port = 546 tracker 1000002651 label "allow access to DHCPv6 server" pass quick on $LAN inet6 proto udp from fe80::/10 to ff02::/16 port = 546 tracker 1000002652 label "allow access to DHCPv6 server" pass quick on $LAN inet6 proto udp from fe80::/10 to ff02::/16 port = 547 tracker 1000002653 label "allow access to DHCPv6 server" pass quick on $LAN inet6 proto udp from ff02::/16 to fe80::/10 port = 547 tracker 1000002654 label "allow access to DHCPv6 server" antispoof log for $CAMERAS tracker 1000003670 # loopback pass in on $loopback inet all tracker 1000004761 label "pass IPv4 loopback" pass out on $loopback inet all tracker 1000004762 label "pass IPv4 loopback" pass in on $loopback inet6 all tracker 1000004763 label "pass IPv6 loopback" pass out on $loopback inet6 all tracker 1000004764 label "pass IPv6 loopback" # let out anything from the firewall host itself and decrypted IPsec traffic pass out inet all keep state allow-opts tracker 1000004765 label "let out anything IPv4 from firewall host itself" pass out inet6 all keep state allow-opts tracker 1000004766 label "let out anything IPv6 from firewall host itself" pass out route-to ( pppoe1 10.11.13.49 ) from 174.94.30.39 to !174.94.30.39/32 tracker 1000004861 keep state allow-opts label "let out anything from firewall host itself" # make sure the user cannot lock himself out of the webConfigurator or SSH pass in quick on em0 proto tcp from any to (em0) port { 8080 80 22 } tracker 10000 keep state label "anti-lockout rule" # NAT Reflection rules pass in inet tagged PFREFLECT tracker 1000005181 keep state label "NAT REFLECT: Allow traffic to localhost" # User-defined rules follow anchor "userrules/*" pass in quick on $OpenVPN inet from any to any tracker 1536424561 keep state label "USER_RULE: OpenVPN openvpn remote access wizard" pass in quick on $WAN reply-to ( pppoe1 10.11.13.49 ) inet proto udp from any to 174.94.30.39 port 1196 tracker 1536806415 keep state label "USER_RULE: OpenVPN openvpn remote access wizard" pass in quick on $WAN $GWWAN_PPPOE inet proto tcp from $webservers to 174.94.30.39 port $webserversPorts tracker 1545745202 flags S/SA keep state label "USER_RULE" # returning at dst == "/" label "USER_RULE" pass in quick on $LAN inet from $Games_Consoles to tracker 10000001 keep state label "NEGATE_ROUTE: Negate policy routing for destination" pass in quick on $LAN $GWWAN_PPPOE inet from $Games_Consoles to any tracker 1552965170 keep state label "USER_RULE: xbox bypass vpn" pass in quick on $LAN inet from 192.168.0.11 to tag "NO_WAN_EGRESS" tracker 10000002 keep state label "NEGATE_ROUTE: Negate policy routing for destination" pass in quick on $LAN $GWNORDVPN_CANADA_VPNV4 inet from 192.168.0.11 to any tag "NO_WAN_EGRESS" tracker 1553044927 keep state label "USER_RULE: NordVPN Canada LAN" pass in quick on $LAN inet from 192.168.0.11 to tag "NO_WAN_EGRESS" tracker 10000003 keep state label "NEGATE_ROUTE: Negate policy routing for destination" pass in quick on $LAN $GWNORDVPN_USA_VPNV4 inet from 192.168.0.11 to any tag "NO_WAN_EGRESS" tracker 1553048589 keep state label "USER_RULE: NordVPN USA LAN" pass in quick on $LAN inet from 192.168.0.0/24 to tracker 10000004 keep state label "NEGATE_ROUTE: Negate policy routing for destination" pass in quick on $LAN $GWNORDVPN_USA_VPNV4 inet from 192.168.0.0/24 to any tracker 1553045369 keep state label "USER_RULE: NordVPN USA LAN" pass in quick on $LAN inet from 192.168.0.0/24 to tracker 10000005 keep state label "NEGATE_ROUTE: Negate policy routing for destination" pass in quick on $LAN $GWNORDVPN_CANADA_VPNV4 inet from 192.168.0.0/24 to any tracker 1534464876 keep state label "USER_RULE: NordVPN Canada LAN" pass in quick on $LAN inet from 192.168.0.0/24 to any tracker 0100000101 keep state label "USER_RULE: Default allow LAN to any rule" # VPN Rules anchor "tftp-proxy/*" anchor "miniupnpd"