set limit table-entries 400000 set optimization normal set limit states 96000 set limit src-nodes 96000 #System aliases loopback = "{ lo0 }" WAN = "{ vtnet0 }" LAN = "{ vtnet1 }" #SSH Lockout Table table persist #Snort tables table table table persist file "/etc/bogons" table persist file "/etc/bogonsv6" table # User Aliases # Gateways GWWAN_DHCP = " route-to ( vtnet0 10.2.0.1 ) " GWWAN_DHCP6 = " route-to ( vtnet0 10.2.0.1 ) " set loginterface vtnet1 set skip on pfsync0 scrub on $WAN inet all fragment reassemble scrub on $WAN inet6 all fragment reassemble scrub on $LAN inet all fragment reassemble scrub on $LAN inet6 all fragment reassemble no nat proto carp no rdr proto carp nat-anchor "natearly/*" nat-anchor "natrules/*" # Outbound NAT rules (automatic) # Subnets to NAT tonatsubnets = "{ 127.0.0.0/8 ::1/128 10.3.0.0/24 }" nat on $WAN inet from $tonatsubnets to any port 500 -> 10.2.0.101/32 static-port nat on $WAN inet6 from $tonatsubnets to any port 500 -> (vtnet0) static-port nat on $WAN inet from $tonatsubnets to any -> 10.2.0.101/32 port 1024:65535 nat on $WAN inet6 from $tonatsubnets to any -> (vtnet0) port 1024:65535 # TFTP proxy rdr-anchor "tftp-proxy/*" # UPnPd rdr anchor rdr-anchor "miniupnpd" anchor "openvpn/*" anchor "ipsec/*" # block IPv4 link-local. Per RFC 3927, link local "MUST NOT" be forwarded by a routing device, # and clients "MUST NOT" send such packets to a router. FreeBSD won't route 169.254./16, but # route-to can override that, causing problems such as in redmine #2073 block in log quick from 169.254.0.0/16 to any tracker 1000103481 label "Block IPv4 link-local" block in log quick from any to 169.254.0.0/16 tracker 1000103482 label "Block IPv4 link-local" #--------------------------------------------------------------------------- # default deny rules #--------------------------------------------------------------------------- block in log inet all tracker 1000103483 label "Default deny rule IPv4" block out log inet all tracker 1000103484 label "Default deny rule IPv4" block in log inet6 all tracker 1000103485 label "Default deny rule IPv6" block out log inet6 all tracker 1000103486 label "Default deny rule IPv6" # IPv6 ICMP is not auxiliary, it is required for operation # See man icmp6(4) # 1 unreach Destination unreachable # 2 toobig Packet too big # 128 echoreq Echo service request # 129 echorep Echo service reply # 133 routersol Router solicitation # 134 routeradv Router advertisement # 135 neighbrsol Neighbor solicitation # 136 neighbradv Neighbor advertisement pass quick inet6 proto ipv6-icmp from any to any icmp6-type {1,2,135,136} tracker 1000103487 keep state # Allow only bare essential icmpv6 packets (NS, NA, and RA, echoreq, echorep) pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {129,133,134,135,136} tracker 1000103488 keep state pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {129,133,134,135,136} tracker 1000103489 keep state pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {128,133,134,135,136} tracker 1000103490 keep state pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type {128,133,134,135,136} tracker 1000103491 keep state pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {128,133,134,135,136} tracker 1000103492 keep state pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type {128,133,134,135,136} tracker 1000103493 keep state # We use the mighty pf, we cannot be fooled. block log quick inet proto { tcp, udp } from any port = 0 to any tracker 1000103494 label "Block traffic from port 0" block log quick inet proto { tcp, udp } from any to any port = 0 tracker 1000103495 label "Block traffic to port 0" block log quick inet6 proto { tcp, udp } from any port = 0 to any tracker 1000103496 label "Block traffic from port 0" block log quick inet6 proto { tcp, udp } from any to any port = 0 tracker 1000103497 label "Block traffic to port 0" # Snort package block log quick from to any tracker 1000103498 label "Block snort2c hosts" block log quick from any to tracker 1000103499 label "Block snort2c hosts" # SSH lockout block in log quick proto tcp from to (self) port 22 tracker 1000103681 label "sshguard" # webConfigurator lockout block in log quick proto tcp from to (self) port 80 tracker 1000103731 label "GUI Lockout" block in log quick from to any tracker 1000000400 label "virusprot overload table" # allow our DHCP client out to the WAN pass in quick on $WAN proto udp from any port = 67 to any port = 68 tracker 1000103941 label "allow dhcp client out WAN" pass out quick on $WAN proto udp from any port = 68 to any port = 67 tracker 1000103942 label "allow dhcp client out WAN" # Not installing DHCP server firewall rules for WAN which is configured for DHCP. # allow our DHCPv6 client out to the WAN pass in quick on $WAN proto udp from fe80::/10 port = 546 to fe80::/10 port = 546 tracker 1000103943 label "allow dhcpv6 client in WAN" pass in quick on $WAN proto udp from any port = 547 to any port = 546 tracker 1000103944 label "allow dhcpv6 client in WAN" # Add Priority to dhcp6c packets if enabled pass out quick on $WAN proto udp from any port = 546 to any port = 547 tracker 1000103945 label "allow dhcpv6 client out WAN" # block bogon networks (IPv4) # http://www.cymru.com/Documents/bogon-bn-nonagg.txt block in log quick on $WAN from to any tracker 11003 label "block bogon IPv4 networks from WAN" # block bogon networks (IPv6) # http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt block in log quick on $WAN from to any tracker 11004 label "block bogon IPv6 networks from WAN" antispoof log for $WAN tracker 1000104950 # block anything from private networks on interfaces with the option set block in log quick on $WAN from 10.0.0.0/8 to any tracker 12006 label "Block private networks from WAN block 10/8" block in log quick on $WAN from 127.0.0.0/8 to any tracker 12007 label "Block private networks from WAN block 127/8" block in log quick on $WAN from 172.16.0.0/12 to any tracker 12008 label "Block private networks from WAN block 172.16/12" block in log quick on $WAN from 192.168.0.0/16 to any tracker 12009 label "Block private networks from WAN block 192.168/16" block in log quick on $WAN from fc00::/7 to any tracker 12010 label "Block ULA networks from WAN block fc00::/7" antispoof log for $LAN tracker 1000106000 # allow access to DHCP server on LAN pass in quick on $LAN proto udp from any port = 68 to 255.255.255.255 port = 67 tracker 1000106021 label "allow access to DHCP server" pass in quick on $LAN proto udp from any port = 68 to 10.3.0.2 port = 67 tracker 1000106022 label "allow access to DHCP server" pass out quick on $LAN proto udp from 10.3.0.2 port = 67 to any port = 68 tracker 1000106023 label "allow access to DHCP server" # allow access to DHCPv6 server on LAN # We need inet6 icmp for stateless autoconfig and dhcpv6 pass quick on $LAN inet6 proto udp from fe80::/10 to fe80::/10 port = 546 tracker 1000106031 label "allow access to DHCPv6 server" pass quick on $LAN inet6 proto udp from fe80::/10 to ff02::/16 port = 546 tracker 1000106032 label "allow access to DHCPv6 server" pass quick on $LAN inet6 proto udp from fe80::/10 to ff02::/16 port = 547 tracker 1000106033 label "allow access to DHCPv6 server" pass quick on $LAN inet6 proto udp from ff02::/16 to fe80::/10 port = 547 tracker 1000106034 label "allow access to DHCPv6 server" # loopback pass in on $loopback inet all tracker 1000106041 label "pass IPv4 loopback" pass out on $loopback inet all tracker 1000106042 label "pass IPv4 loopback" pass in on $loopback inet6 all tracker 1000106043 label "pass IPv6 loopback" pass out on $loopback inet6 all tracker 1000106044 label "pass IPv6 loopback" # let out anything from the firewall host itself and decrypted IPsec traffic pass out inet all keep state allow-opts tracker 1000106045 label "let out anything IPv4 from firewall host itself" pass out inet6 all keep state allow-opts tracker 1000106046 label "let out anything IPv6 from firewall host itself" pass out route-to ( vtnet0 10.2.0.1 ) from 10.2.0.101 to !10.2.0.0/24 tracker 1000106141 keep state allow-opts label "let out anything from firewall host itself" # make sure the user cannot lock himself out of the webConfigurator or SSH pass in quick on vtnet1 proto tcp from any to (vtnet1) port { 80 22 } tracker 10002 keep state label "anti-lockout rule" # User-defined rules follow anchor "userrules/*" pass in quick on $WAN reply-to ( vtnet0 10.2.0.1 ) inet proto tcp from any to any port 22 tracker 1623359549 flags S/SA keep state label "USER_RULE: Easy Rule: Passed from Firewall Log View" pass in quick on $WAN reply-to ( vtnet0 10.2.0.1 ) inet proto tcp from any to any port 22 tracker 1623359666 flags S/SA keep state label "USER_RULE: Easy Rule: Passed from Firewall Log View" pass in quick on $WAN reply-to ( vtnet0 10.2.0.1 ) inet proto tcp from any to any port 22 tracker 1623359880 flags S/SA keep state label "USER_RULE: Easy Rule: Passed from Firewall Log View" pass in quick on $LAN inet from 10.3.0.0/24 to any tracker 0100000101 keep state label "USER_RULE: Default allow LAN to any rule" # at the break! label "USER_RULE: Default allow LAN IPv6 to any rule" pass in quick on $LAN inet proto tcp from any to any port 22 tracker 1623359684 flags S/SA keep state label "USER_RULE: Easy Rule: Passed from Firewall Log View" pass in quick on $LAN inet proto tcp from any to any port 22 tracker 1623359871 flags S/SA keep state label "USER_RULE: Easy Rule: Passed from Firewall Log View" pass in quick on $WAN reply-to ( vtnet0 10.2.0.1 ) inet proto tcp from 10.2.0.3 to 10.2.0.101 port 22 tracker 1623360909 flags S/SA keep state label "USER_RULE: Easy Rule: Passed from Firewall Log View" # VPN Rules anchor "tftp-proxy/*"