# pf ruleset in the form pfSense writes it (rules.debug / pfctl -sr style output).
#
# NOTE(review): this copy was flattened by extraction.  Rules had been run together
# onto a handful of physical lines (restored here to one statement per line, no
# tokens changed), and every name written in angle brackets (table references) or
# before "/*" (anchor paths) was dropped.  Lines marked "name stripped" read
# "from  to any" or 'anchor "/*"' and are NOT loadable until the <name> / anchor
# path is restored from the originating configuration.  Addresses are redacted
# as x.x.x.x throughout; link-local IPv6 addresses were left in.
#
# Reading guide: pf evaluates rules top to bottom and the LAST matching rule wins
# unless a rule carries "quick", which makes it final.  "ridentifier" is the
# numeric rule id that pfSense stamps on log entries, so the same id across
# several lines means one configured rule expanded into several pf rules.

# ---- runtime options ------------------------------------------------------
set hostid 0xbab4da81
set limit table-entries 400000        # upper bound on addresses held in tables
set optimization normal
set limit states 1621000              # state-table size; memory cost scales with it
set limit src-nodes 1621000

# ---- interface macros (pfSense interface name -> OS interface) --------------
loopback = "{ lo0 }"
WAN = "{ pppoe0 }"
LAGGLAN = "{ lagg0 }"                  # untagged LAGG; also the "LAN" of the anti-lockout rule below
OPT1 = "{ igb1 }"
MNGMTLAN = "{ lagg0.11 }"              # VLAN 11: management
FASTLAN = "{ lagg0.15 }"
MAINLAN = "{ lagg0.20 }"
LMTDLAN = "{ lagg0.30 }"               # VLAN 30: "limited" clients (see segmentation blocks below)
GUESTLAN = "{ lagg0.40 }"              # VLAN 40: guests (see segmentation blocks below)
OPENVPN1 = "{ ovpns1 }"
OpenVPN = "{ openvpn }"                # group interface matching every OpenVPN instance

# ---- tables -----------------------------------------------------------------
# The five nameless lines below are pfSense's stock blocking tables; the order
# and the labels further down suggest sshguard, snort2c, virusprot, bogons and
# bogonsv6 respectively, but confirm against the source config before restoring.
table persist                          # name stripped (persist: survives reloads)
table                                  # name stripped
table                                  # name stripped
table persist file "/etc/bogons"       # name stripped; IPv4 bogon list loaded from file
table persist file "/etc/bogonsv6"     # name stripped; IPv6 bogon list loaded from file
table { x.x.x.x/24 }                   # name stripped; presumably an interface-network table
table { x.x.x.x/24 }                   # name stripped
table { x.x.x.x/24 }                   # name stripped

# Ports reachable by the anti-lockout rule.  80 is plain HTTP: confirm the GUI
# redirects it to HTTPS, or drop it from the list if HTTPS-only is intended.
FirewallAdminPorts = "{ 443 80 22 }"

# Gateway macros used for policy routing (route-to) of firewall-originated traffic.
GWWAN_PPPOE = " route-to ( pppoe0 x.x.x.x ) "
GWOPENVPN1_VPNV4 = " route-to ( ovpns1 x.x.x.x ) "

set loginterface lagg0                 # interface whose counters pfctl -si reports
set skip on { pfsync0 }                # state-sync traffic bypasses filtering entirely

# name stripped; loopback plus every local network (8 redacted /24s).  Presumably
# the table pfSense uses to exempt local destinations from policy routing; confirm.
table { 127.0.0.0/8 ::1 x.x.x.x/24 x.x.x.x/24 x.x.x.x/24 x.x.x.x/24 x.x.x.x/24 x.x.x.x/24 x.x.x.x/24 x.x.x.x/24 }

# ---- normalization: reassemble fragments on every interface, both families ---
scrub on pppoe0 inet all fragment reassemble
scrub on pppoe0 inet6 all fragment reassemble
scrub on lagg0 inet all fragment reassemble
scrub on lagg0 inet6 all fragment reassemble
scrub on igb1 inet all fragment reassemble
scrub on igb1 inet6 all fragment reassemble
scrub on lagg0.11 inet all fragment reassemble
scrub on lagg0.11 inet6 all fragment reassemble
scrub on lagg0.15 inet all fragment reassemble
scrub on lagg0.15 inet6 all fragment reassemble
scrub on lagg0.20 inet all fragment reassemble
scrub on lagg0.20 inet6 all fragment reassemble
scrub on lagg0.30 inet all fragment reassemble
scrub on lagg0.30 inet6 all fragment reassemble
scrub on lagg0.40 inet all fragment reassemble
scrub on lagg0.40 inet6 all fragment reassemble
scrub on ovpns1 inet all fragment reassemble
scrub on ovpns1 inet6 all fragment reassemble

# ---- translation -------------------------------------------------------------
no nat proto carp all                  # never translate CARP (HA) traffic
nat-anchor "miniupnpd" all             # UPnP daemon inserts its own NAT rules here
nat-anchor "/*" all                    # anchor path stripped
nat-anchor "/*" all                    # anchor path stripped
# Outbound NAT on WAN.  The source table after "from" is stripped on all four
# lines.  IKE (isakmp) keeps its source port (static-port) so IPsec peers see UDP 500
# unchanged; everything else is rewritten into the 1024:65535 range.
nat on pppoe0 inet from to any port = isakmp -> x.x.x.x static-port
nat on pppoe0 inet6 from to any port = isakmp -> (pppoe0) round-robin static-port
nat on pppoe0 inet from to any -> x.x.x.x port 1024:65535
nat on pppoe0 inet6 from to any -> (pppoe0) port 1024:65535 round-robin
no rdr proto carp all
rdr-anchor "/*" all                    # anchor path stripped
rdr-anchor "miniupnpd" all
binat-anchor "miniupnpd" all
anchor "/*" all                        # anchor path stripped
anchor "/*" all                        # anchor path stripped

# ---- filter rules: global blocks and default deny ------------------------------
block drop in log quick inet from 169.254.0.0/16 to any label "Block IPv4 link-local" ridentifier 1000000101
block drop in log quick inet from any to 169.254.0.0/16 label "Block IPv4 link-local" ridentifier 1000000102
# Default deny for both directions and both families.  These are deliberately NOT
# quick: every later "pass" (loopback, DHCP, user rules) overrides them by
# last-match.  Anything not matched further down is therefore dropped and logged.
block drop in log inet all label "Default deny rule IPv4" ridentifier 1000000103
block drop out log inet all label "Default deny rule IPv4" ridentifier 1000000104
block drop in log inet6 all label "Default deny rule IPv6" ridentifier 1000000105
block drop out log inet6 all label "Default deny rule IPv6" ridentifier 1000000106

# ---- ICMPv6 needed for IPv6 to function at all (PMTU, neighbor/router discovery) ---
# Unscoped: any interface, any address, for the four types listed.
pass quick inet6 proto ipv6-icmp all icmp6-type unreach keep state ridentifier 1000000107
pass quick inet6 proto ipv6-icmp all icmp6-type toobig keep state ridentifier 1000000107
pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state ridentifier 1000000107
pass quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state ridentifier 1000000107
# Link-local (fe80::/10) and link-scope multicast (ff02::/16) only; global
# addresses are not covered by these and fall through to the rules below.
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state ridentifier 1000000108
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state ridentifier 1000000108
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state ridentifier 1000000108
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state ridentifier 1000000108
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state ridentifier 1000000108
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state ridentifier 1000000109
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state ridentifier 1000000109
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state ridentifier 1000000109
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state ridentifier 1000000109
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state ridentifier 1000000109
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state ridentifier 1000000110
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state ridentifier 1000000110
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state ridentifier 1000000110
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state ridentifier 1000000110
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state ridentifier 1000000110
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state ridentifier 1000000111
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state ridentifier 1000000111
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state ridentifier 1000000111
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbrsol keep state ridentifier 1000000111
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbradv keep state ridentifier 1000000111
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state ridentifier 1000000112
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state ridentifier 1000000112
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state ridentifier 1000000112
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state ridentifier 1000000112
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state ridentifier 1000000112
# Unspecified source (::) is what a host uses during duplicate-address detection.
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type echoreq keep state ridentifier 1000000113
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type routersol keep state ridentifier 1000000113
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type routeradv keep state ridentifier 1000000113
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type neighbrsol keep state ridentifier 1000000113
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type neighbradv keep state ridentifier 1000000113

# ---- port 0 is never legitimate; drop in both directions, both families ----------
block drop log quick inet proto tcp from any port = 0 to any label "Block traffic from port 0" ridentifier 1000000114
block drop log quick inet proto udp from any port = 0 to any label "Block traffic from port 0" ridentifier 1000000114
block drop log quick inet proto tcp from any to any port = 0 label "Block traffic to port 0" ridentifier 1000000115
block drop log quick inet proto udp from any to any port = 0 label "Block traffic to port 0" ridentifier 1000000115
block drop log quick inet6 proto tcp from any port = 0 to any label "Block traffic from port 0" ridentifier 1000000116
block drop log quick inet6 proto udp from any port = 0 to any label "Block traffic from port 0" ridentifier 1000000116
block drop log quick inet6 proto tcp from any to any port = 0 label "Block traffic to port 0" ridentifier 1000000117
block drop log quick inet6 proto udp from any to any port = 0 label "Block traffic to port 0" ridentifier 1000000117

# ---- dynamically populated block lists (table names stripped on every line) ------
# Hosts the IDS flagged (snort2c table): blocked as source and as destination.
block drop log quick from to any label "Block snort2c hosts" ridentifier 1000000118
block drop log quick from any to label "Block snort2c hosts" ridentifier 1000000119
# Brute-force sources against SSH / the web GUI, fed by sshguard and the GUI
# lockout mechanism.  Only the one service port each is blocked, not the host.
block drop in log quick proto tcp from to (self) port = ssh label "sshguard" ridentifier 1000000301
block drop in log quick proto tcp from to (self) port = https label "GUI Lockout" ridentifier 1000000351
# Sources that exceeded a connection-rate limit (virusprot table).
block drop in log quick from to any label "virusprot overload table" ridentifier 1000000400

# ---- WAN (pppoe0) ingress hygiene ---------------------------------------------
# Bogon tables (names stripped; loaded from /etc/bogons and /etc/bogonsv6 above).
block drop in log quick on pppoe0 from to any label "block bogon IPv4 networks from WAN" ridentifier 11001
block drop in log quick on pppoe0 from to any label "block bogon IPv6 networks from WAN" ridentifier 11002
# Anti-spoof for the WAN address: the WAN IP may not arrive as a source on any
# other interface, nor at all on the inbound path; the fe80 line is the WAN
# link-local address.  Not quick, so a later quick pass could still override.
block drop in log on ! pppoe0 inet from x.x.x.x to any ridentifier 1000001470
block drop in log inet from x.x.x.x to any ridentifier 1000001470
block drop in log on pppoe0 inet6 from fe80::b696:91ff:feb2:f3f0 to any ridentifier 1000001470
# RFC 1918 / loopback / ULA sources have no business arriving from the Internet.
block drop in log quick on pppoe0 inet from 10.0.0.0/8 to any label "Block private networks from WAN block 10/8" ridentifier 12001
block drop in log quick on pppoe0 inet from 127.0.0.0/8 to any label "Block private networks from WAN block 127/8" ridentifier 12002
block drop in log quick on pppoe0 inet from 172.16.0.0/12 to any label "Block private networks from WAN block 172.16/12" ridentifier 12003
block drop in log quick on pppoe0 inet from 192.168.0.0/16 to any label "Block private networks from WAN block 192.168/16" ridentifier 12004
block drop in log quick on pppoe0 inet6 from fc00::/7 to any label "Block ULA networks from WAN block fc00::/7" ridentifier 12005

# ---- per-interface anti-spoof + DHCP server access ---------------------------------
# Same three-rule pattern for each internal interface: (1) the interface's own
# subnet is dropped if it shows up as a source on any OTHER interface, (2) the
# interface's own address is never a valid inbound source, (3) same for its
# link-local address.  Then DHCP discover/request (bootpc -> bootps) is passed to
# the broadcast address and to the interface address, and replies are passed out.
# The anti-spoof blocks are not quick; the DHCP passes are.

# LAGGLAN (lagg0)
block drop in log on ! lagg0 inet from x.x.x.x/24 to any ridentifier 1000002520
block drop in log inet from x.x.x.x to any ridentifier 1000002520
block drop in log on lagg0 inet6 from fe80::3eec:efff:fe3d:4732 to any ridentifier 1000002520
pass in quick on lagg0 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server" ridentifier 1000002541
pass in quick on lagg0 inet proto udp from any port = bootpc to x.x.x.x port = bootps keep state label "allow access to DHCP server" ridentifier 1000002542
pass out quick on lagg0 inet proto udp from x.x.x.x port = bootps to any port = bootpc keep state label "allow access to DHCP server" ridentifier 1000002543

# OPT1 (igb1)
block drop in log on ! igb1 inet from x.x.x.x/24 to any ridentifier 1000003570
block drop in log inet from x.x.x.x to any ridentifier 1000003570
block drop in log on igb1 inet6 from fe80::ae1f:6bff:fefe:953f to any ridentifier 1000003570
pass in quick on igb1 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server" ridentifier 1000003591
pass in quick on igb1 inet proto udp from any port = bootpc to x.x.x.x port = bootps keep state label "allow access to DHCP server" ridentifier 1000003592
pass out quick on igb1 inet proto udp from x.x.x.x port = bootps to any port = bootpc keep state label "allow access to DHCP server" ridentifier 1000003593

# MNGMTLAN (lagg0.11).  The VLAN sub-interfaces share lagg0's link-local address.
block drop in log on ! lagg0.11 inet from x.x.x.x/24 to any ridentifier 1000004620
block drop in log inet from x.x.x.x to any ridentifier 1000004620
block drop in log on lagg0.11 inet6 from fe80::3eec:efff:fe3d:4732 to any ridentifier 1000004620
pass in quick on lagg0.11 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server" ridentifier 1000004641
pass in quick on lagg0.11 inet proto udp from any port = bootpc to x.x.x.x port = bootps keep state label "allow access to DHCP server" ridentifier 1000004642
pass out quick on lagg0.11 inet proto udp from x.x.x.x port = bootps to any port = bootpc keep state label "allow access to DHCP server" ridentifier 1000004643

# FASTLAN (lagg0.15)
block drop in log on ! lagg0.15 inet from x.x.x.x/24 to any ridentifier 1000005670
block drop in log inet from x.x.x.x to any ridentifier 1000005670
block drop in log on lagg0.15 inet6 from fe80::3eec:efff:fe3d:4732 to any ridentifier 1000005670
pass in quick on lagg0.15 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server" ridentifier 1000005691
pass in quick on lagg0.15 inet proto udp from any port = bootpc to x.x.x.x port = bootps keep state label "allow access to DHCP server" ridentifier 1000005692
pass out quick on lagg0.15 inet proto udp from x.x.x.x port = bootps to any port = bootpc keep state label "allow access to DHCP server" ridentifier 1000005693

# MAINLAN (lagg0.20)
block drop in log on ! lagg0.20 inet from x.x.x.x/24 to any ridentifier 1000006720
block drop in log inet from x.x.x.x to any ridentifier 1000006720
block drop in log on lagg0.20 inet6 from fe80::3eec:efff:fe3d:4732 to any ridentifier 1000006720
pass in quick on lagg0.20 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server" ridentifier 1000006741
pass in quick on lagg0.20 inet proto udp from any port = bootpc to x.x.x.x port = bootps keep state label "allow access to DHCP server" ridentifier 1000006742
pass out quick on lagg0.20 inet proto udp from x.x.x.x port = bootps to any port = bootpc keep state label "allow access to DHCP server" ridentifier 1000006743

# LMTDLAN (lagg0.30)
block drop in log on ! lagg0.30 inet from x.x.x.x/24 to any ridentifier 1000007770
block drop in log inet from x.x.x.x to any ridentifier 1000007770
block drop in log on lagg0.30 inet6 from fe80::3eec:efff:fe3d:4732 to any ridentifier 1000007770
pass in quick on lagg0.30 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server" ridentifier 1000007791
pass in quick on lagg0.30 inet proto udp from any port = bootpc to x.x.x.x port = bootps keep state label "allow access to DHCP server" ridentifier 1000007792
pass out quick on lagg0.30 inet proto udp from x.x.x.x port = bootps to any port = bootpc keep state label "allow access to DHCP server" ridentifier 1000007793

# GUESTLAN (lagg0.40)
block drop in log on ! lagg0.40 inet from x.x.x.x/24 to any ridentifier 1000008820
block drop in log inet from x.x.x.x to any ridentifier 1000008820
block drop in log on lagg0.40 inet6 from fe80::3eec:efff:fe3d:4732 to any ridentifier 1000008820
pass in quick on lagg0.40 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server" ridentifier 1000008841
pass in quick on lagg0.40 inet proto udp from any port = bootpc to x.x.x.x port = bootps keep state label "allow access to DHCP server" ridentifier 1000008842
pass out quick on lagg0.40 inet proto udp from x.x.x.x port = bootps to any port = bootpc keep state label "allow access to DHCP server" ridentifier 1000008843

# OPENVPN1 (ovpns1): anti-spoof only, no DHCP.  The link-local address here is
# the same one listed for pppoe0 above; presumably both derive from the same
# MAC -- confirm it is not a copy/paste slip in the source config.
block drop in log on ! ovpns1 inet from x.x.x.x/24 to any ridentifier 1000009870
block drop in log inet from x.x.x.x to any ridentifier 1000009870
block drop in log on ovpns1 inet6 from fe80::b696:91ff:feb2:f3f0 to any ridentifier 1000009870

# ---- loopback and firewall-originated traffic -----------------------------------------
pass in on lo0 inet all flags S/SA keep state label "pass IPv4 loopback" ridentifier 1000010961
pass out on lo0 inet all flags S/SA keep state label "pass IPv4 loopback" ridentifier 1000010962
pass in on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback" ridentifier 1000010963
pass out on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback" ridentifier 1000010964
# Whatever the firewall itself sends is allowed out on every interface, IP options
# included (allow-opts).  Not quick: overrides the "Default deny ... out" above.
pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself" ridentifier 1000010965
pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself" ridentifier 1000010966
# Gateway-specific variants: traffic sourced from the WAN / VPN address is policy
# routed (route-to) through its own gateway, except to the negated destination.
pass out route-to (pppoe0 x.x.x.x) inet from x.x.x.x to ! x.x.x.x flags S/SA keep state allow-opts label "let out anything from firewall host itself" ridentifier 1000011061
pass out route-to (ovpns1 x.x.x.x) inet from x.x.x.x to ! x.x.x.x/24 flags S/SA keep state allow-opts label "let out anything from firewall host itself" ridentifier 1000011062

# ---- anti-lockout: GUI and SSH reachable from ANY source on lagg0 ---------------------
# This is the safety net that keeps the admin from being locked out of the box.
# It is quick and precedes every user rule, so nothing below can narrow it.  With
# a dedicated management VLAN (lagg0.11) in place it is worth deciding whether
# lagg0 still needs it; HTTP (port 80) is included alongside HTTPS and SSH.
pass in quick on lagg0 proto tcp from any to (lagg0) port = https flags S/SA keep state label "anti-lockout rule" ridentifier 10001
pass in quick on lagg0 proto tcp from any to (lagg0) port = http flags S/SA keep state label "anti-lockout rule" ridentifier 10001
pass in quick on lagg0 proto tcp from any to (lagg0) port = ssh flags S/SA keep state label "anti-lockout rule" ridentifier 10001
anchor "/*" all                        # anchor path stripped

# ---- user rules (USER_RULE labels; the id: label is the GUI tracker) ---------------------
# OpenVPN clients: unrestricted, IPv4, to anything -- including the management
# VLAN and the firewall itself.  No per-VPN segmentation is applied here.
pass in quick on openvpn inet all flags S/SA keep state label "USER_RULE: OpenVPN1 allow all" label "id:1641123022" ridentifier 1641123022
# The OpenVPN server port on WAN; reply-to pins the return path to the WAN gateway.
pass in quick on pppoe0 reply-to (pppoe0 x.x.x.x) inet proto udp from any to x.x.x.x port = openvpn keep state label "USER_RULE: Open VPN Server Access" label "id:1641121644" ridentifier 1641121644
# Trusted networks: each may reach "any" destination, which covers every other
# VLAN and every service on the firewall.  Only IPv4 is passed; IPv6 on these
# interfaces falls through to the default deny.
pass in quick on lagg0 inet from x.x.x.x/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule" label "id:0100000101" ridentifier 100000101
# NOTE(review): label says "LAGLAN" but the interface is igb1 (OPT1 macro) -- confirm the label.
pass in quick on igb1 inet from x.x.x.x/24 to any flags S/SA keep state label "USER_RULE: LAGLAN to any IPv4 Allow" label "id:1601006074" ridentifier 1601006074
pass in quick on lagg0.11 inet from x.x.x.x/24 to any flags S/SA keep state label "USER_RULE: MNGMTLAN to any IPv4 Allow" label "id:1601007345" ridentifier 1601007345
pass in quick on lagg0.15 inet from x.x.x.x/24 to any flags S/SA keep state label "USER_RULE: FASTLAN to any IPv4 Allow" label "id:1601007508" ridentifier 1601007508
pass in quick on lagg0.20 inet from x.x.x.x/24 to any flags S/SA keep state label "USER_RULE: MAINLAN to any IPv4 Allow" label "id:1601007603" ridentifier 1601007603

# LMTDLAN (lagg0.30): quick blocks first, then a pass-to-any.  The blocks cover
# TCP 443/80/22 to any firewall address and the Management and LAGG VLAN subnets
# only.  Other firewall services on other ports, and the FASTLAN / MAINLAN /
# OPT1 / GUESTLAN subnets, remain reachable through the pass below -- compare
# the fuller GUESTLAN set further down and confirm this asymmetry is intended.
block drop in quick on lagg0.30 inet proto tcp from x.x.x.x/24 to (self) port = https flags S/SA label "USER_RULE: Block access to firewall management" label "id:1641111037" ridentifier 1641111037
block drop in quick on lagg0.30 inet proto tcp from x.x.x.x/24 to (self) port = http flags S/SA label "USER_RULE: Block access to firewall management" label "id:1641111037" ridentifier 1641111037
block drop in quick on lagg0.30 inet proto tcp from x.x.x.x/24 to (self) port = ssh flags S/SA label "USER_RULE: Block access to firewall management" label "id:1641111037" ridentifier 1641111037
block drop in quick on lagg0.30 inet from x.x.x.x/24 to x.x.x.x/24 label "USER_RULE: Block access to Management VLAN" label "id:1641112119" ridentifier 1641112119
block drop in quick on lagg0.30 inet from x.x.x.x/24 to x.x.x.x/24 label "USER_RULE: Block access to LAGG VLAN" label "id:1641112672" ridentifier 1641112672
pass in quick on lagg0.30 inet from x.x.x.x/24 to any flags S/SA keep state label "USER_RULE: LMTDLAN to any IPv4 Allow" label "id:1601944154" ridentifier 1601944154

# GUESTLAN (lagg0.40): management ports on the firewall and every internal subnet
# are blocked before the pass-to-any, so guests get Internet only.  The subnet
# blocks are enumerated one /24 at a time: a new VLAN is reachable from guests
# until a matching block is added here.  The firewall block is TCP 443/80/22
# only; whatever other services the firewall exposes stay reachable via the pass.
block drop in quick on lagg0.40 inet proto tcp from x.x.x.x/24 to (self) port = https flags S/SA label "USER_RULE: Block access to firewall management" label "id:1641109562" ridentifier 1641109562
block drop in quick on lagg0.40 inet proto tcp from x.x.x.x/24 to (self) port = http flags S/SA label "USER_RULE: Block access to firewall management" label "id:1641109562" ridentifier 1641109562
block drop in quick on lagg0.40 inet proto tcp from x.x.x.x/24 to (self) port = ssh flags S/SA label "USER_RULE: Block access to firewall management" label "id:1641109562" ridentifier 1641109562
block drop in quick on lagg0.40 inet from x.x.x.x/24 to x.x.x.x/24 label "USER_RULE: Block access to Management VLAN" label "id:1641109030" ridentifier 1641109030
block drop in quick on lagg0.40 inet from x.x.x.x/24 to x.x.x.x/24 label "USER_RULE: Block access to LAGG VLAN" label "id:1641109325" ridentifier 1641109325
block drop in quick on lagg0.40 inet from x.x.x.x/24 to x.x.x.x/24 label "USER_RULE: Block access to fast VLAN" label "id:1641109236" ridentifier 1641109236
block drop in quick on lagg0.40 inet from x.x.x.x/24 to x.x.x.x/24 label "USER_RULE: Block access to Main VLAN" label "id:1641109140" ridentifier 1641109140
block drop in quick on lagg0.40 inet from x.x.x.x/24 to x.x.x.x/24 label "USER_RULE: Block access to limited VLAN" label "id:1641109421" ridentifier 1641109421
block drop in quick on lagg0.40 inet from x.x.x.x/24 to x.x.x.x/24 label "USER_RULE: Block access to OPT1" label "id:1641112194" ridentifier 1641112194
pass in quick on lagg0.40 inet from x.x.x.x/24 to any flags S/SA keep state label "USER_RULE: GuestLAN to any IPv4 Allow" label "id:1601944250" ridentifier 1601944250
anchor "/*" all                        # anchor path stripped