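#Vectorstar pf.conf
# 02/28/07
#
# Layout (pf requires this order): macros, options/scrub, ALTQ queues on the
# ISP link, NAT/rdr on the WAN segment, then filter rules grouped by interface.
# Changes vs. the previous revision: the file is one rule per line again, the
# shadowed ICMP rule is gone, and the DNS rule is split so $FLAGS only appears
# on the tcp rule. Filtering policy is otherwise unchanged; open questions are
# marked NOTE(review).

#####
## Configuration Options
#
IF_ISP = "fxp0"
IF_WAN = "vlan2"
IF_HOME = "vlan4"

# Network definition (for nat)
N_HOME = "192.168.1.0/24"

# Server restrictions
S_ALL = "71.41.67.104/29"
S_DNS = "{ 71.41.67.107/32, 71.41.67.108/32 }"
S_FTP = "{ 71.41.67.107/32, 71.41.67.109/32 }"
S_MAIL = "{ 71.41.67.108/32, 71.41.67.109/32 }"
# NOTE(review): a /29 here spans the whole 71.41.67.104/29 block (pf matches on
# the masked prefix, host bits are ignored), so the ssh/http rules below appear
# to admit every server in S_ALL rather than only .105. Use /32 if a single
# host is meant; left as-is pending confirmation.
S_SHELL = "71.41.67.105/29"
S_WEB = "71.41.67.105/29"
S_FW = "71.41.67.106/32"
S_PBX = "192.168.1.21/32"

# Blocked Ports
BLOCKEDPORTS = "{ 6667, 6668, 6669 }"

# Blocked Hosts
BLOCKEDHOSTS = "{ 218.212.207.0/24, 85.186.223.0/24, 67.170.35.42/32, 63.246.131.140/32, 69.59.184.196/32, 219.136.191.93/32, 212.175.99.9/32, 222.90.77.158/32 }"

# Shortcut arguments
# $FLAGS is only honoured on tcp rules; pf rejects it on icmp-only rules.
FLAGS = "flags S/SA"
STATE = "keep state"

#####
## Main defaults
#set optimization aggressive
scrub in all

# Bandwidth/QoS specifications
# Higher priority number = higher real priority
# Percentages on child queues are relative to the parent queue ("known").
altq on $IF_ISP bandwidth 768Kb hfsc queue { known, unknown }
queue known bandwidth 95% priority 1 { vpn, shit, home, icmp, http, mail, ftp, ssh, dns }
queue unknown bandwidth 5% priority 1 hfsc(default)
queue vpn bandwidth 10% priority 7 hfsc(realtime 20% upperlimit 50%)
queue shit bandwidth 1% priority 0 hfsc(realtime 1% upperlimit 25%)
queue home bandwidth 10% priority 1 hfsc(realtime 20% upperlimit 95%)
queue icmp bandwidth 1% priority 0 hfsc(realtime 1% upperlimit 5%)
queue http bandwidth 10% priority 3 hfsc(realtime 10% upperlimit 95%)
queue mail bandwidth 10% priority 4 hfsc(realtime 5% upperlimit 75%)
queue ssh bandwidth 10% priority 7 hfsc(realtime 10% upperlimit 25%)
queue ftp bandwidth 10% priority 2 hfsc(realtime 10% upperlimit 55%)
queue dns bandwidth 10% priority 6 hfsc(realtime 5% upperlimit 25%)

#####
## NAT Rules - must be inbetween queues and filtering
#
nat on $IF_WAN from $N_HOME -> ($IF_WAN:0)
#nat on $IF_WAN proto udp from $S_PBX to any -> ($IF_WAN:0) static-port

# haus-data web server passthru
rdr pass on $IF_WAN proto tcp to $S_FW port 80 -> 192.168.1.22 port 80

# ElectricSheep bittorrent passthru to alice
rdr pass on $IF_WAN proto tcp to $S_FW port 6881 -> 192.168.1.100

# VOIP protocols to pbx passthru
rdr pass on $IF_WAN proto udp to $S_FW port 10000:20000 -> $S_PBX # RTP matching asterisk's port range configured in rtp.conf
rdr pass on $IF_WAN proto tcp to $S_FW port 81 -> $S_PBX port 80 # HTTP mgmt
rdr pass on $IF_WAN proto udp to $S_FW port {5060,4569} -> $S_PBX # SIP and IAX2 Signal

# VOIP Keep State on Signaling traffic in order to handle remote firewall traversal
# NOTE(review): translation runs before filtering and "rdr pass" skips the
# filter rules, so this rule is not expected to be reached and "queue vpn" is
# not applied to signaling. To get the queue, drop "pass" from the rdr above
# and match "to $S_PBX" here. Left unchanged pending confirmation.
pass in quick on $IF_WAN proto udp from any to $S_FW port {5060,4569} $STATE queue vpn

### Loopback defaults
pass in quick on lo0 all
pass out quick on lo0 all

### ISP defaults
pass out quick on $IF_ISP all $STATE #queue outbound
# Default deny inbound on the ISP link; the server rules below are "quick" passes.
block in on $IF_ISP all

# Block inbound traffic from blocked hosts
block in log quick on $IF_ISP from $BLOCKEDHOSTS to any

### WAN defaults
# ident: don't let our servers request ident on outside people
block return-rst in quick on $IF_WAN proto tcp from $S_ALL to any port auth

# Block outbound traffic on disallowed ports
# ("in" on $IF_WAN is traffic leaving the server segment, i.e. outbound from
# the servers' point of view)
block in log quick on $IF_WAN proto { tcp, udp } from any to any port $BLOCKEDPORTS
pass out quick on $IF_WAN all
# Deliberately stateless ($STATE commented out); inbound policy for the
# servers is enforced on $IF_ISP, not here.
pass in quick on $IF_WAN all #$STATE

### Home port settings
# QoS-protect VPN sessions
pass in quick on $IF_HOME proto tcp from any to 65.207.138.4 port 10000 queue vpn
pass in quick on $IF_HOME proto udp from any to 65.207.138.4 port 500 queue vpn

# QoS-protect voice traffic from PBX outbound
pass in quick on $IF_HOME proto udp from $S_PBX to any $STATE queue vpn
pass in quick on $IF_HOME proto udp from any to 147.135.20.247/32 queue vpn

# Throttle haus website
pass in quick on $IF_HOME from 192.168.1.151 to any queue ftp

# Throttle electric sheep bittorrent
pass in quick on $IF_HOME proto tcp from 192.168.1.100 port 6881 to any queue shit

# Default traffic from home network
pass in quick on $IF_HOME all queue home
pass out quick on $IF_HOME all

#####
## Section 1: All Servers
#
# block LAN spoofing attempts.
# Because of our gateway being on the opposite side of the link, enabling
# this rule will shut off the internet! ACK!
#block out quick on $IF_WAN proto {tcp,udp,icmp} from $S_ALL to any

# ICMP (all icmp messages)
# pf doesn't like the flags
# The former second rule limited to icmp-type {3,11} (unreachable, time
# exceeded) was never evaluated: this "quick" rule already matches every ICMP
# message, so it was removed. If the intent is to admit only those two types,
# add "icmp-type {3,11}" to this rule instead of keeping a shadowed copy.
pass in quick on $IF_ISP proto icmp from any to $S_ALL $STATE queue icmp

# HTTP
pass in quick on $IF_ISP proto tcp from any to $S_WEB port {80,443} $FLAGS $STATE queue http

#####
## Section 2: Simple server-specific
#
# Section 2.1: FTP Server
# no S/SA here
pass in quick on $IF_ISP proto tcp from any to $S_FTP port {21,20} $STATE queue ftp
# Passive Ports >65000 must be configured in FTP daemon as well.
pass in quick on $IF_ISP proto tcp from any to $S_FTP port > 65000 $FLAGS $STATE queue ftp

# Section 2.2: DNS
# Split from one "proto {tcp,udp}" rule: $FLAGS only applies to tcp, so the udp
# rule now carries no flags. Expansion result is the same as before.
pass in quick on $IF_ISP proto tcp from any to $S_DNS port 53 $FLAGS $STATE queue dns
pass in quick on $IF_ISP proto udp from any to $S_DNS port 53 $STATE queue dns

# Section 2.3: Shell Server
# SSH - must keep state
pass in quick on $IF_ISP proto tcp from any to $S_SHELL port 22 $FLAGS $STATE queue ssh
# Telnet
#pass in quick on $IF_ISP proto tcp from any to $S_SHELL port 23 $FLAGS $STATE queue ssh

# Section 2.4: Mail Server
# SMTP
pass in quick on $IF_ISP proto tcp from any to $S_MAIL port {25,465} $FLAGS $STATE queue mail
# POP3
pass in quick on $IF_ISP proto tcp from any to $S_MAIL port {110,995} $FLAGS $STATE queue mail
# IMAP
pass in quick on $IF_ISP proto tcp from any to $S_MAIL port {143,993} $FLAGS $STATE queue mail

#####
## End of file.
#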