
FreeBSD PF Firewall Examples

PF example for VPN / OpenVPN / NAT:

Note :

ExtIf : outside (external) network interface

BackIf : inside (local) network interface

TunIf : VPN tunnel interface

### Interfaces ###
# Interface macros used by every rule below; the values are host-specific.
ExtIf ="em0"
BackIf ="em1"
TunIf ="tun0"

### Services ###
# NOTE(review): despite the name, this list also contains 53 (DNS) and 2525
# (presumably an alternate mail port). Every port in it is admitted by the
# "SSH" rule below, under the SSH tracking limits ($SshSTO).
my_ssh_services = "{ 22, 53, 2222, 2525 }"
my_web_services = "{ 80, 443 }"

### Hosts / Networks / Groups ###
# Public IPv4/IPv6 addresses of this host on $ExtIf. $outside_ip6 is only
# used by the inbound SSH/web rules and the outbound ICMPv6 rule.
outside_ip ="111.22.33.44"
outside_ip6 ="111:222:333:44::5"
# This host's address on $BackIf.
back_ip ="192.168.19.1"
# Network behind the VPN peer, allowed in over $TunIf towards $back_net.
remote_net = "192.168.1.0/24"
# Local network on $BackIf; NATed to $outside_ip when leaving $ExtIf.
back_net = "192.168.19.0/24"
# Addresses handed to VPN clients; also NATed to $outside_ip on $ExtIf.
vpn_net = "192.168.20.0/24"

### Options ###
# Blocked packets are dropped silently instead of answered with RST/ICMP.
set block-policy drop
# OS fingerprint database; no rule in this listing uses "os" matching.
set fingerprints "/etc/pf.os"
# Disable the ruleset optimizer so rules are loaded exactly as written.
set ruleset-optimization none

### Timeouts ###
# "normal" is the default timeout profile; the two values below override it.
set optimization normal
set timeout { tcp.closing 60, tcp.established 7200 }

### Queues, States and Types ###
# TcpState: only packets with SYN set and ACK clear create state, and the
# initial sequence numbers are modulated.
TcpState ="flags S/SA modulate state"
# PlainState is defined but not referenced by any rule in this listing.
PlainState ="flags S/SA keep state"
UdpState ="keep state"

### Stateful Tracking Options (STO) ###
# OpenSTO and SmtpSTO are defined but not referenced by any rule in this
# listing; SshSTO and WebSTO are used by the inbound SSH and web rules.
# NOTE(review): SshSTO and WebSTO refer to the table <childrens>, which is
# never declared in this listing. pfctl rejects a ruleset that references an
# undeclared table, so "table <childrens> persist" is needed before these
# macros are used. Nothing here blocks traffic from <childrens> either, so
# "overload ... flush global" only records the offending source and kills its
# existing states; new connections from it are still accepted.
OpenSTO = "(max 90000, source-track rule, max-src-conn 1000, max-src-nodes 256)"
SmtpSTO = "(max   200, source-track rule, max-src-conn   10, max-src-nodes 256, max-src-conn-rate 200/30)"
SshSTO  = "(max   100, source-track rule, max-src-conn   64, max-src-nodes 100, max-src-conn-rate 100/30,  overload <childrens> flush global)"
WebSTO  = "(max  4096, source-track rule, max-src-conn 256, max-src-nodes 512, max-src-conn-rate 500/100, overload <childrens> flush global)"

# Normalise traffic on the external interface before it is filtered:
# reassemble fragments and normalise TCP; outbound, clear the DF bit and
# randomise the IP identification field.
scrub log on $ExtIf all reassemble tcp fragment reassemble
scrub out on $ExtIf no-df random-id

# Loopback is exempt from filtering altogether.
set skip on lo0

# Source-NAT the VPN clients and the backend network to the public address.
# "static-port" keeps the original source port instead of letting pf
# rewrite it.
nat on $ExtIf from $vpn_net to any -> $outside_ip static-port
nat on $ExtIf from $back_net to any -> $outside_ip static-port

# Explicitly state that nothing is redirected (there are no rdr rules).
no rdr

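# Table fed by the "overload <childrens>" clauses in $SshSTO and $WebSTO.
# It must exist before a rule references it (pfctl refuses to load a
# ruleset that uses an undeclared table); "persist" keeps it across reloads
# even when empty. pf adds entries on its own; inspect them with
# "pfctl -t childrens -T show".
table <childrens> persist

# Final rule - goes first.
# pf uses last-match semantics: this default deny is overridden by any later
# matching "pass" rule that does not use "quick".
block in log all

# Sources that tripped the SSH/web connection-rate limits are blocked
# outright on the external interface. Without this rule the overload clause
# would only fill the table and flush the offender's existing states; new
# connections from it would still be accepted.
block in log quick on $ExtIf from <childrens> to any

# Inbound
# SSH -- and every other TCP port in $my_ssh_services (53, 2222, 2525) --
# to both public addresses, with the SSH tracking limits.
pass in on $ExtIf proto tcp from any to { $outside_ip, $outside_ip6 } \
port $my_ssh_services $TcpState $SshSTO

# Web
pass in on $ExtIf proto tcp from any to { $outside_ip, $outside_ip6 } \
port $my_web_services $TcpState $WebSTO

# NOTE(review): nothing here passes an OpenVPN listening port (udp 1194 by
# default) in on $ExtIf. Confirm the daemon listens on one of the TCP ports
# above, or add a rule for its port.

# Allow anything from remote network to backend network
# "quick" stops evaluation here; "reply-to $TunIf" routes the replies back
# through the tunnel regardless of the routing table. The ICMP rule has no
# explicit state option.
pass in quick on $TunIf reply-to $TunIf from $remote_net to $back_net $UdpState
pass in quick on $TunIf reply-to $TunIf proto tcp from $remote_net to $back_net $TcpState
pass in quick on $TunIf reply-to $TunIf inet proto icmp from $remote_net to $back_net

# This server outbound
# NOTE(review): only ICMPv6 is passed out from $outside_ip6. There is no
# "block out", so IPv6 TCP/UDP from this host still leaves, but without a
# state entry its replies appear to hit "block in log all".
pass out on $ExtIf from $outside_ip to any $UdpState
pass out on $ExtIf proto tcp from $outside_ip to any $TcpState
pass out on $ExtIf inet proto icmp from $outside_ip to any
pass out on $ExtIf inet6 proto ipv6-icmp from $outside_ip6 to any

pass out on $BackIf from $back_ip to any $UdpState
pass out on $BackIf proto tcp from $back_ip to any $TcpState
pass out on $BackIf inet proto icmp from $back_ip to any

# Allow outbound from VPN clients
# "to any" includes $back_net and this host itself; narrow the destination
# if clients should only reach the Internet.
pass in on $TunIf from $vpn_net to any $UdpState
pass in on $TunIf proto tcp from $vpn_net to any $TcpState
pass in on $TunIf inet proto icmp from $vpn_net to any

# All outbound from backend network
# The backend may initiate anywhere except towards $remote_net; the
# remote-to-backend direction is covered by the $TunIf rules above.
pass in on $BackIf from $back_net to !$remote_net $UdpState
pass in on $BackIf proto tcp from $back_net to !$remote_net $TcpState
pass in on $BackIf inet proto icmp from $back_net to !$remote_net

# End of config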
Original :



# Single-interface variant: one NIC, everything from $internal_net NATed
# to the public address.
my_int = "vtnet0"
internal_net = "192.168.0.0/16"
# The public address is masked on the wiki; substitute the real one.
external_addr = "37.48.xx.xx"
nat on $my_int from $internal_net to any -> $external_addr
set skip on lo
# Default deny for inbound traffic, logged. pf uses last-match semantics, so
# any later matching "pass" rule without "quick" overrides it.
block in log all
# Inbound services: SSH, HTTP and OpenVPN (TCP and UDP 1194).
pass in on $my_int proto tcp from any to any port 22 keep state
pass in on $my_int proto tcp from any to any port 80 keep state
pass in on $my_int proto tcp from any to any port 1194 keep state
pass in on $my_int proto udp from any to any port 1194 keep state
# Every ICMP type, from any source; "quick" ends evaluation for these packets.
pass in quick on $my_int proto icmp all keep state
# NOTE(review): GRE is accepted from any source on any interface. If it is
# only needed for a specific tunnel peer, restrict "from" to that peer.
pass in proto gre all keep state
# NOTE(review): these two rules are not bound to an interface, so they also
# match on $my_int. A packet arriving from outside with a forged 192.168/16
# source address is therefore passed, and they carry no explicit state
# option. Bind them to whichever interface actually carries $internal_net
# ("pass in on <internal-if> ..."), or add an antispoof rule for it.
pass in from any to $internal_net
pass in from $internal_net to any
pass out proto { gre, tcp, udp, icmp } all keep state

# default openvpn settings for the client network
vpnclients = "10.8.0.0/24"
#put your wan interface here (it will almost certainly be different)
wanint = "vtnet0"
# put your tunnel interface here, it is usually tun0
vpnint = "tun0"
# OpenVPN by default runs on udp port 1194
udpopen = "{1194}"
# ICMP types admitted by the last rule: echo request (ping) and destination
# unreachable (needed for path-MTU discovery).
icmptypes = "{echoreq, unreach}"

set skip on lo
# the essential line
# Source-NAT the VPN clients to the WAN interface; "-> $wanint" uses the
# interface's own address, so no public address needs to be hard-coded.
nat on $wanint inet from $vpnclients to any -> $wanint

# Default deny inbound. Unlike the examples above this does not log, so
# blocked probes leave no trace in pflog; "block in log" would record them.
block in
# OpenVPN listener, addressed to the WAN interface's own address.
pass in on $wanint proto udp from any to $wanint port $udpopen
pass in on $wanint proto tcp from any to any port 22 keep state
pass in on $wanint proto tcp from any to any port 80 keep state
pass in on $wanint proto tcp from any to any port 443 keep state
# the following two lines could be made stricter if you don't trust the clients
pass out quick
# Everything arriving over the tunnel is accepted, including client-to-client
# traffic and traffic to this host; restrict the source to $vpnclients and
# the destination if the clients are not trusted.
pass in on $vpnint from any to any
# Not bound to an interface: the listed ICMP types are also accepted on the
# WAN interface.
pass in inet proto icmp all icmp-type $icmptypes