| 1 | = FreeBSD PF Firewall Examples = |
| 2 | |
PF example for a gateway running OpenVPN (tun0) that source-NATs the backend LAN and the VPN client network out of the external interface:
| 4 | |
| 5 | {{{ |
### Interfaces ###
# $ExtIf is the Internet-facing interface (NAT and the public addresses live
# here), $BackIf the backend LAN, $TunIf the OpenVPN tunnel.
ExtIf = "em0"
BackIf = "em1"
TunIf = "tun0"

### Services ###
# TCP ports reachable from the Internet under the $SshSTO limits.
# NOTE(review): besides SSH (22, 2222) this list also exposes 53/tcp and 2525
# to the Internet; confirm both are meant to be public, and give them their
# own macro and tracking limits if they are.
my_ssh_services = "{ 22, 53, 2222, 2525 }"
# TCP ports reachable from the Internet under the $WebSTO limits.
my_web_services = "{ 80, 443 }"

### Hosts / Networks / Groups ###
# Public IPv4 / IPv6 addresses of this gateway on $ExtIf (example values).
outside_ip = "111.22.33.44"
outside_ip6 = "111:222:333:44::5"
# This gateway's own address on the backend LAN.
back_ip = "192.168.19.1"
# Network on the far side of $TunIf that is allowed to reach $back_net.
remote_net = "192.168.1.0/24"
# Backend LAN behind $BackIf (source-NATed on the way out of $ExtIf).
back_net = "192.168.19.0/24"
# VPN client addresses arriving on $TunIf (source-NATed on the way out).
vpn_net = "192.168.20.0/24"
| 22 | |
### Options ###
# Silently drop blocked packets instead of answering with RST / unreachable.
set block-policy drop
# OS fingerprint database for the "os" keyword.
set fingerprints "/etc/pf.os"
# Load the rules exactly as written; rule order is significant below.
set ruleset-optimization none
set optimization normal

### Timeouts ###
# Seconds. tcp.established is shortened from pf's default so idle
# connections leave the state table sooner.
set timeout { tcp.closing 60, tcp.established 7200 }

### Queues, States and Types ###
# TCP rules: only an initial SYN creates state, with ISN modulation.
TcpState = "flags S/SA modulate state"
# Same SYN check without ISN modulation (not referenced by any rule here).
PlainState = "flags S/SA keep state"
# Plain stateful tracking. The rules that use it specify no "proto", so
# despite the name it applies to every protocol, not only UDP.
UdpState = "keep state"

### Stateful Tracking Options (STO) ###
# max                    states this rule may create
# max-src-conn           concurrent connections per source address
# max-src-nodes          source addresses tracked
# max-src-conn-rate N/S  new connections per source per S seconds
# overload <t> flush global  on a rate breach, add the source to table <t>
#                        and kill all of its states; the table has no effect
#                        unless a block rule of its own references it.
# $OpenSTO and $SmtpSTO are not referenced by any rule in this file.
OpenSTO = "(max 90000, source-track rule, max-src-conn 1000, max-src-nodes 256)"
SmtpSTO = "(max 200, source-track rule, max-src-conn 10, max-src-nodes 256, max-src-conn-rate 200/30)"
# NOTE(review): 64 concurrent and 100 new connections per 30 s from a single
# source is a loose threshold for SSH brute forcing; tighten it unless a known
# source needs that much.
SshSTO = "(max 100, source-track rule, max-src-conn 64, max-src-nodes 100, max-src-conn-rate 100/30, overload <childrens> flush global)"
WebSTO = "(max 4096, source-track rule, max-src-conn 256, max-src-nodes 512, max-src-conn-rate 500/100, overload <childrens> flush global)"
| 42 | |
# Loopback is never filtered. Kept with the other "set" options, ahead of the
# normalization rules, as pf.conf(5) orders them.
set skip on lo0

# Normalize traffic on the external interface in both directions: reassemble
# fragments and normalize TCP before the filter rules see the packets.
scrub log on $ExtIf all reassemble tcp fragment reassemble
# Outbound: clear the DF bit and randomize the IP identification field.
scrub out on $ExtIf no-df random-id

# Source-NAT the VPN clients and the backend LAN to the public IPv4 address.
# NOTE(review): "static-port" preserves the original source port and so gives
# up pf's source-port randomization; keep it only if something behind the NAT
# actually needs it.
nat on $ExtIf from { $vpn_net, $back_net } to any -> $outside_ip static-port

# No port forwarding to inside hosts.
no rdr
| 52 | |
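### Filtering ###
# pf is last-match: this default deny is listed first so that any later
# "pass" overrides it. Only inbound is denied; packets leaving on an
# interface with no matching "pass out" rule (e.g. $TunIf below) are passed
# by pf's default.
block in log all

# Sources that exceeded the SSH / web limits ("overload <childrens>" in
# $SshSTO / $WebSTO). Without a rule that references the table, the overload
# only records the offending address and never blocks it.
table <childrens> persist
block in log quick on $ExtIf from <childrens>

# Drop packets whose source address belongs to a network behind a different
# interface, or claims to be one of this host's own addresses. $TunIf is
# left out: confirm how OpenVPN addresses tun0 before adding it.
antispoof log quick for { $ExtIf, $BackIf }

# Inbound on the external interface.
# SSH (and the other ports in $my_ssh_services), rate-limited per source.
pass in on $ExtIf proto tcp from any to { $outside_ip, $outside_ip6 } \
    port $my_ssh_services $TcpState $SshSTO

# Web, rate-limited per source.
pass in on $ExtIf proto tcp from any to { $outside_ip, $outside_ip6 } \
    port $my_web_services $TcpState $WebSTO

# IPv6 on $ExtIf depends on Router Advertisements and Neighbor Discovery,
# which arrive unsolicited (no state to match) and would otherwise hit
# "block in log all"; "toobig" keeps path-MTU discovery working.
pass in on $ExtIf inet6 proto ipv6-icmp all \
    icmp6-type { routeradv, neighbrsol, neighbradv, toobig }

# Remote network -> backend network through the tunnel.
# These rules are "quick" (first match wins), so the protocol-specific rules
# must come first: with the catch-all listed first it shadowed them, and TCP
# got plain "keep state" without the SYN check or ISN modulation. TCP
# packets that are not a SYN and have no state still reach the catch-all.
pass in quick on $TunIf reply-to $TunIf proto tcp from $remote_net to $back_net $TcpState
pass in quick on $TunIf reply-to $TunIf inet proto icmp from $remote_net to $back_net
pass in quick on $TunIf reply-to $TunIf from $remote_net to $back_net $UdpState

# This host outbound. Last match wins, so for TCP the "proto tcp" rule
# overrides the generic one above it.
pass out on $ExtIf from $outside_ip to any $UdpState
pass out on $ExtIf proto tcp from $outside_ip to any $TcpState
pass out on $ExtIf inet proto icmp from $outside_ip to any
pass out on $ExtIf inet6 proto ipv6-icmp from $outside_ip6 to any

pass out on $BackIf from $back_ip to any $UdpState
pass out on $BackIf proto tcp from $back_ip to any $TcpState
pass out on $BackIf inet proto icmp from $back_ip to any

# VPN clients. NOTE(review): "to any" also includes $back_net and this host;
# narrow it (e.g. "to !$back_net") if clients are only meant to reach the
# Internet.
pass in on $TunIf from $vpn_net to any $UdpState
pass in on $TunIf proto tcp from $vpn_net to any $TcpState
pass in on $TunIf inet proto icmp from $vpn_net to any

# Backend network outbound, except towards $remote_net: that path is only
# open for flows that $remote_net initiates through the $TunIf rules above.
pass in on $BackIf from $back_net to !$remote_net $UdpState
pass in on $BackIf proto tcp from $back_net to !$remote_net $TcpState
pass in on $BackIf inet proto icmp from $back_net to !$remote_net

# End of config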
| 91 | }}} |