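= FreeBSD PF Firewall Examples =

PF example for VPN / OpenVPN / NAT.

Note:
 * !ExtIf : outside network
 * !BackIf : inside (local) network
 * !TunIf : VPN network connection

{{{
### Interfaces ###
ExtIf = "em0"
BackIf = "em1"
TunIf = "tun0"

### Services ###
# NOTE: despite the macro name, 53 (DNS over TCP) and 2525 are not SSH
# ports; they share the SSH rule below and therefore its $SshSTO limits.
my_ssh_services = "{ 22, 53, 2222, 2525 }"
my_web_services = "{ 80, 443 }"

### Hosts / Networks / Groups ###
outside_ip = "111.22.33.44"
outside_ip6 = "111:222:333:44::5"
back_ip = "192.168.19.1"
remote_net = "192.168.1.0/24"
back_net = "192.168.19.0/24"
vpn_net = "192.168.20.0/24"

### Tables ###
# Sources that exceed the SSH/web connection-rate limits are inserted here
# by the "overload" state option and stay blocked until the table is
# flushed (pfctl -t bruteforce -T flush). The table name is an example;
# pick your own.
table <bruteforce> persist

### Options ###
set block-policy drop
set fingerprints "/etc/pf.os"
set ruleset-optimization none
set skip on lo0

### Timeouts ###
set optimization normal
set timeout { tcp.closing 60, tcp.established 7200 }

### Queues, States and Types ###
TcpState = "flags S/SA modulate state"
PlainState = "flags S/SA keep state"
UdpState = "keep state"

### Stateful Tracking Options (STO) ###
OpenSTO = "(max 90000, source-track rule, max-src-conn 1000, max-src-nodes 256)"
SmtpSTO = "(max 200, source-track rule, max-src-conn 10, max-src-nodes 256, max-src-conn-rate 200/30)"
# "overload" requires a table name ("overload <table> [flush [global]]");
# a bare "overload flush global" is rejected by pfctl.
SshSTO = "(max 100, source-track rule, max-src-conn 64, max-src-nodes 100, max-src-conn-rate 100/30, overload <bruteforce> flush global)"
WebSTO = "(max 4096, source-track rule, max-src-conn 256, max-src-nodes 512, max-src-conn-rate 500/100, overload <bruteforce> flush global)"

### Normalization ###
scrub log on $ExtIf all reassemble tcp fragment reassemble
scrub out on $ExtIf no-df random-id

### Translation ###
nat on $ExtIf from $vpn_net to any -> $outside_ip static-port
nat on $ExtIf from $back_net to any -> $outside_ip static-port
no rdr

### Filtering ###
# Default deny - goes first; the "pass" rules below override it because
# the last matching rule wins unless a rule says "quick".
block in log all

# Drop rate-limit offenders before any pass rule can match them.
block in quick on $ExtIf from <bruteforce>

# Inbound
# SSH
pass in on $ExtIf proto tcp from any to { $outside_ip, $outside_ip6 } \
    port $my_ssh_services $TcpState $SshSTO
# Web
pass in on $ExtIf proto tcp from any to { $outside_ip, $outside_ip6 } \
    port $my_web_services $TcpState $WebSTO

# IPv6 neighbor discovery. Without this, "block in log all" drops the
# neighbor solicitations/advertisements addressed to this host and the
# $outside_ip6 rules above are unreachable. Add further ICMPv6 types
# (echoreq, toobig, ...) as your deployment needs them.
pass in on $ExtIf inet6 proto ipv6-icmp from any to any icmp6-type { neighbrsol, neighbradv }

# Allow anything from remote network to backend network
pass in quick on $TunIf reply-to $TunIf from $remote_net to $back_net $UdpState
pass in quick on $TunIf reply-to $TunIf proto tcp from $remote_net to $back_net $TcpState
pass in quick on $TunIf reply-to $TunIf inet proto icmp from $remote_net to $back_net

# This server outbound (there is no "block out", so these rules mainly
# create state for the return traffic)
pass out on $ExtIf from $outside_ip to any $UdpState
pass out on $ExtIf proto tcp from $outside_ip to any $TcpState
pass out on $ExtIf inet proto icmp from $outside_ip to any
pass out on $ExtIf inet6 proto ipv6-icmp from $outside_ip6 to any
pass out on $BackIf from $back_ip to any $UdpState
pass out on $BackIf proto tcp from $back_ip to any $TcpState
pass out on $BackIf inet proto icmp from $back_ip to any

# Allow outbound from VPN clients
pass in on $TunIf from $vpn_net to any $UdpState
pass in on $TunIf proto tcp from $vpn_net to any $TcpState
pass in on $TunIf inet proto icmp from $vpn_net to any

# All outbound from backend network (except towards the remote network,
# which is only reachable via the tunnel rules above)
pass in on $BackIf from $back_net to !$remote_net $UdpState
pass in on $BackIf proto tcp from $back_net to !$remote_net $TcpState
pass in on $BackIf inet proto icmp from $back_net to !$remote_net
# End of config
}}}

{{{
# Original (as posted):
my_int = "vtnet0"
internal_net = "192.168.0.0/16"
# placeholder - replace with the real external address before loading
external_addr = "37.48.xx.xx"

nat on $my_int from $internal_net to any -> $external_addr
set skip on lo

block in log all
pass in on $my_int proto tcp from any to any port 22 keep state
pass in on $my_int proto tcp from any to any port 80 keep state
pass in on $my_int proto tcp from any to any port 1194 keep state
pass in on $my_int proto udp from any to any port 1194 keep state
pass in quick on $my_int proto icmp all keep state
pass in proto gre all keep state
# NOTE: the next two rules carry no "on <interface>" clause, so they also
# match on $my_int. Any inbound packet to or from $internal_net is then
# passed, and the "block in log all" above no longer shields the internal
# network from the outside. Bind them to the interface they are meant for.
pass in from any to $internal_net
pass in from $internal_net to any
pass out proto { gre, tcp, udp, icmp } all keep state
}}}

{{{
# default openvpn settings for the client network
vpnclients = "10.8.0.0/24"
# put your wan interface here (it will almost certainly be different)
wanint = "vtnet0"
# put your tunnel interface here, it is usually tun0
vpnint = "tun0"
# OpenVPN by default runs on udp port 1194
udpopen = "{1194}"
icmptypes = "{echoreq, unreach}"

set skip on lo

# the essential line
nat on $wanint inet from $vpnclients to any -> $wanint

# "block in log" would record the drops on pflog0, which helps when
# debugging or monitoring the ruleset.
block in
pass in on $wanint proto udp from any to $wanint port $udpopen
pass in on $wanint proto tcp from any to any port 22 keep state
pass in on $wanint proto tcp from any to any port 80 keep state
pass in on $wanint proto tcp from any to any port 443 keep state

# the following two lines could be made stricter if you don't trust the clients
pass out quick
pass in on $vpnint from any to any
pass in inet proto icmp all icmp-type $icmptypes
}}}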