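= FreeBSD PF Firewall Examples =

PF Example for VPN / OPENVPN / NAT :

{{{
### Interfaces ###
ExtIf ="em0"
BackIf ="em1"
TunIf ="tun0"

### Services ###
# NOTE(review): 53 and 2525 are passed as SSH listen ports here, not as
# DNS/SMTP services - confirm that sshd really listens on them.
my_ssh_services = "{ 22, 53, 2222, 2525 }"
my_web_services = "{ 80, 443 }"

### Hosts / Networks / Groups ###
outside_ip ="111.22.33.44"
outside_ip6 ="111:222:333:44::5"
back_ip ="192.168.19.1"
remote_net = "192.168.1.0/24"
back_net = "192.168.19.0/24"
vpn_net = "192.168.20.0/24"

### Tables ###
# Filled by the "overload" state option in $SshSTO / $WebSTO; the block
# rule in the filter section drops everything from listed sources.
# "persist" keeps the table when no rule references it. Table name is a
# constructed example - any name works as long as it matches the
# overload clauses and the block rule.
table <bruteforce> persist

### Options ###
set block-policy drop
set fingerprints "/etc/pf.os"
set ruleset-optimization none
# pfctl requires options before normalization/translation/filter rules,
# so "set skip" lives here rather than after the scrub rules.
set skip on lo0

### Timeouts ###
set optimization normal
set timeout { tcp.closing 60, tcp.established 7200 }

### Queues, States and Types ###
TcpState ="flags S/SA modulate state"
PlainState ="flags S/SA keep state"
UdpState ="keep state"

### Stateful Tracking Options (STO) ###
# OpenSTO, SmtpSTO and PlainState are defined but not referenced by any
# rule below.
OpenSTO = "(max 90000, source-track rule, max-src-conn 1000, max-src-nodes 256)"
SmtpSTO = "(max 200, source-track rule, max-src-conn 10, max-src-nodes 256, max-src-conn-rate 200/30)"
# "overload" must name a table (overload <table> [flush [global]]);
# "overload flush global" on its own is rejected by pfctl. "flush global"
# additionally kills every existing state from the offending source.
SshSTO = "(max 100, source-track rule, max-src-conn 64, max-src-nodes 100, max-src-conn-rate 100/30, overload <bruteforce> flush global)"
WebSTO = "(max 4096, source-track rule, max-src-conn 256, max-src-nodes 512, max-src-conn-rate 500/100, overload <bruteforce> flush global)"

### Normalization ###
scrub log on $ExtIf all reassemble tcp fragment reassemble
scrub out on $ExtIf no-df random-id

### Translation ###
# Both private networks share $outside_ip; static-port keeps the
# original source port instead of letting pf rewrite it.
nat on $ExtIf from $vpn_net to any -> $outside_ip static-port
nat on $ExtIf from $back_net to any -> $outside_ip static-port
no rdr

### Filtering ###
# Default deny for inbound traffic. PF uses last-matching-rule semantics,
# so this catch-all goes first and the pass rules below override it.
# There is no "block out": outbound traffic is passed by default.
block in log all

# Sources that tripped the connection-rate limits in $SshSTO / $WebSTO.
# "quick" stops evaluation so the pass rules below cannot re-admit them.
# Entries stay until removed (e.g. a periodic
# "pfctl -t bruteforce -T expire <seconds>").
block in log quick on $ExtIf from <bruteforce>

# IPv6 Neighbor Discovery and router advertisements are not covered by
# state tracking and would otherwise be dropped by the block rule above,
# leaving $outside_ip6 unreachable.
pass in on $ExtIf inet6 proto ipv6-icmp icmp6-type { neighbrsol, neighbradv, routeradv }

# Inbound
# SSH - rate-limited per source via $SshSTO
pass in on $ExtIf proto tcp from any to { $outside_ip, $outside_ip6 } \
    port $my_ssh_services $TcpState $SshSTO
# Web - rate-limited per source via $WebSTO
pass in on $ExtIf proto tcp from any to { $outside_ip, $outside_ip6 } \
    port $my_web_services $TcpState $WebSTO

# Allow anything from remote network to backend network
# (reply-to keeps return traffic on the tunnel interface)
pass in quick on $TunIf reply-to $TunIf from $remote_net to $back_net $UdpState
pass in quick on $TunIf reply-to $TunIf proto tcp from $remote_net to $back_net $TcpState
pass in quick on $TunIf reply-to $TunIf inet proto icmp from $remote_net to $back_net

# This server outbound
pass out on $ExtIf from $outside_ip to any $UdpState
pass out on $ExtIf proto tcp from $outside_ip to any $TcpState
pass out on $ExtIf inet proto icmp from $outside_ip to any
pass out on $ExtIf inet6 proto ipv6-icmp from $outside_ip6 to any
pass out on $BackIf from $back_ip to any $UdpState
pass out on $BackIf proto tcp from $back_ip to any $TcpState
pass out on $BackIf inet proto icmp from $back_ip to any

# Allow outbound from VPN clients
pass in on $TunIf from $vpn_net to any $UdpState
pass in on $TunIf proto tcp from $vpn_net to any $TcpState
pass in on $TunIf inet proto icmp from $vpn_net to any

# All outbound from backend network, except towards the remote network
# (that direction is only opened remote -> backend above; replies ride
# on state).
pass in on $BackIf from $back_net to !$remote_net $UdpState
pass in on $BackIf proto tcp from $back_net to !$remote_net $TcpState
pass in on $BackIf inet proto icmp from $back_net to !$remote_net

# End of config
}}}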