#
# pf.conf -- Server example
#
# Packet filter ruleset for a single-homed server.  Everything arriving on
# the external interface is dropped except http, https, svn, git and ssh
# (moved to port 2204); outbound traffic is allowed freely.
#
# Strict blocking policy in, except that one UDP port interval answers with
# ICMP unreachable so that traceroute probing still works (last rule).
#
# NOTE(review): this copy was mangled when the page was rendered -- every
# `<name>` (pf table reference, written in angle brackets) has been
# stripped, so the `table persist` lines carry no name and three `from`
# clauses have no source.  pfctl will reject the file until those names are
# restored; each spot is called out inline below.

###
# Macros
###

# External interface, and the non-default port the ssh daemon listens on.
ext_if="dc0"
port_ssh="2204"
# Only echo requests are accepted inbound (see the icmp rule at the end).
icmp_types = "echoreq"
# TCP services exposed to the world; the quoted braces build a pf list.
open_tcp = "{" www https svn git "}"

# NOTE(review): $int_if is referenced by `antispoof` and by a `pass` rule
# below but is never defined anywhere in this file; `pfctl -nf` fails with
# "macro 'int_if' not defined".  Define it, or drop both references on a
# host that really has only dc0.

###
# Tables
###

# Source ranges that must never arrive on the external interface: RFC 1918
# private space plus 224.0.0.0/5.  Note 224.0.0.0/5 covers only the lower
# half of the multicast block (224.0.0.0/4) -- check whether /4 was meant.
# 0.0.0.0/8 and 169.254.0.0/16 are not listed; 127.0.0.0/8 is covered by
# `antispoof for lo` further down.
# NOTE(review): table name stripped -- was `table <name> persist { ... }`.
table persist { 10.0.0.0/8, 172.16.0.0/12, 224.0.0.0/5, \
    192.168.0.0/16 }
# Two empty persistent tables (`persist` keeps a table loaded even when no
# rule refers to it).  Nothing in this file adds addresses to them, so they
# are presumably filled from outside (pfctl -t ... -T add, or a daemon) --
# verify that something actually does, or they block nothing.
# NOTE(review): table names stripped on both lines.
table persist
table persist

###
# Options
###

# Blocked packets are silently dropped rather than answered with RST /
# ICMP unreachable.  The traceroute rule at the very end is the one
# deliberate exception (`block return`).
set block-policy drop
# Loopback is not filtered at all.
set skip on lo0
# State timeouts, in seconds.  tcp.established 43200 keeps an idle
# established connection in the state table for 12 hours.
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 43200 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
# Adaptive timeouts are disabled (both thresholds 0).  Combined with the
# hard `states 5000` cap below this means that, once the state table is
# full, packets that would create a new state are dropped instead of
# timeouts being shortened under pressure.  On a public host consider
# non-zero adaptive thresholds so a state-table flood degrades gracefully.
set timeout { adaptive.start 0, adaptive.end 0 }
# Hard limits on the state and fragment tables.
set limit { states 5000, frags 2000 }
# Interface whose counters `pfctl -si` reports.
set loginterface $ext_if
set optimization normal
set ruleset-optimization basic
# Require the pf-native section order (options, normalization, queueing,
# translation, filtering); this file follows it.
set require-order yes
# Passive OS fingerprint database.  No rule below uses the `os` keyword,
# so this is currently unused.
set fingerprints "/etc/pf.os"

###
# Normalization
###

# Reassemble fragments before filtering so the rules see whole packets.
# random-id rewrites the IPv4 identification field, but on an *inbound*
# scrub rule it only touches packets arriving at this host; it is normally
# put on `scrub out` to hide this host's own ID sequence -- consider moving
# it.  (The standalone `scrub` directive is pre-OpenBSD 4.6 / FreeBSD /
# NetBSD syntax; newer OpenBSD expresses this as `match ... scrub (...)`.)
scrub in all fragment reassemble random-id

###
# Filtering
###

# Default deny in both directions; everything below is an exception.
block all
# No IPv6 service is offered: drop every inbound v6 packet on the outside.
# (The $open_tcp pass rule below has no `inet` keyword, but this `quick`
# rule is evaluated first, so v6 SYNs never reach it.)
block in quick on $ext_if inet6
# Drop inbound packets whose *source* address is in the private/multicast
# table above (spoofed or leaked addresses), and those from the first of
# the two empty tables.
# NOTE(review): both lines read `from to any` -- the `<table>` reference
# between `from` and `to` was stripped; restore it on each line.
block in quick on $ext_if inet from to any
block in quick on $ext_if inet from to any
# Drop packets arriving on any other interface that claim a source address
# belonging to lo or $int_if (this is what covers 127.0.0.0/8).
antispoof quick for { lo $int_if }
# All outbound traffic, on every interface and every protocol, is allowed.
# Later non-quick `pass out` rules only refine this (e.g. add logging).
pass out keep state
# The internal interface is completely open in both directions.
pass quick on $int_if keep state
# Block TCP from addresses in the third table.  It sits immediately before
# the ssh rule, so it looks like an ssh blocklist, but nothing in this file
# populates it (the ssh rule has no max-src-conn-rate / overload clause).
# NOTE(review): the `<table>` reference after `from` was stripped.
block in quick on $ext_if inet \
    proto tcp \
    from
# ssh on the non-default port.  `synproxy state` makes pf complete the TCP
# handshake itself before creating state, so half-open connections never
# reach sshd.  Each new connection is logged to pflog.  There is no rate
# limit; on a public host consider adding
# `(max-src-conn-rate N/M, overload <table> flush global)` so offenders
# land in the blocklist table above.
pass in log quick on $ext_if inet \
    proto tcp \
    to ($ext_if) port $port_ssh \
    flags S/SA synproxy state
# DHCP client on the external interface: accept offers/acks (UDP 67 -> 68)
# from any host, and let our own requests out.  Only needed when dc0 gets
# its address via DHCP; otherwise remove both rules, since the inbound one
# admits UDP 67->68 from anywhere.
pass in quick on $ext_if inet \
    proto udp \
    from any port bootps \
    to any port bootpc \
    keep state
pass out quick on $ext_if inet \
    proto udp \
    from any port bootpc \
    keep state
# Public TCP services.  `($ext_if)` is re-evaluated as the interface's
# current address(es) at match time, so it follows a DHCP-assigned IP.
# Handshakes are synproxied as for ssh.
pass in quick on $ext_if \
    proto tcp \
    to ($ext_if) port $open_tcp \
    flags S/SA synproxy state
# Outbound mail is already permitted by `pass out keep state`; because the
# last matching non-quick rule wins, this rule's only effect is to log every
# outbound SMTP connection.
pass out log on $ext_if inet \
    proto tcp \
    to any port smtp \
    keep state
# Answer pings (icmp_types is echoreq only).  Other unsolicited inbound
# ICMP falls through to `block all`.
pass in on $ext_if inet \
    proto icmp all icmp-type $icmp_types \
    keep state
# traceroute support: UDP probes to ports 33434-33625 (`><` excludes both
# endpoints) get an ICMP unreachable back instead of being silently
# dropped, so this host shows up as the final hop.  This intentionally
# overrides `set block-policy drop` for that range only.
block return in on $ext_if inet proto udp \
    from any to ($ext_if) port 33433 >< 33626