-
Notifications
You must be signed in to change notification settings - Fork 0
/
pf.conf
54 lines (41 loc) · 1.89 KB
/
pf.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
# Define variables
ext_if="vtnet0"
int_if="vtnet1"
localnet=$int_if:network
icmp_types="{ echoreq, unreach }"
icmp6_types="{ neighbrsol, neighbradv, echoreq, unreach }" # ICMPv6 types
# Set options
set skip on lo
set limit states 10000
# Translation: NAT rule for IPv4
nat on $ext_if inet from !($ext_if) -> ($ext_if:0)
# Normalization: Scrub in all packets
match in all scrub (no-df max-mss 1440)
match out all scrub (random-id)
# IPv4 Filtering rules
# Block bogon and private networks for IPv4
table <bogons> persist { 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
block in quick on $ext_if from <bogons>
block in quick on $ext_if from { 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12 }
# Enable logging for blocked IPv4 packets
block log all
# Define a table for specific IP addresses allowed for internal SSH access
table <allowed_internal_ssh> { 10.137.130.2 } # Replace with actual IPs
# Allow IPv4 traffic
pass from {self, $localnet} to any keep state
pass in quick inet proto icmp all icmp-type $icmp_types keep state
pass in on $int_if from {$localnet} to any keep state
pass out on $ext_if from {self} to any keep state
pass in on $int_if proto tcp from <allowed_internal_ssh> to self port 22 keep state
pass in on $int_if proto { udp, tcp } from $localnet to self port 53 keep state
# IPv6 Filtering rules (commented out)
# Block undesired IPv6 traffic (modify as needed)
# block quick inet6 all
# Allow ICMPv6 for essential IPv6 functionality
# pass inet6 proto icmp6 all icmp6-type $icmp6_types keep state
# Allow IPv6 traffic from internal network
# pass in quick inet6 from $localnet to any keep state
# pass out quick inet6 from any to $localnet keep state
# Allow IPv6 SSH and DNS if required (similar to IPv4 rules)
# pass in on $int_if inet6 proto tcp from <allowed_internal_ssh> to self port 22 keep state
# pass in on $int_if inet6 proto { udp, tcp } from $localnet to self port 53 keep state