
Something

#309037 ·published 2007-01-07 04:45 UTC
# Tags used in this pf.conf (set with 'tag', matched with 'tagged'):
# IN            - inbound traffic redirected to internal hosts (BitTorrent,
#                 SSH and HTTP); assigned by the rdr rules
# INT           - traffic between hosts on the $int_if network
# OUT           - packets heading to the greater internet
# NAT           - translated packets, created from OUT (and, in the first
#                 nat rule below, from IN)

# MACROS
#       - interface names, local hosts and port lists used by the rules
#         below. Macros are plain text substitution; a "{ ... }" value is
#         expanded into a list wherever the macro is referenced.

# external interface. Referenced as ($ext_if) below, so its address is
# looked up dynamically rather than fixed at ruleset load.
ext_if = "sis0"

# internal (LAN) interface
int_if = "sis1"

# not in use
#dmz_if = "sis2"

# rfc1918 address space; not in use (kept for a possible ingress filter)
#private = "{ 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

# rawbw network (not referenced by any rule in this file)
rawbw = "{ 198.144.192.0/19 }"

# internal systems
shiva = "10.10.13.13"   # ssh (22) and http (80) target of the trusted-host redirects
kalix = "10.10.13.23"   # bittorrent (6881:6889) and ssh via external port 2222
sqbox = "10.10.13.25"   # squeezebox; see the port 3483 / qo_squeezebox rule

# instant messaging ports (presumably silc, msn, aim/icq, xmpp, irc -- confirm)
im_port = "{ 706, 1863, 5190, 5222, 6667 }"

# http(s) plus the usual alternate http port
http_port = "{ 80, 443, 8080 }"

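## TABLES
#       - trusted hosts live in a table rather than a macro so entries can
#         be added/removed at runtime (pfctl -t trusted_hosts -T add ...)
#         without reloading the ruleset; 'persist' keeps the table around
#         even if no rule references it.
#       - this table gates the inbound ssh/http redirects on $ext_if:
#         adding an address here exposes those services to it.
#       - the table definition was wrapped mid-address in the pasted copy
#         ("72." / "1.148.227"); kept on continuation lines here.

# trusted hosts
# 64.62.161.110 = caustic
# 69.239.198.33 = sensage-NAT
# 64.101.112.[58,60] = blackops (only .58 is in the table -- intentional?)
# 72.1.148.227 = scalvert
table <trusted_hosts> persist { 64.62.161.110, 64.101.112.58, \
        69.239.198.33, 72.1.148.227 }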

## OPTIONS
#       - log on the external interface, skip filtering on loopback
#       - block-policy drop: blocked packets are silently discarded instead
#         of being answered with a TCP RST / ICMP unreachable, so scans of
#         $ext_if get no feedback
#       - all states are bound by interface (if-bound)
#       - the state-timeout profile is the default; 'set optimization
#         aggressive' ("drop links aggressively") is commented out below
set skip on lo
set block-policy drop
set loginterface $ext_if
#set optimization aggressive
set state-policy if-bound
#set debug loud

## NORMALIZATION (scrub)
#       internal (sis1)
#       - we rebuild fragments before sending them out
#       - random-id randomizes the IP identification field (not TCP
#         sequence numbers; those are handled by 'modulate state' in the
#         filter rules) so remote hosts cannot count our machines from
#         predictable IP IDs.
#         NOTE(review): pf.conf(5) documents random-id as applying to
#         outgoing packets, and this is a 'scrub in' rule on $int_if;
#         confirm it has the intended effect on this pf version.
#       external (sis0)
#       - reassemble tcp on the external interface. Just because we can.
#         (statefully normalizes TCP connections, per pf.conf(5))
scrub in on $int_if fragment reassemble random-id
scrub on $ext_if reassemble tcp

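## QUEUES
#       - priq on the upstream link (460Kb). altq is enabled on $ext_if
#         only; queue names in 'pass' rules apply to packets leaving
#         through it. Higher priority number wins.
#       - tcp_ack goes out, period.
#       - dns, ssh, http.. all are outbound requests.. the only difference
#         is that ssh/IM has smaller/lighter packets for interactive messages
#       - squeezebox traffic is special in a very special way.
#         See the port 3483 rule under "outbound $ext_if".
#       - qo_null (priority 0) is declared but no rule in this file assigns
#         traffic to it.
#       - the altq line was wrapped in the pasted copy; rejoined with a
#         continuation.
altq on $ext_if priq bandwidth 460Kb queue { qo_tcp_ack, qo_http, qo_squeezebox, \
        qo_ssh_im, qo_dns, qo_def, qo_null }
queue qo_tcp_ack    priority 7
queue qo_dns        priority 5
queue qo_ssh_im     priority 4
queue qo_squeezebox priority 3
queue qo_http       priority 2
queue qo_def        priority 1 priq(default)
queue qo_null       priority 0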

## TRANSLATION (NAT)
#
#       - redirects are for inbound traffic only.
#       - while blocking in the rules below would work, it's easier to
#          redirect only traffic from specific hosts instead.
#       - translation rules are evaluated before the filter rules, so a
#         packet that matches an rdr here carries the IN tag by the time
#         the 'pass in' rules see it.
#       - bittorrent is open to the world; ssh (22 -> $shiva, 2222 -> $kalix)
#         and http (80 -> $shiva) are reachable from <trusted_hosts> only.
#         NOTE(review): the "inbound $ext_if" pass rule also accepts 443 to
#         $shiva, but nothing here redirects 443, so that half never matches.
rdr on $ext_if proto {tcp, udp} from any to ($ext_if) port 6881:6889 \
        tag IN -> $kalix port 6881:6889
rdr on $ext_if proto tcp from <trusted_hosts> to ($ext_if) port 80 \
        tag IN -> $shiva port 80
rdr on $ext_if proto tcp from <trusted_hosts> to ($ext_if) port 2222 \
        tag IN -> $kalix port 22
rdr on $ext_if proto tcp from <trusted_hosts> to ($ext_if) port 22 \
        tag IN -> $shiva port 22
# ftp-proxy(8) populates these anchors with per-session nat/rdr rules.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
# send LAN ftp control connections through the local ftp-proxy.
# NOTE(review): this rdr requires the OUT tag, but OUT is assigned by a
# 'pass in' filter rule, which runs after translation for the first packet
# of a connection -- so this redirect may never fire. Verify ftp is actually
# being proxied (ftp-proxy -d, or pfctl -s state for :8021); if not, the
# 'tagged OUT' qualifier is the likely culprit.
rdr on $int_if proto tcp from ($int_if:network) to any port 21 \
        tagged OUT -> 127.0.0.1 port 8021
# outbound NAT to the (dynamically looked up) external address.
# static-port keeps the internal source port instead of choosing a random
# one: some protocols need that, but it also makes our source ports
# predictable to the outside.
# NOTE(review): the header comment says NAT is created from OUT; the first
# rule also translates IN-tagged packets -- confirm that is intended.
nat on $ext_if tag NAT tagged IN -> ($ext_if) static-port
nat on $ext_if tag NAT tagged OUT -> ($ext_if) static-port

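## FILTERS
##      - details per rule groups
##      - every pass rule is 'quick' (first match wins); anything not
##        matched below falls through to the default deny.

# default deny
#       - log every blocked packet (pflog0) so probes against $ext_if and
#         misrouted internal traffic show up.
#       - TODO(review): there is no antispoof and no block for rfc1918
#         sources arriving on $ext_if (see the commented $private macro).
block log all

# anchors
#       - ftp-proxy(8) installs its per-session pass rules here.
anchor "ftp-proxy/*"

# inbound $int_if
#       - we're no longer using cbq on traffic inbound. So I removed
#         a good selection of rules that were extraneous.
#       - everything from the LAN toward the outside is allowed and tagged
#         OUT; LAN-to-LAN traffic (including to the firewall's own $int_if
#         address) is tagged INT. The 'pass out' rules consume both tags.
pass in quick on $int_if from ($int_if:network) to ! ($int_if:network) \
        tag OUT keep state
pass in quick on $int_if from ($int_if:network) to ($int_if:network) \
        tag INT keep state

# outbound $int_if
#       - traffic headed to internal systems: redirected inbound (IN),
#         LAN-local (INT), and the firewall's own connections/replies.
pass out quick on $int_if tagged IN keep state
pass out quick on $int_if tagged INT keep state
pass out quick on $int_if from ($int_if) keep state

## outbound $ext_if
#       - priq, for great justice
#       - the $sqbox has to be after ftp, etc, but before http.
#       - in spite of being on DHCP, the $sqbox has a static IP.
#       - all $sqbox traffic is higher priority than general network
#         traffic, since when it's on.. it's doing something important,
#         like playing music.
#       - all traffic heading out of the local net is tagged "NAT".
#       - 'flags S/SA' creates state only from an initial SYN.
#       - 'modulate state' randomizes TCP initial sequence numbers on
#         behalf of the internal hosts. pf.conf(5) documents it as
#         TCP-only; on the udp/catch-all rules below it amounts to
#         'keep state' (confirm for this pf version).

pass out quick on $ext_if proto tcp from any to any port 22 \
        flags S/SA tagged NAT modulate state \
        queue (qo_def, qo_ssh_im)
pass out quick on $ext_if proto {udp, tcp} from any to any port 53 \
        tagged NAT modulate state \
        queue qo_dns
pass out quick on $ext_if proto tcp from any to port $im_port \
        flags S/SA tagged NAT modulate state \
        queue (qo_def, qo_ssh_im)
pass out quick on $ext_if proto tcp from any to any port 3483 \
        flags S/SA tagged NAT modulate state \
        queue (qo_squeezebox, qo_tcp_ack)
pass out quick on $ext_if proto tcp from any to any port $http_port \
        flags S/SA tagged NAT modulate state \
        queue (qo_http, qo_tcp_ack)

# outbound defaults
#  - covers all other tcp, udp, and icmp traffic not deliberately assigned
#    a queue above.
pass out quick on $ext_if proto tcp from any to any flags S/SA \
        tagged NAT modulate state queue (qo_def, qo_tcp_ack)
pass out quick on $ext_if proto udp tagged NAT \
        modulate state queue qo_def
pass out quick on $ext_if tagged NAT \
        modulate state queue qo_def

# outbound external interface
#  - the firewall's own traffic (source = the $ext_if address), untagged.
pass out quick on $ext_if proto {tcp,udp} from ($ext_if) to any \
        port 53 keep state queue qo_dns
pass out quick on $ext_if proto tcp from ($ext_if) to any \
        keep state queue (qo_def, qo_tcp_ack)
pass out quick on $ext_if from ($ext_if) to any keep state \
        queue qo_def

## inbound $ext_if
#       - only redirected (tagged IN) traffic is accepted: the rdr rules
#         decide what gets the tag, these rules decide how it is tracked.
#       - 'synproxy state' completes the TCP handshake on the firewall
#         before the internal host sees the connection (SYN-flood shield).
#         It and 'flags' are TCP-only, so the bittorrent rule is split into
#         a tcp and a udp variant instead of one 'proto {tcp,udp}' rule.
#       - the ssh/http rules repeat the <trusted_hosts> source restriction
#         the rdr rules already impose, so a later edit to the rdr section
#         cannot expose these services to the world by itself.
pass in quick on $ext_if proto tcp from any to $kalix \
        port 6881:6889 tagged IN flags S/SA synproxy state \
        queue (qo_def, qo_tcp_ack)
pass in quick on $ext_if proto udp from any to $kalix \
        port 6881:6889 tagged IN keep state \
        queue (qo_def, qo_tcp_ack)
pass in quick on $ext_if proto tcp from <trusted_hosts> to $shiva port 22 \
        tagged IN flags S/SA synproxy state queue (qo_def, qo_ssh_im)
pass in quick on $ext_if proto tcp from <trusted_hosts> to $kalix port 22 \
        tagged IN flags S/SA synproxy state queue (qo_def, qo_ssh_im)
# NOTE(review): the rdr section only redirects port 80 to $shiva; nothing
# tags 443 with IN, so the 443 half of this rule is currently unreachable.
pass in quick on $ext_if proto tcp from <trusted_hosts> to $shiva \
        port { 80 443 } tagged IN flags S/SA synproxy state \
        queue (qo_def, qo_tcp_ack)
# answer pings to the external address (10% of them -- a cheap rate limit),
# and nothing else: unsolicited redirects, timestamp/mask requests etc.
# have no business arriving here. icmp errors that belong to an existing
# connection are matched by that connection's state, not by this rule.
pass in quick on $ext_if inet proto icmp from any to ($ext_if) \
        icmp-type echoreq keep state queue qo_def probability 10%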