#       $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

#
# pf.conf file for juniper.koruld.com
#       An OpenBSD 4.1 firewall for the koruld network on a p200
#
# The order of this file is important, and should be as follows:
# Macros, tables, options, scrub, queuing, translation, filter rules
#


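#
# Section I: Macros
#
# interface definitions
# $ext_if faces the outside world, $int_if the koruld LAN.
ext_if="dc0"
int_if="fxp0"


#
# Section II: Tables
#
# <sshd-spammers> is populated at run time by the "overload" option on the
# ssh pass rule in Section VII and seeded from /etc/pf-sshd-spammers when the
# ruleset is loaded.  pf never writes the file back: addresses added by
# overload are lost on reload/reboot unless exported first with
# "pfctl -t sshd-spammers -T show".
table <sshd-spammers> persist file "/etc/pf-sshd-spammers"
# <goodguys> is declared but not referenced by any rule in this file.
# NOTE(review): presumably intended to exempt trusted hosts from the ssh
# rate limiting below -- either reference it or drop it.
table <goodguys> persist


#
# Section III: Options
#
# Answer blocked packets with TCP RST / ICMP unreachable instead of silently
# dropping them.
set block-policy return
# Keep per-interface counters (pfctl -s info) for the outside interface.
set loginterface $ext_if
# Loopback traffic is never filtered.  The explicit lo0 pass rules in
# Section VII are therefore never evaluated and exist only for readability.
set skip on lo


#
# Section IV: Scrub
#
# Normalise (reassemble fragments, etc.) everything arriving on the outside
# interface before the filter rules see it.
scrub in on $ext_if all


#
# Section V: Queuing
#


#
# Section VI: Translation
#
# Hide the LAN behind the first address of $ext_if.  "static-port" keeps the
# original source port instead of rewriting it.
nat on $ext_if from !($ext_if) -> ($ext_if:0) static-port
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# web services
# "hanoi" and "samarkand" are resolved when the ruleset is loaded; they must
# resolve at boot (e.g. via /etc/hosts) or pfctl will refuse the whole file.
rdr on $ext_if proto tcp from any to any port 80 -> hanoi
rdr on $ext_if proto tcp from any to any port 443 -> hanoi
rdr on $ext_if proto tcp from any to any port 4242 -> hanoi
rdr on $ext_if proto tcp from any to any port 8000 -> hanoi


# samarkand custom sshd port
#rdr on $ext_if proto tcp from any to any port 22322 -> samarkand port 22


# torrent stuff
# 2706 is ctorrent
rdr on $ext_if proto tcp from any to any port 2706 -> samarkand
rdr on $ext_if proto tcp from any to any port 2707 -> hanoi
#rdr on $ext_if proto  tcp from any to any port 6881:6999 -> samarkand

anchor "ftp-proxy/*"


#
# Section VII: Filter Rules
#
# pf evaluates rules top to bottom and "quick" stops at the first match.
# The <sshd-spammers> block rule therefore MUST come before the ssh pass
# rule: placed after it, the pass rule matches first and hosts that have
# been overloaded into the table still get through.
#
# Block (with RST, per block-policy) and log ssh from sources that tripped the
# limits below.  Log entries land on pflog0 and can be reviewed with
# "tcpdump -n -e -ttt -i pflog0".
block in log quick on $ext_if proto tcp from <sshd-spammers> to any port 22

# Inbound ssh to the firewall itself, rate limited: a source holding more
# than 15 concurrent connections, or opening more than 5 new ones within 30
# seconds, is added to <sshd-spammers>.  "flush global" then kills every
# state from that source, not only its ssh states.
pass in quick on $ext_if inet proto tcp from any to $ext_if port 22 \
    flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/30, \
    overload <sshd-spammers> flush global)

# The inside interface is fully trusted in both directions.
pass in quick on $int_if from any to any
pass out quick on $int_if from any to any

# Never reached because of "set skip on lo" above; kept for readability.
pass in quick on lo0 from any to any
pass out quick on lo0 from any to any

# default allow all traffic
# NOTE(review): this is a default-ALLOW policy on $ext_if -- anything not
# blocked above, including the firewall's own listening services and every
# port reached through the rdr rules, is accepted.  A default-deny
# ("block in on $ext_if") with explicit passes for the redirected ports would
# be the tighter shape.
pass in all
pass out all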