
# pf.conf for a FreeBSD host with a single public interface (em0).
# Rules are evaluated top to bottom; "quick" stops evaluation at the
# matching rule, otherwise the last matching rule wins.
#
# NOTE(review): the default policy at the "Default policy" section is
# commented out. pf passes any packet that matches no rule, so this
# configuration only blocks martians and <bruteforce> entries and
# rate-limits ssh; every other inbound service is reachable. The
# outgoing "pass out" rules at the end therefore do not restrict
# anything on their own.

# Public interface
ext_if="em0"

# Persistent table of sources that tripped the ssh connection limits.
# "persist" keeps the table when no rule references it; entries are not
# aged out by pf itself, so they stay until removed by hand (e.g. with
# pfctl -t bruteforce -T expire <seconds>) or reboot.
table <bruteforce> persist

# Set and drop these IP ranges on public interface
martians = "{ 0.0.0.0/8, 127.0.0.0/8 }"

# The remaining bogon/RFC1918 ranges below are left out of $martians --
# presumably because the host sits on, or must talk to, such a network.
# Verify before re-enabling them.
# 192.168.0.0/16, 172.16.0.0/12, \
#	      10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
#	      240.0.0.0/4 }"

# Local ports the web server listens on (targets of the rdr rules below)
webports = "{ 8080, 8443 }"

# Destination ports permitted for outbound traffic
tcp_services = "{ domain, ntp, smtp, www, https, ssh }"
udp_services = "{ domain, ntp }"

# Skip all PF processing on loopback interface
set skip on lo

# Log statistics on interface
set loginterface $ext_if

# Packet normalization
scrub in all

# Redirect http and https ports to 8080 and 8443, resp.
# Sources in <bruteforce> are excluded from the redirect (they are also
# blocked outright further down). Filter rules see the translated
# destination (127.0.0.1 port 8080/8443), so any pass rule meant for the
# web server must match that address, not $ext_if port 80/443.
no rdr on $ext_if proto tcp from <bruteforce> to any
rdr on $ext_if proto tcp from any to any port 80 -> 127.0.0.1 port 8080
rdr on $ext_if proto tcp from any to any port 443 -> 127.0.0.1 port 8443

# Default policy
# Currently disabled: with these commented out the default action is
# "pass", see the note at the top of the file. Enabling them would also
# require a pass rule for the redirected web traffic.
#block return in log all
#block out all

# Protect against spoofed or forged IP addresses: drops packets carrying
# a source address from em0's network that did not arrive on em0.
antispoof quick for $ext_if

# Drop all Non-Routable Addresses
block drop in quick on $ext_if from $martians to any
block drop out quick on $ext_if from any to $martians

# Protect against SSH attacks
# Sources already in <bruteforce> are dropped before the pass rule.
# A source exceeding 10 simultaneous connections, or more than 5 new
# connections within 3 seconds, is added to <bruteforce> and all of its
# existing states are flushed. Only initial SYNs create state (S/SA).
# NOTE(review): ssh is a TCP service; "udp" in the proto list looks
# unintended -- confirm before tightening to tcp only.
block quick from <bruteforce>
pass quick proto { tcp, udp } from any to any port ssh \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/3, \
    overload <bruteforce> flush global)

# Allow Ping (echo requests, both directions, any interface)
pass inet proto icmp icmp-type echoreq

# Webserver
# Disabled; as written it would not match the redirected packets anyway
# (their destination is 127.0.0.1, see the rdr section).
#pass proto tcp from any to $ext_if port $webports

# Allow essential outgoing traffic
pass out quick on $ext_if proto tcp to any port $tcp_services
pass out quick on $ext_if proto udp to any port $udp_services