Untitled

From anonymous, 1 Month ago, written in Plain Text, viewed 21 times.
URL https://paste.codexterous.com/view/f640f9cd
# ##############################################################################
#                              Useful pf commands
# ##############################################################################
#
#  - `pfctl -f /etc/pf.conf`
#      Load new rules from pf.conf. This is an atomic load; syntax etc. is
#      checked, and as long as everything is OK, the old rules are flushed and
#      the new ones added.
#  - `pfctl -vf /etc/pf.conf`
#      As with -f, but a verbose load that shows the full expanded ruleset
#      that is being loaded. Recommended over '-f'.
#  - `pfctl -s info`
#      High-level pf status and counter information.
#  - `pfctl -F all`
#      Flush the entire ruleset (rules, NAT, tables and states), effectively
#      'pass all'. Rarely useful or recommended.
#  - `pfctl -nf /etc/pf.conf`
#      Parse and test rules, do not load them.
#  - `pfctl -v -nf /etc/pf.conf`
#      Parse and test rule files, and output the full expanded ruleset.
#  - `vmstat -z | egrep -i "(ITEM|pfstatepl)"`
#      Show statistics about the pf state table. Currently does not work.
#  - `pfctl -t blacklist_tor_clients -T add 123.123.123.123`
#      Easily add a network or IP address to a table. Note that such changes
#      do not persist.
#  - `pfctl -t blacklist_tor_clients -T show`
#      Show the contents of a table.
#  - `pfctl -t clients -T replace -f /etc/pf.tor.ip.conf`
#      Replace the contents of a table with what is in the given file.
#  - `tcpdump -i pflog0 -e`
#      Provided the pflog service is started (`service pflog start`), list
#      everything being blocked or logged by pf.
#
###############################################################################
#                                General notes
###############################################################################
#
#  - On MAC address filtering: worthless, waste of time. Maybe explain this to
#    work. It's possible to change a MAC address anyway.
#  - If a service needs both TCP and UDP, use: "proto { tcp, udp }".
#  - The 'quick' keyword stops processing further rules for that packet. Use if
#    this is the final rule, and you want no further processing to be done on
#    the packet.
#  - Interesting paper on IPv6 and pf:
#
#    https://www.sans.org/reading-room/whitepapers/firewalls/building-ipv6-firewall-openbsd-807
#
#    There's much more than just IPv6 stuff in there - some general rule set
#    ideas are also presented.
#
###############################################################################
#                                  SWITCHOVER
###############################################################################
#
# USEFUL SHIT:
#
# pfctl -v -nf /home/brett/pf_dev.conf
# cp /home/brett/pf_dev.conf /etc/pf.conf && chmod 0600 /etc/pf.conf && chown root:wheel /etc/pf.conf
# pfctl -f /etc/pf.conf
# cp /etc/pf.conf.ORIGINAL /etc/pf.conf && chmod 0600 /etc/pf.conf && chown root:wheel /etc/pf.conf
#
# Check pf_dev.conf for errors; if there are none, copy it to /etc/pf.conf, set
# permissions, and reload the ruleset:
#
# if pfctl -nf /home/brett/pf_dev.conf; then echo "";echo "Looks good!";cp /home/brett/pf_dev.conf /etc/pf.conf; chmod 0600 /etc/pf.conf; chown root:wheel /etc/pf.conf; pfctl -f /etc/pf.conf; else echo ""; echo "Looks bad!"; fi;
#
# Copy back:
#
# cp /etc/pf.conf.ORIGINAL /etc/pf.conf && chmod 0600 /etc/pf.conf && chown root:wheel /etc/pf.conf && pfctl -f /etc/pf.conf
#
# OBSERVATIONS:
#
#  - ipv6 no longer works on triton
#  - Getting tons of these:
#      22:37:39.814766 rule 0/0(match): block in on em0: ns544959.ip-66-70-180.net.30120 > pool-74-101-191-191.nycmny.fios.verizon.net.32414: UDP, length 1
#    This should be explicitly allowed, but it's still being blocked.
#  - The WiFi access point is claiming it's "down". Allow from AP to all?
#  - The desk phone can't get out, despite rule allowing all outbound traffic.


###############################################################################
#                                     TODO
###############################################################################
#
#   * What's going on with IPv6? gif0 is our iface there, and isn't listed
#     anywhere in our original configuration.
#   * Things to test:
#      * MiniUPNPD UPNP anchoring
#   * Things to add:
#      * Anchor for FTP with ftp-proxy for PASV etc
#      * Block outbound mail to any mail servers aside from blessed ones
#      * Route local traffic from friends to prod.groovecarinc.com over
#        GrooveCar VPN
#      * Various other things that I might like to have an un-changing static
#        IP for. Set up a VPN on cloud.codexterous.com, allow me to connect to
#        it (make it persistent and part of our catalog of external VPNs), and
#        route anything that needs to be over that VPN.
#      * We will definitely do IPV6 on VPNs now. Add whichever interfaces
#        require IPV6 (eg. tun0) to ipv6_network_interfaces in rc.conf
#      * Allow basically all traffic out from regular clients (eg. friends,
#        other LAN clients), but perhaps follow a more strict default block
#        policy from servers (eg. mimas, gibibyte, or perhaps VMs etc).
#      * General strategy for local network: block all, DMZ for friends,
#        very specific rules (eg. maybe only DNS and local HTTP by default).
#
###############################################################################

#==============================================================================
# -- Defines - options
#==============================================================================
log_all_optional = ""
#log_all_optional = "log"          # Set to "log" if you want to log basically
                                   # everything. Otherwise, only blocked
                                   # traffic is logged.

#==============================================================================
# -- Defines - interfaces
#==============================================================================
if_eth_lan_private        = "igb0"    # Private LAN interface
if_eth_ext_wan            = "em0"     # WAN interface
if_gif_ipv6               = "gif0"    # IPv6 tunnel interface
if_wifi_vlan_lan_guest    = "igb0.5"  # Guest WiFi VLAN
if_wifi_vlan_lan_ios      = "igb0.6"  # Internet of shit VLAN
if_wifi_vlan_lan_vpnuser  = "igb0.7"  # VPN-locked user VLAN
if_tun_lan_vpn            = "tun0"    # Local VPN tun
if_tun_ext_vpn_cyberlead  = "tun1"    # CyberLead tun
if_tun_ext_vpn_ipvanish   = "tun4"    # IPVanish tun
if_tun_ext_vpn_pcarmarket = "tun2"    # PCARMARKET cluster tun
if_tun_ext_vpn_groovecar  = "tun3"    # GrooveCar tun
if_tun_ext_vpn_clcluster  = "tun5"    # CyberLead cluster tun
if_tun_ext_vpn_faftx      = "tun6"    # Fusion TX tun
if_tun_ext_vpn_faffa      = "tun7"    # Fusion Farmingdale tun

# The syntax here is a bit tricky, but it's allowed and works. Macros are very
# similar to `#define` in C-like languages - they're "dumb" text substitution;
# that's why they're called macros and not variables.
#
# Macros and lists can be defined recursively, but since macros are not
# expanded within quotes, the quotes must go around the curly braces only, eg.:
#
# my_var = "{" $other_var_1 $other_var_2 "}"
#
# Secondly, a list is normally read until the closing brace. But, since the
# closing brace is in quotes here, the parser has no closing brace to look for
# and would end the definition at the end of the line. Therefore, newlines must
# also be escaped.
#
if_tun_ext_vpn_all        = "{" \
  $if_tun_ext_vpn_cyberlead     \
  $if_tun_ext_vpn_ipvanish      \
  $if_tun_ext_vpn_pcarmarket    \
  $if_tun_ext_vpn_groovecar     \
  $if_tun_ext_vpn_clcluster     \
  $if_tun_ext_vpn_faftx         \
  $if_tun_ext_vpn_faffa         \
"}"

#==============================================================================
# -- Defines - networks
#==============================================================================
#
# * There may be a temptation to use eg. "$if_eth_lan_private:network" instead of
#   the actual subnet. That will work fine, but:
#    - It can be more helpful to actually see the actual subnet.
#    - The ":network" modifier expands the rule once for each network
#      assigned to the interface. $if_eth_lan_private currently has about a
#      dozen IPs assigned to it, so the rule is expanded once for each address,
#      and since every address is in the same subnet, it does so needlessly.

net_local_lan            = "10.0.0.0/16"              # Local private LAN network
net_local_ipv6           = "2001:470:1f06:132d::/128" # Local IPv6 network
net_local_wifi_guest     = "10.30.0.0/16"             # Local private guest WiFi LAN network
net_local_wifi_ios       = "10.40.0.0/16"             # Local private Internet of Shit WiFi LAN network
net_local_wifi_vpnuser   = "10.50.0.0/16"             # Local private VPN-locked WiFi LAN network
net_local_vpn            = "172.20.10.0/24"           # Local VPN private network
net_ext_vpn_cyberlead_88 = "192.168.88.0/24"          # External CyberLead VPN LAN network
net_ext_vpn_cyberlead_89 = "192.168.89.0/24"          # External CyberLead VPN LAN network
net_ext_vpn_groovecar    = "192.168.1.0/24"           # External GrooveCar VPN LAN network
net_ext_vpn_pcarmarket   = "172.17.72.0/22"           # External PCARMARKET cluster VPN LAN network
net_ext_vpn_clcluster    = "10.220.121.160/27"        # External CyberLead cluster VPN LAN network
net_ext_vpn_faftx        = "172.20.12.0/24"           # External Fusion TX VPN LAN network
net_ext_vpn_faffa        = "172.30.12.0/24"           # External Fusion Farmingdale LAN network

# Internal networks, to be blocked on egress. In a table because our version of
# pf doesn't understand "!$net_rfc_1918".
table <net_rfc1918> const {
  127.0.0.0/8
  192.168.0.0/16
  172.16.0.0/12
  10.0.0.0/8
}

# Table with all local networks.
table <net_local_all> const {
  $net_local_ipv6
  $net_local_wifi_guest
  $net_local_wifi_ios
  $net_local_wifi_vpnuser
  $net_local_vpn
}

# Table with all local networks, excluding the Internet of Shit network.
table <net_local_no_iot> const {
  $net_local_ipv6
  $net_local_wifi_guest
  $net_local_wifi_vpnuser
  $net_local_vpn
}

# Table with local guest or IoS networks, which are sometimes filtered
# separately.
table <net_local_guests> const {
  $net_local_wifi_guest
  $net_local_wifi_ios
  $net_local_wifi_vpnuser
}

# Table with all internal networks (local and external VPN LANs).
table <net_all> const {
  $net_local_ipv6
  $net_local_wifi_guest
  $net_local_wifi_ios
  $net_local_wifi_vpnuser
  $net_local_vpn
  $net_ext_vpn_cyberlead_88
  $net_ext_vpn_cyberlead_89
  $net_ext_vpn_groovecar
  $net_ext_vpn_pcarmarket
  $net_ext_vpn_clcluster
  $net_ext_vpn_faftx
  $net_ext_vpn_faffa
  $net_local_lan
}

#==============================================================================
# -- Defines - local IPs
#==============================================================================
ip_addr_local_mimas        = "{ 10.0.0.1, 2001:470:1f07:132d::1 }"      # mimas.codexterous.hq
ip_addr_local_pihole       = "{ 10.0.0.4 }"                             # pihole.codexterous.hq
ip_addr_local_dnsbl        = "{ 10.0.0.5, 2001:470:1f07:132d::aaaa }"   # dnsbl.codexterous.hq
ip_addr_local_sickbeard    = "{ 10.0.0.6, 2001:470:1f07:132d::bbbb }"   # sickbeard.codexterous.hq
ip_addr_local_sabnzbd      = "{ 10.0.0.7, 2001:470:1f07:132d::cccc }"   # sabnzbd.codexterous.hq
ip_addr_local_plex         = "{ 10.0.0.8, 2001:470:1f07:132d::dddd }"   # plex.codexterous.hq
ip_addr_local_tautulli     = "{ 10.0.0.9, 2001:470:1f07:132d::eeee }"   # tautulli.codexterous.hq
ip_addr_local_nossl        = "{ 10.0.0.10 }"                            # nossl.codexterous.hq
ip_addr_local_couchpotato  = "{ 10.0.0.12, 2001:470:1f07:132d::11bb }"  # couchpotato.codexterous.hq
ip_addr_local_transmission = "{ 10.0.0.13, 2001:470:1f07:132d::11aa }"  # transmission.codexterous.hq
ip_addr_local_radarr       = "{ 10.0.0.14, 2001:470:1f07:132d::11cc }"  # radarr.codexterous.hq
ip_addr_local_speedtest    = "{ 10.0.0.15, 2001:470:1f07:132d::11dd }"  # speedtest.codexterous.hq
ip_addr_local_sickchill    = "{ 10.0.0.16, 2001:470:1f07:132d::11ee }"  # sickchill.codexterous.hq
ip_addr_local_reserved_0   = "{ 10.0.0.17 }"                            # reserved IP
ip_addr_local_reserved_1   = "{ 10.0.0.18 }"                            # reserved IP

#==============================================================================
# -- Defines, network devices, local
#==============================================================================
dev_local_mimas                 = "10.0.0.1"
dev_local_pihole                = "10.0.0.4"
dev_local_gibibyte              = "10.0.0.20"
dev_local_triton                = "10.0.0.100"
dev_local_surfacepro            = "10.0.0.160"
dev_local_note10p               = "10.0.0.110"
dev_local_windows_bhyve         = "10.0.100.203"
dev_local_vmware_guest          = "10.0.100.204"
dev_local_transmission_gibibyte = "10.0.0.201"
dev_local_hdhomerun             = "10.0.100.190"
dev_local_unifi                 = "10.0.20.1"

#==============================================================================
# -- Defines, network devices, external
#==============================================================================
dev_ext_cloud_codexterous_com      = "108.61.159.57"
dev_ext_cloud_codexterous_com_ipv6 = "2001:470:1f06:132d::1"
dev_ext_php_codexterous_com        = "45.32.7.126"
dev_ext_php_codexterous_com_ipv6   = "2001:19f0:5:355::1"
dev_ext_vcs_groovecar_com          = "47.19.94.222"

#==============================================================================
# -- Defines, friends and trusted things, differently behaving hosts
#==============================================================================
#
# Comments are not allowed in macros, but they are allowed in tables, and as of
# FreeBSD 9, macros are expanded into tables anyway, likely for performance
# reasons:
#
# https://mwl.io/archives/1049
#

# Local name servers that pretty much everybody will need and have access to.
table <local_name_servers> const {
  $dev_local_mimas  # mimas.codexterous.hq
  $dev_local_pihole # pihole.codexterous.hq
}

# External friends that may be given access to more privileged things, such as
# SSH.
table <ext_friends_static> const {
   $dev_ext_cloud_codexterous_com      # cloud.codexterous.com IPv4
   $dev_ext_cloud_codexterous_com_ipv6 # cloud.codexterous.com IPv6
   $dev_ext_php_codexterous_com        # php.codexterous.com IPv4
   $dev_ext_php_codexterous_com_ipv6   # php.codexterous.com IPv6
   $dev_ext_vcs_groovecar_com          # vcs.groovecar.com
}

# Local friends that may be given access to things that other clients should
# not have, such as NAT to external VPNs.
#
# NOTE: * Currently, VPN users are omitted from this. It's somewhat of a
#         security concern if eg. my phone was allowed to access the remote
#         VPNs, and if ICMP needed them, it's not too much trouble to just
#         ssh into mimas first. If I want VPN users to have access, I could
#         simply add '$net_local_vpn' to this table.
table <local_friends_static> const {
  $dev_local_triton      # triton.codexterous.hq
  $dev_local_mimas       # mimas.codexterous.hq
  $dev_local_surfacepro  # surfacepro.codexterous.hq
  $dev_local_note10p     # note10p.codexterous.hq
}

# Local devices that are fully exposed (complete DMZ), see the basic rules.
table <local_dmz> const {
  $dev_local_triton      # triton.codexterous.hq
  $dev_local_mimas       # mimas.codexterous.hq
  $dev_local_surfacepro  # surfacepro.codexterous.hq
  $dev_local_note10p     # note10p.codexterous.hq
  $dev_local_gibibyte    # gibibyte.codexterous.hq
  $net_local_vpn         # local VPN network.
}

# Local hosts that are routed over an external VPN.
table <local_vpn_hosts_static> const {
  $dev_local_vmware_guest          # vmware-guest.codexterous.hq
  $dev_local_windows_bhyve         # windows-bhyve.codexterous.hq
  $dev_local_transmission_gibibyte # transmission.gibibyte.codexterous.hq
}

#==============================================================================
# -- Defines - ports, services
#
# * List of well-known services is available in /etc/services
#==============================================================================
local_tcp_services_standard = "{ www, https, 1194 }"                            # 1194 = OpenVPN
local_tcp_udp_services_dhcp = "{ dhcps, dhcpc }"
local_tcp_services_friends = "{ 9076 }"                                         # 9076 = SSH
local_tcp_services_plex_external = "{ 32400 }"                                  # TCP Ports used on the external network for Plex
local_udp_services_plex_external = "{ 32414 }"                                  # UDP Ports used on the external network for Plex
local_tcp_services_plex_internal = "{ 32400, 3005, 8324, 32469 }"               # TCP Ports used on the internal network by Plex
local_udp_services_plex_internal = "{ 1900, mdns, 32410, 32412, 32413, 32414 }" # UDP Ports used on the internal network by Plex
local_tcp_services_ubiquiti_capportal = "{ 8880 }"                              # Ubiquiti guest captive portal, runs on mimas
local_tcp_services_ubiquiti_management = "{ 8443 }"                             # Ubiquiti management console port, runs on mimas
rdr_tcp_ports_gibibyte_services = "{ 2166, 21800:21999 }"                       # Gibibyte FTP on non-standard port
rdr_tcp_ports_triton_services = "{ 45000:46000 }"                               # mIRC DCC
rdr_udp_ports_game_gtav = "{ 6672, 61455, 61456, 61457, 61458 }"                # Game: Grand Theft Auto V
rdr_udp_ports_game_arma = "{ 2302:2305 }"                                       # Game: ARMA III
rdr_udp_ports_game_thecrew = "{ 3000:3003 }"                                    # Game: The Crew
rdr_udp_ports_game_trialsrising = "{ 1935, 3478:3479, 3074,
                                     9103, 11030, 11035 }"                      # Game: Trials Rising

# These are the services we allow local devices to communicate with each other
# over. This is for devices outside the DMZ, so, it should be fairly limited:
local_tcp_services_network = "{ www, https, netbios-ns, netbios-dgm, netbios-ssn, microsoft-ds, domain }"
local_udp_services_network = "{ netbios-ns, netbios-dgm, netbios-ssn, microsoft-ds, domain }"

#==============================================================================
# -- Defines, ICMP types
#==============================================================================
#
# * For IPv4, allow echo, and unreach to allow for MTU discovery debugging. For
#   IPv6, allow some additional ICMP6 diagnostics.
# * We also have a group of ICMP6 types that is allowed only on the local LAN.
#
icmp_types_ipv4 = "{ echoreq, unreach }"                   # echo, dest unreach
icmp_types_ipv6 = "{ echoreq, unreach, timex, paramprob }" # echo, dest unreach, time exceeded, parameter problem
icmp_types_ipv6_local = "{ routeradv, routersol }"         # local only ICMP - router advertisement, router solicitation

#==============================================================================
# -- Defines - tables, lists
#==============================================================================
#
# * List of tor exit nodes that can reach you:
#   https://check.torproject.org/torbulkexitlist?ip=74.101.191.191
#
# NOTE: * The "blacklist_unroutable" table below was part of a pf configuration
#         provided years ago by A-Team. It seems there's nothing special about
#         192.168.254.254, and, it may have been causing some issues. Unless I
#         can find clear information about that address, don't block it.
#
table <blacklist_tor_clients> persist file "/etc/pf.tor.ip.conf"
table <blacklist_unroutable> const {
  192.168.254.254/32
}

# Known bad people from other stuff etc. Initial entries haven't necessarily
# been a problem locally, but it helps to have a starter list.
table <blacklist_bad_boys> const {
  165.225.222.175/32
  165.225.34.85/32
  46.229.173.0/24
}

#==============================================================================
# -- Limits/Vars
#==============================================================================
#
# * Without this 10x increase the pf state table max is reached resulting in
#   major problems and "Operation not permitted" for outgoing connections.
#
#   Check with: vmstat -z | egrep -i "(ITEM|pfstatepl)"
# * This could probably alternatively be resolved by smarter rules on whatever
#   was causing the state table to overflow. For example, don't use "keep
#   state" where it isn't necessary to do so, such as on HTTP connections.
#
set limit states 1000000

#==============================================================================
# -- NAT
#==============================================================================
#
# NOTE: * The parentheses around "($if_eth_ext_wan)" indicate that the IP address
#         of the interface is dynamically assigned.
#       * We are using a pre-OpenBSD 4.7 pf firewall, hence "nat on". Newer
#         versions would use "match out on ... nat-to ...".
#       * These rules essentially mean "translate the local IP to the external
#         IP".
#       * Since we block by default rather than pass, we may need to explicitly
#         allow the translated traffic.
#       * `nat on ... -> ($if_eth_ext_wan)` translates to `nat on ... -> (em0)
#         round-robin`. That probably would work fine, since there's generally
#         only one address assigned so it's not actually going to round-robin,
#         but it is better to be explicit (":0" excludes interface aliases).
#
# * NAT on applicable local LANs.
nat on $if_eth_ext_wan from $net_local_lan to any -> ($if_eth_ext_wan:0)
nat on $if_eth_ext_wan from $net_local_wifi_guest to any -> ($if_eth_ext_wan:0)
nat on $if_eth_ext_wan from $net_local_wifi_ios to any -> ($if_eth_ext_wan:0)
nat on $if_eth_ext_wan from $net_local_wifi_vpnuser to any -> ($if_eth_ext_wan:0)

# * NAT for friends only to external VPN LANs
nat on $if_tun_ext_vpn_groovecar  from <local_friends_static> to $net_ext_vpn_groovecar    -> ($if_tun_ext_vpn_groovecar:0)
nat on $if_tun_ext_vpn_faftx      from <local_friends_static> to $net_ext_vpn_faftx        -> ($if_tun_ext_vpn_faftx:0)
nat on $if_tun_ext_vpn_faffa      from <local_friends_static> to $net_ext_vpn_faffa        -> ($if_tun_ext_vpn_faffa:0)
nat on $if_tun_ext_vpn_pcarmarket from <local_friends_static> to $net_ext_vpn_pcarmarket   -> ($if_tun_ext_vpn_pcarmarket:0)
nat on $if_tun_ext_vpn_clcluster  from <local_friends_static> to $net_ext_vpn_clcluster    -> ($if_tun_ext_vpn_clcluster:0)
nat on $if_tun_ext_vpn_cyberlead  from <local_friends_static> to $net_ext_vpn_cyberlead_88 -> ($if_tun_ext_vpn_cyberlead:0)
nat on $if_tun_ext_vpn_cyberlead  from <local_friends_static> to $net_ext_vpn_cyberlead_89 -> ($if_tun_ext_vpn_cyberlead:0)

# * NAT on our local VPN so that users can use us as a gateway (eg. "privacy VPN").
nat on $if_eth_ext_wan from $net_local_vpn to any -> ($if_eth_ext_wan:0)

#==============================================================================
# -- Redirection, ports
#==============================================================================
#
# NOTE: * Should this be "from any to any" or can we get more specific?
rdr pass on $if_eth_ext_wan proto tcp from any to any port \
    $rdr_tcp_ports_gibibyte_services -> $dev_local_gibibyte
rdr pass on $if_eth_ext_wan proto tcp from any to any port \
    $rdr_tcp_ports_triton_services -> $dev_local_triton
rdr pass on $if_eth_ext_wan proto udp from any to any port \
    $rdr_udp_ports_game_gtav -> $dev_local_triton
rdr pass on $if_eth_ext_wan proto udp from any to any port \
    $rdr_udp_ports_game_arma -> $dev_local_triton
rdr pass on $if_eth_ext_wan proto udp from any to any port \
    $rdr_udp_ports_game_thecrew -> $dev_local_triton
rdr pass on $if_eth_ext_wan proto udp from any to any port \
    $rdr_udp_ports_game_trialsrising -> $dev_local_triton

#==============================================================================
# -- Redirection, anchors
#==============================================================================
#
# NOTE: * An anchor basically just means that an external program keeps track
#         of rules.
#       * pre-OpenBSD 4.7 needs both "nat-anchor" and "rdr-anchor".
#       * BoPF suggests to use eg. "miniupnpd/*", but in practice, looking at
#         the full expanded ruleset that is generated, it's understood as eg.
#         `nat-anchor "/*" all`, which may not be what we want. The
#         pkg-description file for miniupnpd says to use just "miniupnpd".
nat-anchor "miniupnpd"
rdr-anchor "miniupnpd"

#==============================================================================
# -- Skip interfaces
#==============================================================================
#
# NOTE: * Resist the temptation to use this. Just about the only thing it
#         should be used on is lo0.
#       * Do not 'set skip' on external VPN interfaces. If you do, you will not
#         be able to NAT on them. This is what broke VPN NATing for years until
#         I figured it out.
#
set skip on lo0

#==============================================================================
# -- Basic rules
#==============================================================================
#
# * Block everything by default.
# * Block log quick (no exceptions!) everything from any blacklists.
# * Let everything out
#
# NOTE: * Previously we used "block log in all", but the 'all' keyword is
#         implied and no longer necessary. Also we now default to "block
#         all" - the direction isn't specified, everything is blocked by
#         default.
#       * "all" and "keep state" are both optional and implied since OpenBSD
#         4.1. "keep state flags S/SA" ensures that only initial SYN packets
#         during connection setup create state, which can eliminate some
#         puzzling error scenarios. Ergo, "flags S/SA" is related to the
#         "keep state" portion.
#       * Perhaps a better version would be to somewhat selectively define
#         interfaces that are allowed to get out, eg.:
#
#         pass from { self, $net_local_lan } to any keep state
#       * Regarding logging:
#
#         https://www.openbsd.org/faq/pf/logging.html
#
#         Logs work such that where a rule is creating state, only the first
#         packet seen (ie. the one that causes the state to be created) will
#         be logged. Theoretically, since our 'block log all' and subsequent
#         'block in log quick' don't keep state, the later rules should be
#         the logged matching block rules.
# TODO: * Evaluate 'pass out log all'. Do I really want to do it? It is much
#         better to selectively allow outbound, but, that is obviously a pain
#         in the ass to manage.
#       * Perhaps outbound from clients (eg. non-servers) should be fully
#         allowed, but more finely tuned things like servers should be much
#         more selectively allowed.
#       * Any benefit to having all of the 'quick' stuff before the initial
#         'block log all' rule? Will I get more specificity in logging? As of
#         now, I feel that I'd wind up getting logs that just point to that
#         first master rule.
#       * Test the above assumption about logging. Do this by creating a
#         'block out log quick' to some arbitrary IP address, and use pflog
#         to see which rule matches. If it's the first 'block log all' rule,
#         the other 'block log quick' rules will need to be moved above
#         the 'block log all' rule.
#
block log all                                                         # -- Block everything by default
block in log quick inet from <blacklist_tor_clients> to any           # -- Block anybody in our tor exit node table
block in log quick inet from <blacklist_bad_boys> to any              # -- Block any known bad people
block in log quick on $if_eth_ext_wan inet from <net_rfc1918> to any  # -- On the external interface, block RFC1918 traffic that shouldn't be on the internet
block out log quick on $if_eth_ext_wan inet from any to <net_rfc1918> # -- On the external interface, block outbound RFC1918 traffic
pass out $log_all_optional all keep state flags S/SA                  # -- Everything outbound is fine - for now.
#pass out $log_all_optional inet6 keep state flags S/SA               # -- DINDONUFFIN
  547.  
  548. # For purposes of NATing and Internet, allow all inbound traffic that is
  549. # destined for anything that isn't local.
  550. pass in $log_all_optional on $if_eth_lan_private inet from any to !<net_rfc1918> keep state
  551. pass in $log_all_optional on $if_eth_lan_private inet6 from any to !$net_local_ipv6 keep state
  552.  
  553. #pass $log_all_optional inet proto icmp icmp-type $icmp_types_ipv4
  554.  
  555.  
  556. # Testing IPv6 - if this works, it would mean that the entire IPv6 network has
  557. # no firewall.
  558. #pass on $if_gif_ipv6  # DINDONUFFIN
  559. pass quick on $if_eth_lan_private inet6 from any to any
  560.  
  561. # Complete DMZ for some local devices.
  562. pass $log_all_optional on $if_eth_lan_private from <local_dmz> to any
  563.  
  564. # Allow the Unifi AP to communicate with Mimas for the controller software.
  565. pass in on $if_eth_lan_private from $dev_local_unifi to $ip_addr_local_mimas
  566.  
  567. # For other devices on the regular local LAN, just be a litte selective about
  568. # what we allow. We'll get much tighter for guest networks.
  569. pass $log_all_optional on $if_eth_lan_private proto tcp from $net_local_lan to $net_local_lan port $local_tcp_services_network keep state
  570. pass $log_all_optional on $if_eth_lan_private proto udp from $net_local_lan to $net_local_lan port $local_udp_services_network keep state
  571.  
  572. # Also allow the regular local LAN access to everything on the IoT and guest
  573. # networks. We don't allow this backwards, though.
  574. pass $log_all_optional on $if_eth_lan_private from $net_local_lan to <net_local_guests> keep state
  575.  
  576. # I want to have all local devices get access to the HDHomeRun, but it doesn't
  577. # have a well-defined list of ports. Just allow the whole LAN to access it
  578. # fully.
  579. pass $log_all_optional on $if_eth_lan_private from $net_local_lan to $dev_local_hdhomerun
  580.  
  581. # Allow dns and dhcp through in all cases from all local networks.
  582. pass in $log_all_optional on $if_eth_lan_private proto { tcp, udp } from <net_local_all> to <local_name_servers> port domain keep state
  583. pass in $log_all_optional on $if_eth_lan_private proto { tcp, udp } from any to $ip_addr_local_mimas port $local_tcp_udp_services_dhcp keep state
  584.  
  585. # Allow local Plex ports from regular local network and guest WiFi network (but not IoT network).
  586. pass $log_all_optional on $if_eth_lan_private proto tcp from <net_local_no_iot> to $ip_addr_local_mimas port $local_tcp_services_plex_internal keep state
  587. pass $log_all_optional on $if_eth_lan_private proto tcp from <net_local_no_iot> to $ip_addr_local_mimas port $local_udp_services_plex_internal keep state
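# The following is an added example, not from the pasted pf.conf: a lint for
# the copy-paste slip of pairing 'proto tcp' with a $..._udp_... port macro (or
# 'proto udp' with a $..._tcp_... one). 'pfctl -nf' accepts such a rule because
# it is syntactically valid; only the tcp/udp naming convention of the macros
# in this paste makes the mistake visible, and that convention is all the lint
# relies on. The ruleset it scans is a constructed sample; $if_lan and
# $ip_mimas are assumed macro names.

```sh
#!/bin/sh
# Added example (not from the pasted pf.conf): flag rules whose 'proto' and
# port macro name disagree on tcp/udp. Relies on the macro naming convention
# of the paste ($local_tcp_services_*, $local_udp_services_*).

# Constructed sample ruleset; $if_lan and $ip_mimas are assumed macro names.
# Line 2 is the mistake: 'proto tcp' with a udp port macro.
SAMPLE_RULESET='pass on $if_lan proto tcp from <net_local_no_iot> to $ip_mimas port $local_tcp_services_plex_internal keep state
pass on $if_lan proto tcp from <net_local_no_iot> to $ip_mimas port $local_udp_services_plex_internal keep state
pass on $if_lan proto udp from any to $ip_mimas port $local_udp_services_dhcp keep state
pass in on $if_lan proto { tcp, udp } from any to $ip_mimas port $local_tcp_udp_services_dhcp keep state
# proto tcp inside a comment must not be flagged: port $local_udp_services_x'

# lint_proto_macro RULESET: print "lineno: rule" for every mismatch and return
# 1 if any were found, 0 otherwise. Comment lines, 'proto { tcp, udp }' rules
# and macros naming both protocols (..._tcp_udp_...) are left alone.
lint_proto_macro() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            proto = ""
            if ($0 ~ /proto[[:space:]]+tcp([[:space:]]|$)/) proto = "tcp"
            else if ($0 ~ /proto[[:space:]]+udp([[:space:]]|$)/) proto = "udp"
            if (proto == "") next
            other = (proto == "tcp") ? "udp" : "tcp"
            # a port macro that names only the other protocol is a mismatch
            if ($0 ~ ("port[[:space:]]+\\$[A-Za-z0-9_]*_" other "_") && $0 !~ ("_" proto "_")) {
                print NR ": " $0
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }'
}

# Usage against the live file, e.g. before 'pfctl -f':
#   lint_proto_macro "$(cat /etc/pf.conf)" || echo "fix the rules above first"
```

# Run it before every reload together with 'pfctl -nvf': the syntax check
# catches unknown macros and malformed rules, this catches the rule that parses
# fine but opens the wrong protocol.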

# Also allow all networks to reach the dnsbl error page.
pass in $log_all_optional on $if_eth_lan_private proto { tcp, udp } from <net_local_all> to $ip_addr_local_dnsbl port { www, https } keep state

# Allow the guest network to access the Ubiquiti captive portal.
pass in $log_all_optional on $if_eth_lan_private proto tcp from $net_local_wifi_guest to $ip_addr_local_mimas port $local_tcp_services_ubiquiti_capportal

#==============================================================================
# -- External VPNs
#==============================================================================
#
# TODO: * Is this even necessary?
#
pass $log_all_optional on $if_tun_ext_vpn_all keep state

#==============================================================================
# -- Redirection, interfaces and networks
#==============================================================================

# * Redirect some internal devices and networks over other networks
#
# NOTE: * Only TCP and UDP are matched here, so ICMP and any other protocol
#         from these hosts still leaves via the default route, not the tunnel.
#       * A route-to match is sent out the named interface regardless of its
#         destination, and 'to any' includes the local networks. Being 'pass
#         in' rules without 'quick' placed after the LAN rules, they are the
#         last match for TCP/UDP from <local_vpn_hosts_static>, so LAN-bound
#         traffic from those hosts is diverted into the tunnel as well. Add an
#         earlier 'quick' pass for local destinations (or use
#         'to !<net_local_all>') if that is not intended.
pass in $log_all_optional on $if_eth_lan_private route-to $if_tun_ext_vpn_ipvanish inet \
    proto { tcp, udp } from <local_vpn_hosts_static> to any \
    flags S/SA keep state

# * Route VPN WiFi over IPVanish VPN interface
pass in $log_all_optional on $if_wifi_vlan_lan_vpnuser route-to $if_tun_ext_vpn_ipvanish inet \
    proto { tcp, udp } from $net_local_wifi_vpnuser to any \
    flags S/SA keep state

#==============================================================================
# -- ICMP
#==============================================================================
#
# * Allow echo, and allow out the default range for traceroute(8):
#   "base+nhops*nqueries-1" (33434+64*3-1)
# * The traceroute rules are unnecessary for Windows clients, where tracert.exe
#   and sister IPv6 tracert6.exe use ICMP echo requests for traceroute.
# * We also allow certain types of ICMPv6 traffic locally, but not externally.
#
# NOTE: * A necessary evil. The stated original purpose of ICMP is to greatly
#         help with network debugging. Some people are scared of it, but
#         concerns about various vulnerabilities (e.g. "ping of death") haven't
#         been valid since the 90s. That said, we can still be a little
#         selective about what we allow.
#
pass $log_all_optional inet proto icmp icmp-type $icmp_types_ipv4
pass $log_all_optional inet6 proto icmp6 icmp6-type $icmp_types_ipv6

# TODO: Is this correct? Am I supposed to pass on the interface, the ipv4
#       network, the ipv6 network, or all three? Not sure. It should be
#       obvious if this isn't working -
pass $log_all_optional on $if_eth_lan_private inet6 proto icmp6 icmp6-type $icmp_types_ipv6_local

# NOTE: This is unnecessary, as we pass out all.
#       ('><' excludes both ends, so 33433 >< 33626 is 33434-33625, exactly
#       the range the formula above gives; an inclusive 33433:33626 would be
#       one port too wide on each side.)
#pass out $log_all_optional on $if_eth_ext_wan inet proto udp to port 33433 >< 33626  # for IPv4 traceroute
#pass out $log_all_optional on $if_eth_ext_wan inet6 proto udp to port 33433 >< 33626 # for IPv6 traceroute

#==============================================================================
# -- Local Services (this machine)
#==============================================================================
#
pass in $log_all_optional quick on $if_eth_ext_wan proto tcp from <ext_friends_static> to $ip_addr_local_mimas port $local_tcp_services_friends
pass in $log_all_optional quick on $if_eth_ext_wan proto tcp from any to $ip_addr_local_mimas port $local_tcp_services_standard
pass in $log_all_optional quick on $if_eth_ext_wan proto tcp from any to $ip_addr_local_mimas port $local_tcp_services_plex_external
pass in $log_all_optional quick on $if_eth_ext_wan proto udp from any to $ip_addr_local_mimas port $local_udp_services_plex_external
