authorJoeServ <bousset.rudy@gmail.com>2023-02-27 15:41:41 +0100
committerJoeServ <bousset.rudy@gmail.com>2023-02-27 15:41:41 +0100
commit9208846b5747abcd08792605511a1dd1ab457ccf (patch)
tree4a4ca4dc60f12272c864a230f2f18519fd607ecf /usr/local/etc/pf.conf
parentupdate (diff)
Jail rework
Diffstat (limited to 'usr/local/etc/pf.conf')
-rw-r--r--usr/local/etc/pf.conf60
1 files changed, 0 insertions, 60 deletions
diff --git a/usr/local/etc/pf.conf b/usr/local/etc/pf.conf
deleted file mode 100644
index c514fe8..0000000
--- a/usr/local/etc/pf.conf
+++ /dev/null
@@ -1,60 +0,0 @@
-## Set public interface ##
-ext_if="vtnet0"
-
-## set and drop IP ranges on the public interface ##
-martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
- 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
- 0.0.0.0/8, 240.0.0.0/4 }"
-
-table <spamd> persist
-table <spamd-allow> persist
-
-# Allowed webmail services
-#table <webmail> persist file "/usr/local/etc/pf.webmail.ip.conf"
-
-## Skip loop back interface - Skip all PF processing on interface ##
-set skip on lo
-
-## Sets the interface for which PF should gather statistics such as bytes in/out and packets passed/blocked ##
-set loginterface $ext_if
-
-# Deal with attacks based on incorrect handling of packet fragments
-scrub in all
-
-
-# Pass spamd allow list
-rdr pass log on $ext_if inet proto tcp from <spamd-allow> to $ext_if port smtp \
- -> 127.0.0.1 port 25
-# Pass webmail servers
-rdr pass log on $ext_if inet proto tcp from <gmail> to $ext_if port smtp \
- -> 127.0.0.1 port 25
-# pass submission messages.
-pass quick log on $ext_if inet proto tcp from any to $ext_if port submission modulate state
-# Pass unknown mail to spamd
-rdr pass log on $ext_if inet proto tcp from {!<spamd-allow> <spamd>} to $ext_if port smtp \
- -> 127.0.0.1 port 8025
-
-## Blocking spoofed packets
-antispoof quick for $ext_if
-
-## Set default policy ##
-block return in log all
-block out all
-
-# Drop all Non-Routable Addresses
-block drop in quick on $ext_if from $martians to any
-block drop out quick on $ext_if from any to $martians
-
-pass in inet proto tcp to $ext_if port ssh
-
-# Allow Ping-Pong stuff. Be a good sysadmin
-pass inet proto icmp icmp-type echoreq
-
-# Open up imap/pop3 support
-pass quick on $ext_if proto tcp from any to any port {imap, imaps, pop3, pop3s} modulate state
-
-
-# Allow outgoing traffic
-pass out on $ext_if proto tcp from any to any modulate state
-pass out on $ext_if proto udp from any to any keep state
-#pass quick on $ext_if from any to any port http