author | Charlie Root <root@jozanofastora.xyz> | 2022-04-27 14:02:54 +0000 |
---|---|---|
committer | Charlie Root <root@jozanofastora.xyz> | 2022-04-27 14:02:54 +0000 |
commit | 96d51c38abc47fc5ea5dee0949f5fc0323b31026 (patch) | |
tree | 15c5266908f61ed9a7e1e621f83ff65c431eee46 /usr/local/etc/pf.conf | |
First commit
Diffstat (limited to 'usr/local/etc/pf.conf')
-rw-r--r-- | usr/local/etc/pf.conf | 60 |
1 files changed, 60 insertions, 0 deletions
diff --git a/usr/local/etc/pf.conf b/usr/local/etc/pf.conf
new file mode 100644
index 0000000..1838656
--- /dev/null
+++ b/usr/local/etc/pf.conf
@@ -0,0 +1,60 @@
+## Set public interface ##
+ext_if="vtnet0"
+
+## set and drop IP ranges on the public interface ##
+martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
+ 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
+ 0.0.0.0/8, 240.0.0.0/4 }"
+
+table <spamd> persist
+table <spamd-allow> persist
+
+# Allowed webmail services
+table <webmail> persist file "/usr/local/etc/pf.webmail.ip.conf"
+
+## Skip loop back interface - Skip all PF processing on interface ##
+set skip on lo
+
+## Sets the interface for which PF should gather statistics such as bytes in/out and packets passed/blocked ##
+set loginterface $ext_if
+
+# Deal with attacks based on incorrect handling of packet fragments
+scrub in all
+
+
+# Pass spamd allow list
+pass quick log on $ext_if inet proto tcp from <spamd-allow> to $ext_if port smtp \
+ -> 127.0.0.1 port 25
+# Pass webmail servers
+rdr pass quick log on $ext_if inet proto tcp from <gmail> to $ext_if port smtp \
+ -> 127.0.0.1 port 25
+# pass submission messages.
+pass quick log on $ext_if inet proto tcp from any to $ext_if port submission modulate state
+# Pass unknown mail to spamd
+rdr pass log on $ext_if inet proto tcp from {!<spamd-allow> <spamd>} to $ext_if port smtp \
+ -> 127.0.0.1 port 8025
+
+## Blocking spoofed packets
+antispoof quick for $ext_if
+
+## Set default policy ##
+block return in log all
+block out all
+
+# Drop all Non-Routable Addresses
+block drop in quick on $ext_if from $martians to any
+block drop out quick on $ext_if from any to $martians
+
+pass in inet proto tcp to $ext_if port ssh
+
+# Allow Ping-Pong stuff. Be a good sysadmin
+pass inet proto icmp icmp-type echoreq
+
+# Open up imap/pop3 support
+pass quick on $ext_if proto tcp from any to any port {imap, imaps, pop3, pop3s} modulate state
+
+
+# Allow outgoing traffic
+pass out on $ext_if proto tcp from any to any modulate state
+pass out on $ext_if proto udp from any to any keep state
+pass quick on $ext_if from any to any port http |
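Review bot: The webmail bypass rule references table `<gmail>`, which is never declared; the table actually declared and loaded from `/usr/local/etc/pf.webmail.ip.conf` is `<webmail>`, so the intended senders never get the direct-to-port-25 redirect (depending on pfctl version the ruleset either fails to load or the rule matches an empty table) and fall through to spamd instead — the line should read `rdr pass quick log on $ext_if inet proto tcp from <webmail> to $ext_if port smtp \`. The file also mixes two pf dialects: the `<spamd-allow>` rule uses the OpenBSD-style `pass ... -> 127.0.0.1 port 25` form while the others use `rdr pass`, and on FreeBSD pf (which the `/usr/local/etc` path and `vtnet0` suggest) translation rules must precede filter rules, so `pfctl -nf` should be run before this is deployed. Ordering also weakens the spoofing protection: the `antispoof quick` and martian `block drop ... quick` rules sit below the `pass quick` SMTP/submission rules, so a packet from a martian source to port 25 or 587 is accepted by the earlier quick rule before the block is ever evaluated; move those two blocks above the first mail rule. Finally, the last rule `pass quick on $ext_if from any to any port http` has no `proto`, which pf does not allow with `port`, and the imap/pop3 rule passes in both directions from any to any — it is presumably meant to be `pass in ... proto tcp ... to $ext_if port {imap, imaps, pop3, pop3s}`; verify the intent.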