adding directories

This commit is contained in:
Reed McIntosh 2021-04-20 00:43:13 -04:00
parent 24447b64f9
commit a17fd5ddb5
No known key found for this signature in database
GPG Key ID: 1B054509B676DE56
1 changed files with 51 additions and 0 deletions


@ -0,0 +1,51 @@
wan = "ngeth0"
lan = "xxx"
#options
set skip on lo0
set block-policy drop
set fingerprints "/etc/pf.os"
set ruleset-optimization basic
set optimization normal
set limit { states 1624000, src-nodes 1624000, frags 5000, table-entries 400000 }
#scrub
scrub on $wan all random-id fragment reassemble
scrub on $lan all random-id fragment reassemble
#NAT
nat on $wan inet from ! ($wan) to any -> ($wan)
#Filter
#default deny
block drop in inet all label "Default deny rule IPv4"
block drop out inet all label "Default deny rule IPv4"
block drop in inet6 all label "Default deny rule IPv6"
block drop out inet6 all label "Default deny rule IPv6"
#allow dhcp/dhcpv6 client
pass in quick on $wan proto udp from any port = bootps to any port = bootpc keep state label "allow dhcp client out WAN"
pass out quick on $wan proto udp from any port = bootpc to any port = bootps keep state label "allow dhcp client out WAN"
pass in quick on $wan inet6 proto udp from fe80::/10 port = dhcpv6-client to fe80::/10 port = dhcpv6-client keep state label "allow dhcpv6 client in WAN"
pass in quick on $wan proto udp from any port = dhcpv6-server to any port = dhcpv6-client keep state label "allow dhcpv6 client in WAN"
pass out quick on $wan proto udp from any port = dhcpv6-client to any port = dhcpv6-server keep state label "allow dhcpv6 client out WAN"
#allow dhcp/dhcpv6 server
pass in quick on $lan inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
pass in quick on $lan inet proto udp from any port = bootpc to ($lan) port = bootps keep state label "allow access to DHCP server"
pass out quick on $lan inet proto udp from ($lan) port = bootps to any port = bootpc keep state label "allow access to DHCP server"
pass quick on $lan inet6 proto udp from fe80::/10 to fe80::/10 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
pass quick on $lan inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
pass quick on $lan inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-server keep state label "allow access to DHCPv6 server"
pass quick on $lan inet6 proto udp from ff02::/16 to fe80::/10 port = dhcpv6-server keep state label "allow access to DHCPv6 server"
pass in quick on $lan inet6 proto udp from fe80::/10 to ($lan) port = dhcpv6-client keep state label "allow access to DHCPv6 server"
pass out quick on $lan inet6 proto udp from ($lan) port = dhcpv6-server to fe80::/10 keep state label "allow access to DHCPv6 server"
#allow self
pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"