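# VectorStar pf.conf
# 12/30/04
#
# Sections follow the order pf requires: options, normalization (scrub),
# queueing (altq), then filter rules. Filter rules are "quick" (first match
# wins), so the per-interface defaults come first and the WAN default-deny
# below relies on the later "pass in quick" service rules to open only the
# listed ports.

#####
## Configuration Options
#

IF_WAN = "hme0"
IF_PUBIP = "bridge0"
IF_LAN = "hme1"
IF_PRIV = "hme2"
IF_PARENTS = "le0"

# Server restrictions
S_ALL = "207.90.2.0/28"
S_FTP = "207.90.2.6/32"
# NOTE(review): 207.90.2.5/30 is not prefix-aligned; the mask makes it
# 207.90.2.4/30 (.4-.7) — confirm that range is the intended shell host(s).
S_SHELL = "207.90.2.5/30"
#S_SHELL = "207.90.2.0/28"
S_MAIL = "207.90.2.5/32"
S_DNS = "207.90.2.2/31"
S_WEB = "207.90.2.0/28"  # Really just .5 and .6, but that could change

# Shortcut arguments
# "flags" only applies to TCP: pfctl refuses a rule whose udp (or icmp)
# expansion carries it, so every rule that uses $FLAGS says "proto tcp" and
# UDP services get their own rule without it.
FLAGS = "flags S/SA"
STATE = "keep state"

#####
## Main defaults
#

set optimization aggressive
# Normalize/reassemble inbound packets before any filter rule sees them.
scrub in all

# Bandwidth/QoS specifications
# Higher priority number = higher real priority.
# CBQ child shares may not add up to more than the parent's bandwidth
# (pfctl rejects the ruleset otherwise); the original shares summed to well
# over 100%. The split below is a constructed starting point that sums to
# 100% and keeps the original priorities; "borrow" lets any queue use idle
# bandwidth so the smaller shares are floors, not ceilings. Tune to taste.
altq on $IF_WAN cbq bandwidth 384Kb queue { std, http, mail, ftp, ssh, dns, thepalace }
queue std bandwidth 15% cbq(default borrow)
queue http bandwidth 30% priority 4 cbq(borrow)
queue mail bandwidth 15% priority 3 cbq(borrow)
queue ssh bandwidth 10% priority 7 cbq(borrow)
queue ftp bandwidth 15% priority 2 cbq(borrow)
queue dns bandwidth 5% priority 7 cbq(borrow)
queue thepalace bandwidth 10% priority 6 cbq(borrow)

# Loopback defaults
pass in quick on lo0 all
pass out quick on lo0 all

# WAN defaults
# Everything leaving via the WAN side is allowed and tracked; everything
# arriving is dropped and logged unless a later "pass in quick" rule opens
# it. pf's implicit policy is "pass", so without this block line none of the
# service rules below would restrict anything.
pass out quick on $IF_WAN all $STATE
block in log on $IF_WAN all

# PUBIP (bridge) defaults
#pass in quick on $IF_PUBIP all
#pass out quick on $IF_PUBIP all

# LAN defaults
# ident: don't let our servers request ident on outside people
#block return-rst in quick on $IF_LAN proto tcp from {$S_ALL,10.10.10.0/24} to any port auth
pass out quick on $IF_LAN all
pass in quick on $IF_LAN all #$STATE

# Private LAN port settings
pass in quick on $IF_PRIV all
pass out quick on $IF_PRIV all

# Parents' Network settings
pass in quick on $IF_PARENTS all
pass out quick on $IF_PARENTS all

#####
## Section 1: All Servers
#

# block LAN spoofing attempts.
#block out quick on $IF_LAN proto {tcp,udp,icmp} from $S_ALL to any

# ICMP
# The previous version passed all ICMP with a quick rule and then had a
# second rule for types 3 and 11 that could never match (the first rule had
# already taken every ICMP packet). Merged into one rule that admits only
# echo requests (the servers stay pingable) plus destination-unreachable and
# time-exceeded, which the servers' own TCP sessions rely on (path-MTU
# discovery) and which traceroute needs. No $FLAGS here: TCP only.
pass in quick on $IF_WAN proto icmp from any to $S_ALL icmp-type { echoreq, unreach, timex } $STATE

# HTTP
# $STATE is required together with $FLAGS: without state only the SYN
# matches and the rest of the handshake falls through to the WAN block.
pass in quick on $IF_WAN proto tcp from any to $S_WEB port {80,443} $FLAGS $STATE queue http

#####
## Section 2: Simple server-specific
#

# Section 2.1: FTP Server
# no S/SA here; state is still needed so the control session survives the
# WAN default-deny.
pass in quick on $IF_WAN proto tcp from any to $S_FTP port {21,20} $STATE queue ftp
# Passive Ports >65000 must be configured in FTP daemon as well.
pass in quick on $IF_WAN proto tcp from any to $S_FTP port > 65000 $FLAGS $STATE queue ftp

# Section 2.2: DNS
# One rule per protocol because $FLAGS is TCP-only; state is kept on both
# so queries and TCP sessions (zone transfers, large answers) are tracked.
pass in quick on $IF_WAN proto udp from any to $S_DNS port 53 $STATE queue dns
pass in quick on $IF_WAN proto tcp from any to $S_DNS port 53 $FLAGS $STATE queue dns

# Section 2.3: Shell Server
# SSH - must keep state
pass in quick on $IF_WAN proto tcp from any to $S_SHELL port 22 $FLAGS $STATE queue ssh
# Telnet (cleartext; retire once every client is on SSH)
pass in quick on $IF_WAN proto tcp from any to $S_SHELL port 23 $FLAGS $STATE queue ssh

# Section 2.4: Mail Server
# SMTP
pass in quick on $IF_WAN proto tcp from any to $S_MAIL port {25,465} $FLAGS $STATE queue mail
# POP3
pass in quick on $IF_WAN proto tcp from any to $S_MAIL port {110,995} $FLAGS $STATE queue mail
# IMAP
pass in quick on $IF_WAN proto tcp from any to $S_MAIL port {143,993} $FLAGS $STATE queue mail

# Section 2.5: ThePalace (IRC) Server
# Port 9998
# The udp entry was dropped because it could not load alongside $FLAGS; if
# the service really needs UDP 9998, add a separate "proto udp" rule
# without $FLAGS.
pass in quick on $IF_WAN proto tcp from any to $S_ALL port 9998 $FLAGS $STATE queue thepalace

# SNMP for nextwind to monitor us - DEPRECATED
#pass in quick on $IF_WAN proto {tcp,udp} from 64.58.213.0/24 to $S_ALL port 161 $FLAGS

#####
## End of file.
#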