Pf

PF Basics

Basic Ruleset

  • Full Connectifity v4/v6
  • allow SSH in from RFC1918
  • allow all outgoing
# Backup
cp /etc/pf.conf /etc/pf.conf.bak-$(date "+%s")

# Paste new Ruleset
cat << 'EOF' > /etc/pf.conf

#######################################################################################################################
#
# OpenBSD PF Template
#
#######################################################################################################################

########################
### DEFAULT SETTINGS ###
########################

set block-policy drop
set limit states 100000
set limit table-entries 1000000
set optimization normal
set ruleset-optimization none
set skip on { lo0 enc0  }
set syncookies adaptive (start 25%, end 12%)


########################
### MACROS           ###
########################

# log block
lb  = "log"

# log pass
lp  = "log"


########################
### NORMALIZATION    ###
########################

match inet  scrub (no-df max-mss 1380)
match inet6 scrub (max-mss 1360)


########################
### Block all / uRPF ###
########################

block     log
block in  log quick from urpf-failed label uRPF


############################
### DHCP & IPv6 Stuff    ###
############################

# Allow DHCP
pass      $lp quick inet  proto udp       from  any     port 68   to 255.255.255.255  port 67
pass      $lp quick inet  proto udp       from  any     port 68   to (self)           port 67
pass      $lp quick inet  proto udp       from  (self)  port 67   to any              port 68

# In
pass in   $lp quick inet6 proto ipv6-icmp all                           icmp6-type { unreach toobig neighbrsol neighbradv } keep state

# Out
pass out  $lp quick inet6 proto ipv6-icmp from (self)     to fe80::/10  icmp6-type { echoreq echorep neighbradv neighbrsol routeradv routersol } keep state
pass out  $lp quick inet6 proto ipv6-icmp from (self)     to ff02::/16  icmp6-type { echoreq echorep neighbradv neighbrsol routeradv routersol } keep state

# In
pass in   $lp quick inet6 proto ipv6-icmp from fe80::/10  to fe80::/10  icmp6-type { echoreq neighbradv neighbrsol routeradv routersol } keep state
pass in   $lp quick inet6 proto ipv6-icmp from fe80::/10  to ff02::/16  icmp6-type { echoreq neighbradv neighbrsol routeradv routersol } keep state
pass in   $lp quick inet6 proto ipv6-icmp from ff02::/16  to fe80::/10  icmp6-type { echoreq neighbradv neighbrsol routeradv routersol } keep state
pass in   $lp quick inet6 proto ipv6-icmp from ::         to ff02::/16  icmp6-type { echoreq neighbradv neighbrsol routeradv routersol } keep state


############################
### MyTrust for Hosts    ###
############################

# Allow RFC1918
pass in   $lp quick inet  proto tcp   from { 10/8 172.16/12 192.168/16 }             to (self) port 22

# Allow all Out
pass out  $lp quick


#######################################################################################################################
# End
#######################################################################################################################
EOF

# check & reload
pfctl -nf /etc/pf.confad && pfctl -f /etc/pf.conf

Any Comments ?

sha256: e41b3f0d6bbb5edf23921f2f8bdc7fc83b9ed8676d7e3e62b746af25aae2f30c