Difference between revisions of "OpenBSD Firewall / PF"

m (added category)
 
(19 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 
{{Project
 
{{Project
|State=Active
+
|State=Completed
|Members=Antarez, Vicarious
+
|Members=Vicarious, PsychiC
 
|Description=building a gateway on openbsd
 
|Description=building a gateway on openbsd
}}  
+
}}
In this talk we will be building a highly available firewalling gateway. It is not a lecture or talk, it's a hands-on workshop.  
+
I have dumped the entire config so others can use this as template for their own PF setup or to shout OMGWTFBBQ u freakin' n00b you should do it like XYZ.
  
how to play:
+
In the latter case either drop me an e-mail (psychic [monkeytailthingie] ackspace [lowerroundthingie] nl , join ACKspace and help out or simply STFU =D
  
*Log into the wireless network "antareztest"
 
*SSH to the gateway in that lan (192.168.1.254 or 192.168.1.252)
 
*Login as "root" password "bier"
 
*use "tmux a" to attach to the shared session
 
*break things, discuss, fix things
 
  
 +
 +
== MEUK ==
 +
Meer devices maken anders breekt DHCP enzo.... gewoon genoeg aanmaken, hier worden er 20 extra bijgemaakt.
 +
 +
`cd /dev;for i in {10..30}; do ./MAKEDEV bpf$i ; done`
 +
 +
 +
Pad toevoegen om packages te downen
 +
 +
export PKG_PATH=http://ftp.bit.nl/mirror/OpenBSD/5.0/packages/i386/
 +
 +
zet in  ~/.profile
 +
 +
 +
/etc/mygate is default gateway
 +
 +
 +
 +
 +
RULESDUMP 26-November-2102
 +
Namen etc verwijderd :)
 +
 +
GW2 (GW1 = RIP)
  
 
<pre>
 
<pre>
 +
# PF Rules ACKspace gateway 2
  
# PF Rules ACKspace gateway 2
 
  
### Macros ###
+
############################
 +
### Macros / Definitions ###
 +
############################
 +
 
 +
## Interfaces ##
 +
 
 +
# WAN interface
 
ext_if = "fxp0"
 
ext_if = "fxp0"
int_if = "{ fxp1 vlan10 vlan11 vlan12 vlan13 vlan14 vlan15 vlan16 vlan17 vlan18 vlan19 vlan20 vlan21 vlan22 vlan23 vlan24 vlan25 vlan26 vlan27 vlan28 vlan29 vlan30 vlan31 vlan32 vlan33 vlan34 vlan35 vlan36 vlan37 vlan38 vlan39 vlan40 vlan41 vlan42 vlan43 vlan44 vlan45 vlan46 vlan47 vlan48 vlan49 vlan50 vlan51 vlan52 vlan53 vlan54 vlan55 vlan56 vlan57 }"
+
 
 +
# LAN interface
 +
int_if = "fxp1"
 +
 
 +
# VLAN interfaces (VLAN30 + VLAN33 Excluded)
 +
vlan_if = "{ \
 +
vlan10 vlan11 vlan12 vlan13 vlan14 vlan15 vlan16 vlan17 vlan18 vlan19 \
 +
vlan20 vlan21 vlan22 vlan23 vlan24 vlan25 vlan26 vlan27 vlan28 vlan29 \
 +
vlan31 vlan32 vlan34 vlan35 vlan36 vlan37 vlan38 vlan39 \
 +
vlan40 vlan41 vlan42 vlan43 vlan44 vlan45 vlan46 vlan47 vlan48 vlan49 \
 +
vlan50 vlan51 vlan52 vlan53 vlan54 vlan55 vlan56 vlan57}"
 +
 
 +
 
 +
## IP adresses ##
 +
 
 +
# WAN adress
 
gw2_ext = "213.125.94.212"
 
gw2_ext = "213.125.94.212"
icmp_types="echoreq"
 
tcp_services="{ ssh }"
 
private_networks="{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32, 127.0.0.0/8 }"
 
  
### Skip Policy ###
+
# Local adress ranges
 +
private_networks = "{ 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 255.255.255.255/32 127.0.0.0/8 }"
  
# Skip any filtering if it is on infterface localhost
+
 
 +
########################
 +
### Default Policies ###
 +
########################
 +
 
 +
# Skip any filtering if it is on interface localhost
 
set skip on lo
 
set skip on lo
  
### Block Policy ###
+
# Provide nice blocked messages
 +
set block-policy return
 +
 
 +
# Block all unless a allow rule exists
 +
block all
 +
 
 +
 
 +
#######################
 +
### Cleanup Packets ###
 +
#######################
 +
 
 +
# Reassemble packets
 +
set reassemble yes
 +
 
 +
# Scrub packets
 +
match in all scrub (max-mss 1472)
 +
match out all scrub (random-id)
 +
 
 +
# Antispoof
 +
antispoof quick for { $ext_if } inet
 +
 
 +
# Block bogus packets
 +
block in quick on $ext_if from no-route to any
 +
block in quick on $ext_if from any to 255.255.255.255
 +
block in quick on $ext_if from any to $private_networks
 +
block in quick on $ext_if from $private_networks to any
 +
block return out quick on $ext_if from any to $private_networks
 +
 
 +
 
 +
############
 +
### NAT ####
 +
############
 +
 
 +
# NAT all interfaces to WAN
 +
match out on $ext_if from any to any nat-to $gw2_ext
 +
 
 +
 
 +
#####################
 +
### SPECIAL rules ###
 +
#####################
 +
 
 +
# Help with Active and Passive FTP
 +
anchor "ftp-proxy/*"
 +
pass in quick on $int_if proto tcp from any to port 21 rdr-to 127.0.0.1 port 8021
 +
 
 +
 
 +
######################
 +
### Pass IN rules  ###
 +
######################
 +
 
 +
# Allow incoming GRE (VPN) protocal on WAN interface
 +
pass in on $ext_if proto gre all keep state
 +
 
 +
# Allow incoming SSH and ICMP on WAN interface
 +
pass in on $ext_if inet proto tcp from any to $gw2_ext port 22
 +
pass in on $ext_if inet proto icmp from any to $gw2_ext icmp-type echoreq
 +
 
 +
# Allow incoming ALL on LAN interfaces
 +
pass in on $int_if
 +
 
 +
# Allow incoming ALL on VLAN Interfaces
 +
pass in on $vlan_if
 +
 
 +
 
 +
######################
 +
### Redirect rules ###
 +
######################
 +
 
 +
 
 +
### VPN ###
 +
 
 +
# Redirect port 1723 to 10.0.10.101
 +
 
 +
pass in on $ext_if inet proto tcp from any to $gw2_ext port 1723 rdr-to 10.0.10.101
 +
pass in on $ext_if inet proto udp from any to $gw2_ext port 500 rdr-to 10.0.10.101
 +
pass in on $ext_if inet proto udp from any to $gw2_ext port 5500 rdr-to 10.0.10.101
 +
pass in on $ext_if inet proto udp from any to $gw2_ext port 1701 rdr-to 10.0.10.101
 +
 
 +
######################
 +
### Pass OUT rules ###
 +
######################
 +
 
 +
# Allow outgoing traffic on WAN from any
 +
# pass out on $ext_if from any
 +
pass out on $ext_if proto { tcp udp icmp esp gre } from any modulate state
 +
 
 +
 
 +
# Allow outgoing traffic on LAN from LAN
 +
pass out on $int_if from $int_if
 +
 
 +
# Allow outgoing traffic to VLAN50 and VLAN57 from non-private range 10.0.0.0/8
 +
# Somehow it doesnt work with variables. Don't use any to prevent other vlans from entering.
 +
pass out on vlan10 from ! 10.0.0.0/8
 +
pass out on vlan50 from ! 10.0.0.0/8
 +
pass out on vlan57 from ! 10.0.0.0/8
 +
 
 +
 
 +
# Allow outgoing traffic on VLAN from same VLAN (Block InterVLAN)
 +
pass out on vlan10 from vlan10:network
 +
pass out on vlan11 from vlan11:network
 +
pass out on vlan12 from vlan12:network
 +
pass out on vlan13 from vlan13:network
 +
pass out on vlan14 from vlan14:network
 +
pass out on vlan15 from vlan15:network
 +
pass out on vlan16 from vlan16:network
 +
pass out on vlan17 from vlan17:network
 +
pass out on vlan18 from vlan18:network
 +
pass out on vlan19 from vlan19:network
 +
pass out on vlan20 from vlan20:network
 +
pass out on vlan21 from vlan21:network
 +
pass out on vlan22 from vlan22:network
 +
pass out on vlan23 from vlan23:network
 +
pass out on vlan24 from vlan24:network
 +
pass out on vlan25 from vlan25:network
 +
pass out on vlan26 from vlan26:network
 +
pass out on vlan27 from vlan27:network
 +
pass out on vlan28 from vlan28:network
 +
pass out on vlan29 from vlan29:network
 +
# pass out on vlan30 from vlan30:network ()
 +
pass out on vlan31 from vlan31:network
 +
pass out on vlan32 from vlan32:network
 +
# pass out on vlan33 from vlan33:network ()
 +
pass out on vlan34 from vlan34:network
 +
pass out on vlan35 from vlan35:network
 +
pass out on vlan36 from vlan36:network
 +
pass out on vlan37 from vlan37:network
 +
pass out on vlan38 from vlan38:network
 +
pass out on vlan39 from vlan39:network
 +
pass out on vlan40 from vlan40:network
 +
pass out on vlan41 from vlan41:network
 +
pass out on vlan42 from vlan42:network
 +
pass out on vlan43 from vlan43:network
 +
pass out on vlan44 from vlan44:network
 +
pass out on vlan45 from vlan45:network
 +
pass out on vlan46 from vlan46:network
 +
pass out on vlan47 from vlan47:network
 +
pass out on vlan48 from vlan48:network
 +
pass out on vlan49 from vlan49:network
 +
pass out on vlan50 from vlan50:network
 +
pass out on vlan51 from vlan51:network
 +
pass out on vlan52 from vlan52:network
 +
pass out on vlan53 from vlan53:network
 +
pass out on vlan54 from vlan54:network
 +
pass out on vlan55 from vlan55:network
 +
pass out on vlan56 from vlan56:network
 +
pass out on vlan57 from vlan57:network
 +
 
 +
# Allow outgoing traffic from/to VLANS 50-55, VLAN 57
 +
 
 +
intervlan_interfaces = "{vlan50 vlan51 vlan52 vlan53 vlan54 vlan55 vlan57}"
 +
intervlan_network = "{vlan50:network vlan51:network vlan52:network vlan53:network vlan54:network vlan55:network vlan56:network vlan57:network}"
 +
 
 +
pass out on $intervlan_interfaces from $intervlan_network
 +
 
 +
 
 +
# VPN TEST
 +
pass in on $ext_if proto gre all keep state
 +
pass out on $ext_if proto gre all keep state
 +
 
 +
</pre>
 +
 
 +
 
 +
PUTGRAAF
 +
 
 +
<pre>
 +
 
 +
# PF Rules ACKspace gateway Putgraaf
 +
 
 +
 
 +
############################
 +
### Macros / Definitions ###
 +
############################
 +
 
 +
## Interfaces ##
 +
 
 +
# WAN interface
 +
ext_if = "em0"
 +
 
 +
# LAN interface
 +
int_if = "em1"
 +
 
 +
# VLAN interfaces
 +
vlan_if = "{ vlan10 vlan11 vlan12 vlan13 vlan14 vlan15 vlan16 vlan17 vlan18 vlan19 vlan20 }"
 +
 
 +
 
 +
## IP adresses ##
 +
 
 +
# WAN adress
 +
gw_ext = $ext_if:0
 +
 
 +
# Local address ranges
 +
private_networks = "{ 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 255.255.255.255/32 127.0.0.0/8 }"
 +
 
 +
 
 +
 
 +
####
 +
# IPV6
 +
####
 +
 
 +
 
 +
# Allow incoming IPv6 traffic
 +
pass in quick on $ext_if inet proto ipv6 keep state
 +
pass in quick on gif0 inet6 all
 +
 
 +
# Allow outgoing IPv6 traffic
 +
pass out quick on $ext_if inet proto ipv6 keep state
 +
pass out quick on gif0 inet6 all keep state
 +
pass out quick on vlan20 inet6 all keep state
 +
pass out quick on vlan10 inet6 all keep state
 +
 
 +
 
 +
 
 +
########################
 +
### Priority        ###
 +
########################
 +
 
 +
altq on $ext_if priq bandwidth 10000Kb queue { q_ack, q_dns, q_ssh, q_web, q_normal, q_bittorrent }
 +
queue q_ack priority 7
 +
queue q_dns priority 6
 +
queue q_ssh priority 5
 +
queue q_web priority 4
 +
queue q_normal priority 1 priq(default)
 +
queue q_bittorrent priority 0
 +
 
 +
 
 +
########################
 +
### Default Policies ###
 +
########################
 +
 
 +
# Skip any filtering if it is on interface localhost
 +
set skip on lo
  
 
# Provide nice blocked messages
 
# Provide nice blocked messages
 
set block-policy return
 
set block-policy return
  
 +
# Block all unless a allow rule exists
 +
block all
 +
 +
 +
#######################
 +
### Cleanup Packets ###
 +
#######################
 +
 +
# Reassemble packets
 +
set reassemble yes
 +
 +
# Scrub packets
 +
match in all scrub (max-mss 1472)
 +
match out all scrub (random-id)
 +
 +
# Antispoof
 +
antispoof quick for { $ext_if } inet
 +
 +
# Block bogus packets
 +
block in quick on $ext_if from no-route to any
 +
block in quick on $ext_if from any to 255.255.255.255
 +
block in quick on $ext_if from any to $private_networks
 +
block in quick on $ext_if from $private_networks to any
 +
block return out quick on $ext_if from any to $private_networks
  
### Default Policy ###
 
  
# Block all unless a allow rule exists
+
############
block in log
+
### NAT ####
block out log
+
############
 +
 
 +
# NAT all interfaces to WAN
 +
match out on $ext_if inet from !($ext_if:network) to any nat-to $gw_ext
 +
 
 +
 
 +
#####################
 +
### SPECIAL rules ###
 +
#####################
 +
 
 +
# Help with Active and Passive FTP
 +
anchor "ftp-proxy/*"
 +
pass in quick on $int_if proto tcp from any to port 21 rdr-to 127.0.0.1 port 8021
 +
 
 +
 
 +
######################
 +
### Pass IN rules  ###
 +
######################
 +
 
 +
# Allow incoming SSH and ICMP on WAN interface
 +
pass in on $ext_if inet proto tcp from any to $gw_ext port 22
 +
pass in on $ext_if inet proto icmp from any to $gw_ext icmp-type echoreq
 +
 
 +
# Prioritize ACK states
 +
pass in on $ext_if inet proto tcp from any to $ext_if flags S/SA modulate state queue (q_normal, q_ack)
 +
 
 +
 
 +
# Allow incoming ALL on LAN interfaces
 +
pass in on $int_if
 +
 
 +
# Allow incoming ALL on VLAN Interfaces
 +
pass in on $vlan_if
 +
 
 +
 
 +
######################
 +
### Redirect rules ###
 +
######################
 +
 
 +
 
 +
 
 +
 
 +
## ACKspace CAM /  10.1.10.253
 +
#
 +
# TCP port 25380 to port 80 (HTTP)
 +
pass in on $ext_if proto tcp from any to $gw_ext port 25380 rdr-to 10.1.10.253 port 80
 +
##
 +
 
 +
## ACKspace CAM2 / 10.1.10.252
 +
#
 +
# TCP port 25280 to port 80 (HTTP)
 +
pass in on $ext_if proto tcp from any to $gw_ext port 25280 rdr-to 10.1.10.252 port 80
 +
##
 +
 
 +
## ACKspace ZoneMinder / 10.1.10.119
 +
#
 +
# TCP port 11980 to port 80 (HTTP)
 +
pass in on $ext_if proto tcp from any to $gw_ext port 11980 rdr-to 10.1.10.119 port 80
 +
##
 +
 
 +
## VM Debian OpenVPN / 10.1.20.13
 +
#
 +
# TCP port 13022 to port 22 (SSH)
 +
  pass in on $ext_if inet proto tcp from any to $gw_ext port 13022 rdr-to 10.1.20.13 port 22
 +
# TCP port 13443 to port 443(VPN TUNNEL TCP)
 +
  pass in on $ext_if inet proto tcp from any to $gw_ext port 13443 rdr-to 10.1.20.13 port 443
 +
# TCP port 443 (HTTPS / VPN TUNNEL TCP)
 +
  pass in on $ext_if inet proto tcp from any to $gw_ext port 443 rdr-to 10.1.20.13
 +
# UDP port 1194 (OpenVPN / VPN TUNNEL UDP)
 +
  pass in on $ext_if inet proto udp from any to $gw_ext port 1194 rdr-to 10.1.20.13
 +
##
 +
 
 +
## Mailman / 10.1.20.19
 +
#
 +
# TCP port 25 to port 25 (SMTP)
 +
  pass in on $ext_if inet proto tcp from any to $gw_ext port 25 rdr-to 10.1.20.19 port 25
 +
# TCP port 19080 to port 80 (HTTP)
 +
  pass in on $ext_if inet proto tcp from any to $gw_ext port 19080 rdr-to 10.1.20.19 port 80
 +
 
 +
 
 +
## Gforge / 10.1.20.20
 +
#
 +
# TCP port 20080 to port 20080 (HTTP)
 +
  pass in on $ext_if inet proto tcp from any to $gw_ext port 20080 rdr-to 10.1.20.20 port 20080
 +
 
 +
pass in on $ext_if inet6 proto udp from any to  any
 +
pass in on gif0 inet6 proto udp from any to any
 +
 
 +
 
 +
 
 +
## VM Debian / 10.1.20.22
 +
#
 +
# TCP port 22022 to port 22 (SSH)
 +
  pass in on $ext_if inet proto tcp from any to $gw_ext port 22022 rdr-to 10.1.20.22 port 22
 +
 
 +
 
 +
## Playstation / 10.1.10.230
 +
#
 +
 
 +
# match out log on $ext_if from !10.1.10.230 to any received-on $int_if tag EGRESS nat-to ($ext_if:0)
 +
# match out log on $ext_if from 10.1.10.230 to any received-on $int_if tag EGRESS nat-to ($ext_if:0) static-port
 +
# pass out quick on $ext_if from 10.1.10.230
 +
# pass in quick on $ext_if inet proto { tcp udp } from 198.107.156.152 to $gw_ext rdr-to 10.1.10.230
 +
 
 +
#pass in quick on $ext_if inet proto tcp from any to $gw_ext port 1723 rdr-to 10.1.11.103 port 1723
 +
 
 +
# TCP + UDP port 3478,3479,3658,5223,9293
 +
#pass in quick on $ext_if inet proto { tcp udp } from any to $gw_ext port 3074 rdr-to 10.1.10.126 port 3074
 +
#ass in quick on $ext_if inet proto { tcp udp } from any to $gw_ext port 3478 rdr-to 10.1.10.126 port 3478
 +
#ass in quick on $ext_if inet proto { tcp udp } from any to $gw_ext port 3479 rdr-to 10.1.10.126 port 3479
 +
#ass in quick on $ext_if inet proto { tcp udp } from any to $gw_ext port 3658 rdr-to 10.1.10.126 port 3658
 +
#ass in quick on $ext_if inet proto { tcp udp } from any to $gw_ext port 5223 rdr-to 10.1.10.126 port 5223
 +
#ass in quick on $ext_if inet proto { tcp udp } from any to $gw_ext port 9293 rdr-to 10.1.10.126 port 9293
 +
 
 +
##  Xbox 360 / 10.1.15.1
 +
#
 +
# TCP + §UDP ports 3074, UDP ports 88
 +
pass in quick on $ext_if inet proto { tcp udp } from any to $gw_ext port 3074 rdr-to 10.1.15.1 port 3074
 +
pass in quick on $ext_if inet proto udp from any to $gw_ext port 88 rdr-to 10.1.15.1 port 88
 +
 
 +
######################
 +
### Pass OUT rules ###
 +
######################
 +
 
 +
# Allow outgoing traffic on WAN from any
 +
pass out on $ext_if proto { tcp udp icmp esp gre } from any modulate state
 +
 
 +
# Prioritize
 +
pass out on $ext_if proto tcp from $ext_if to any flags S/SA modulate state queue (q_nomal, q_ack)
 +
pass out on $ext_if proto tcp from $ext_if to any port { 80, 443 } flags S/SA modulate state queue (q_web, q_ack)
 +
 
 +
# Allow outgoing traffic on LAN from LAN
 +
pass out on $int_if from $int_if
 +
 
 +
# Allow outgoing traffic to VLANxx from non-private range 10.1.0.0/8
 +
# Somehow it doesnt work with variables
 +
pass out on vlan10 from ! 10.1.0.0/8
 +
pass out on vlan20 from ! 10.1.0.0/8
 +
 
 +
# Allow outgoing traffic on VLAN from same VLAN (Block InterVLAN)
 +
pass out on vlan10 from vlan10:network
 +
pass out on vlan11 from vlan11:network
 +
pass out on vlan12 from vlan12:network
 +
pass out on vlan13 from vlan13:network
 +
pass out on vlan14 from vlan14:network
 +
pass out on vlan15 from vlan15:network
 +
pass out on vlan16 from vlan16:network
 +
pass out on vlan17 from vlan17:network
 +
pass out on vlan18 from vlan18:network
 +
pass out on vlan19 from vlan19:network
 +
pass out on vlan20 from vlan20:network
 +
 
 +
# Allow outgoing traffic from/to VLAN 10, VLAN20
 +
 
 +
intervlan_interfaces = "{vlan10 vlan20}"
 +
intervlan_network = "{vlan10:network vlan20:network}"
 +
 
 +
pass out on $intervlan_interfaces from $intervlan_network
 +
 
 +
pass out on $int_if from vlan20:network
 +
pass out on vlan20 from $int_if:network
  
 
</pre>
 
</pre>
 +
[[Category:Network]]
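Review bot: The "Prioritize ACK states" rule in the new Putgraaf ruleset, `pass in on $ext_if inet proto tcp from any to $ext_if flags S/SA modulate state queue (q_normal, q_ack)`, is a pass rule with no port restriction, and because pf is last-match-wins it supersedes the port-22-only rule directly above it and admits every TCP port on the gateway's WAN address from the Internet. Queue assignment should be done with a match rule that passes nothing by itself, `match in on $ext_if inet proto tcp from any to $ext_if queue (q_normal, q_ack)`, leaving the SSH rule as the only pass. The Pass OUT section of the same ruleset references `queue (q_nomal, q_ack)`, a queue that the altq block does not define, so the file will not load until it reads `q_normal`. The IPv6 rules (`pass in quick on gif0 inet6 all` and, further down, `pass in on $ext_if inet6 proto udp from any to any`) bypass the `block all` default for v6 entirely; a comment stating that this is intended, or per-service rules, would make the policy explicit.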

Latest revision as of 17:26, 18 February 2016

Project: OpenBSD Firewall / PF
Featured:
State Completed
Members Vicarious, PsychiC
Description building a gateway on openbsd

I have dumped the entire config so others can use this as a template for their own PF setup or to shout OMGWTFBBQ u freakin' n00b you should do it like XYZ.

In the latter case either drop me an e-mail (psychic [monkeytailthingie] ackspace [lowerroundthingie] nl), join ACKspace and help out or simply STFU =D


MEUK

Meer devices maken anders breekt DHCP enzo.... gewoon genoeg aanmaken, hier worden er 20 extra bijgemaakt.

`cd /dev;for i in {10..30}; do ./MAKEDEV bpf$i ; done`


Pad toevoegen om packages te downen

export PKG_PATH=http://ftp.bit.nl/mirror/OpenBSD/5.0/packages/i386/

zet in ~/.profile


/etc/mygate is default gateway



RULESDUMP 26-November-2102 Namen etc verwijderd :)

GW2 (GW1 = RIP)

# PF Rules ACKspace gateway 2
#
# Macro definitions: the interfaces and addresses referenced by the rules
# that follow.  List macros use commas as separators; pf accepts commas or
# whitespace inside "{ }".


############################
### Macros / Definitions ###
############################

## Interfaces ##

# Upstream (WAN) interface
ext_if = "fxp0"

# Wired LAN interface
int_if = "fxp1"

# VLAN sub-interfaces filtered by this gateway.  vlan30 and vlan33 are
# deliberately left out (their pass-out rules are commented out further down).
vlan_if = "{ vlan10, vlan11, vlan12, vlan13, vlan14, vlan15, vlan16, vlan17, vlan18, vlan19, \
vlan20, vlan21, vlan22, vlan23, vlan24, vlan25, vlan26, vlan27, vlan28, vlan29, \
vlan31, vlan32, vlan34, vlan35, vlan36, vlan37, vlan38, vlan39, \
vlan40, vlan41, vlan42, vlan43, vlan44, vlan45, vlan46, vlan47, vlan48, vlan49, \
vlan50, vlan51, vlan52, vlan53, vlan54, vlan55, vlan56, vlan57 }"


## IP addresses ##

# Public address of this gateway on the WAN side.  Hard-coded here; the
# Putgraaf ruleset derives it from the interface instead.
gw2_ext = "213.125.94.212"

# RFC 1918 ranges plus loopback and the limited-broadcast address; consumed
# by the bogon filter on the WAN interface
private_networks = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32, 127.0.0.0/8 }"


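########################
### Default Policies ###
########################

# No filtering on loopback
set skip on lo

# Answer blocked TCP with a RST and blocked UDP with ICMP unreachable
# (other protocols are dropped silently) so clients fail fast
set block-policy return

# Default deny in both directions: anything not matched by a later pass rule
# is blocked.  Logged to pflog0 so blocked traffic can be inspected with
# tcpdump on pflog0 (the earlier revision of this ruleset logged blocks too).
block log all


#######################
### Cleanup Packets ###
#######################

# Reassemble IP fragments before the rules see them
set reassemble yes

# Clamp the TCP MSS of incoming packets to 1472 (confirm this matches the
# WAN link MTU) and randomise the IP ID of outgoing packets
match in all scrub (max-mss 1472)
match out all scrub (random-id)

# Drop packets that claim a source on the WAN interface's network but arrive
# elsewhere, or that claim the gateway's own WAN address; IPv4 only
antispoof quick for { $ext_if } inet

# Bogon filtering on the WAN interface: no return route, limited broadcast,
# and private/loopback ranges in either direction.  The last rule answers
# with a reset/unreachable instead of dropping silently.
block in quick on $ext_if from no-route to any
block in quick on $ext_if from any to 255.255.255.255
block in quick on $ext_if from any to $private_networks
block in quick on $ext_if from $private_networks to any
block return out quick on $ext_if from any to $private_networks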


############
### NAT ####
############

# Source-NAT everything leaving the WAN interface to the gateway's public
# address.  "from any" also rewrites packets the gateway itself originates
# on the WAN; the Putgraaf ruleset below narrows this with
# "from !($ext_if:network)".
match out on $ext_if from any to any nat-to $gw2_ext


#####################
### SPECIAL rules ###
#####################

# Active/passive FTP through ftp-proxy(8): the proxy installs its own rules
# in the anchor, and FTP control connections (port 21) from the wired LAN
# are redirected to the proxy on 127.0.0.1:8021.  Assumes ftp-proxy is
# running.  Only $int_if is covered; FTP from the VLAN interfaces is not
# proxied.
anchor "ftp-proxy/*"
pass in quick on $int_if proto tcp from any to port 21 rdr-to 127.0.0.1 port 8021


######################
### Pass IN rules  ###
######################

# Inbound GRE on the WAN interface (the data channel that goes with the
# port 1723 VPN redirect below).  "keep state" is the default for pass
# rules anyway.
pass in on $ext_if proto gre all keep state

# SSH and ICMP echo to the gateway's public address.  SSH is reachable from
# the whole Internet with no connection-rate limit; pf's
# "keep state (max-src-conn-rate ..., overload ... flush global)" state
# options, combined with a block rule on the overload table, would limit
# password-guessing traffic.
pass in on $ext_if inet proto tcp from any to $gw2_ext port 22
pass in on $ext_if inet proto icmp from any to $gw2_ext icmp-type echoreq

# Everything arriving on the wired LAN interface is allowed (any protocol,
# any destination)
pass in on $int_if

# Everything arriving on any VLAN interface is allowed; isolation between
# VLANs is enforced by the pass-out rules, not here
pass in on $vlan_if


######################
### Redirect rules ###
######################


### VPN ###

# Forward the VPN ports on the public address to the VPN host 10.0.10.101.
# With no "port" after rdr-to the original destination port is preserved.
# 1723/tcp is PPTP control (its GRE data channel is passed in the Pass IN
# section), 500/udp is IKE, 1701/udp is L2TP.
# NOTE(review): 5500/udp is unusual -- IPsec NAT-T uses 4500/udp; confirm
# 5500 is really what the VPN host listens on.

pass in on $ext_if inet proto tcp from any to $gw2_ext port 1723 rdr-to 10.0.10.101
pass in on $ext_if inet proto udp from any to $gw2_ext port 500 rdr-to 10.0.10.101
pass in on $ext_if inet proto udp from any to $gw2_ext port 5500 rdr-to 10.0.10.101
pass in on $ext_if inet proto udp from any to $gw2_ext port 1701 rdr-to 10.0.10.101

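######################
### Pass OUT rules ###
######################

# Outbound on the WAN from any source (NATed clients and the gateway
# itself).  "modulate state" randomises TCP initial sequence numbers and
# acts as plain "keep state" for the non-TCP protocols in the list.  GRE is
# included here, so no separate pass-out rule for the VPN is needed.
# pass out on $ext_if from any
pass out on $ext_if proto { tcp udp icmp esp gre } from any modulate state


# The wired LAN may only be reached from the LAN itself
pass out on $int_if from $int_if

# Sources outside 10/8 (the Internet side) may be delivered into vlan10,
# vlan50 and vlan57.  Kept as literal rules because the author found the
# macro form not to work; "from any" is deliberately avoided so the other
# VLANs cannot reach these.
pass out on vlan10 from ! 10.0.0.0/8
pass out on vlan50 from ! 10.0.0.0/8
pass out on vlan57 from ! 10.0.0.0/8


# Each VLAN may only be reached from its own network; inter-VLAN traffic is
# blocked by omission.  vlan30 and vlan33 are deliberately disabled.
pass out on vlan10 from vlan10:network
pass out on vlan11 from vlan11:network
pass out on vlan12 from vlan12:network
pass out on vlan13 from vlan13:network
pass out on vlan14 from vlan14:network
pass out on vlan15 from vlan15:network
pass out on vlan16 from vlan16:network
pass out on vlan17 from vlan17:network
pass out on vlan18 from vlan18:network
pass out on vlan19 from vlan19:network
pass out on vlan20 from vlan20:network
pass out on vlan21 from vlan21:network
pass out on vlan22 from vlan22:network
pass out on vlan23 from vlan23:network
pass out on vlan24 from vlan24:network
pass out on vlan25 from vlan25:network
pass out on vlan26 from vlan26:network
pass out on vlan27 from vlan27:network
pass out on vlan28 from vlan28:network
pass out on vlan29 from vlan29:network
# pass out on vlan30 from vlan30:network ()
pass out on vlan31 from vlan31:network
pass out on vlan32 from vlan32:network
# pass out on vlan33 from vlan33:network ()
pass out on vlan34 from vlan34:network
pass out on vlan35 from vlan35:network
pass out on vlan36 from vlan36:network
pass out on vlan37 from vlan37:network
pass out on vlan38 from vlan38:network
pass out on vlan39 from vlan39:network
pass out on vlan40 from vlan40:network
pass out on vlan41 from vlan41:network
pass out on vlan42 from vlan42:network
pass out on vlan43 from vlan43:network
pass out on vlan44 from vlan44:network
pass out on vlan45 from vlan45:network
pass out on vlan46 from vlan46:network
pass out on vlan47 from vlan47:network
pass out on vlan48 from vlan48:network
pass out on vlan49 from vlan49:network
pass out on vlan50 from vlan50:network
pass out on vlan51 from vlan51:network
pass out on vlan52 from vlan52:network
pass out on vlan53 from vlan53:network
pass out on vlan54 from vlan54:network
pass out on vlan55 from vlan55:network
pass out on vlan56 from vlan56:network
pass out on vlan57 from vlan57:network

# VLANs 50-55 and 57 may reach each other.
# NOTE(review): intervlan_network lists vlan56:network although vlan56 is
# not in intervlan_interfaces, so hosts on vlan56 can open connections into
# this group while the group cannot reach vlan56.  If that asymmetry is not
# intended, drop vlan56:network from the list (or add vlan56 to both).

intervlan_interfaces = "{vlan50 vlan51 vlan52 vlan53 vlan54 vlan55 vlan57}"
intervlan_network = "{vlan50:network vlan51:network vlan52:network vlan53:network vlan54:network vlan55:network vlan56:network vlan57:network}"

pass out on $intervlan_interfaces from $intervlan_network

# The former "VPN TEST" rules (pass in/out GRE on $ext_if) were exact
# duplicates of the GRE pass-in rule in the Pass IN section and of the
# pass-out rule at the top of this section, and have been dropped.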


PUTGRAAF


# PF Rules ACKspace gateway Putgraaf
#
# Macro definitions used by the rules that follow.  The WAN address is taken
# from the interface when the ruleset is loaded instead of being hard-coded.
# List macros use commas as separators; pf accepts commas or whitespace
# inside "{ }".


############################
### Macros / Definitions ###
############################

## Interfaces ##

# Upstream (WAN) interface
ext_if = "em0"

# Wired LAN interface
int_if = "em1"

# VLAN sub-interfaces filtered by this gateway
vlan_if = "{ vlan10, vlan11, vlan12, vlan13, vlan14, vlan15, vlan16, vlan17, vlan18, vlan19, vlan20 }"


## IP addresses ##

# WAN address: the interface's primary (non-alias) address, resolved when
# the ruleset is loaded
gw_ext = $ext_if:0

# RFC 1918 ranges plus loopback and the limited-broadcast address; consumed
# by the bogon filter on the WAN interface
private_networks = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32, 127.0.0.0/8 }"



####
# IPV6
####


# Inbound IPv6: encapsulated traffic (IP protocol 41, "ipv6") is accepted
# on the WAN interface, and everything arriving on gif0 (presumably the
# tunnel endpoint) is passed unconditionally.  Both rules are "quick", so
# they win over the "block all" default below: the IPv6 side has no
# default deny.
# NOTE(review): confirm this is intended; per-service rules of the form
# "pass in on gif0 inet6 proto tcp to <host> port <port>" plus the stateful
# pass-out rules below would restore default deny for v6.
pass in quick on $ext_if inet proto ipv6 keep state
pass in quick on gif0 inet6 all

# Outbound IPv6: encapsulated onto the WAN, native onto the tunnel and onto
# vlan10/vlan20 (the only VLANs with an IPv6 pass-out rule)
pass out quick on $ext_if inet proto ipv6 keep state
pass out quick on gif0 inet6 all keep state
pass out quick on vlan20 inet6 all keep state
pass out quick on vlan10 inet6 all keep state



########################
### Priority         ###
########################

# ALTQ priority queueing on the WAN link at 10 Mbit/s.  A higher number is
# served first; q_normal is the default queue for traffic without an
# explicit "queue (...)" assignment.  q_dns, q_ssh and q_bittorrent are
# defined but not referenced by any rule in this ruleset.
# NOTE(review): OpenBSD 5.5 introduced the replacement queueing system and
# later releases dropped ALTQ, so this block only loads on older releases.
altq on $ext_if priq bandwidth 10000Kb queue { q_ack, q_dns, q_ssh, q_web, q_normal, q_bittorrent }
queue q_ack priority 7
queue q_dns priority 6
queue q_ssh priority 5
queue q_web priority 4
queue q_normal priority 1 priq(default)
queue q_bittorrent priority 0


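########################
### Default Policies ###
########################

# No filtering on loopback
set skip on lo

# Answer blocked TCP with a RST and blocked UDP with ICMP unreachable
# (other protocols are dropped silently) so clients fail fast
set block-policy return

# Default deny in both directions: anything not matched by a later pass rule
# is blocked.  Logged to pflog0 so blocked traffic can be inspected with
# tcpdump on pflog0.  Note that the IPv6 "quick" rules above are evaluated
# first and are not subject to this default.
block log all


#######################
### Cleanup Packets ###
#######################

# Reassemble IP fragments before the rules see them
set reassemble yes

# Clamp the TCP MSS of incoming packets to 1472 (confirm this matches the
# WAN link MTU) and randomise the IP ID of outgoing packets
match in all scrub (max-mss 1472)
match out all scrub (random-id)

# Drop packets that claim a source on the WAN interface's network but arrive
# elsewhere, or that claim the gateway's own WAN address; IPv4 only
antispoof quick for { $ext_if } inet

# Bogon filtering on the WAN interface: no return route, limited broadcast,
# and private/loopback ranges in either direction.  The last rule answers
# with a reset/unreachable instead of dropping silently.
block in quick on $ext_if from no-route to any
block in quick on $ext_if from any to 255.255.255.255
block in quick on $ext_if from any to $private_networks
block in quick on $ext_if from $private_networks to any
block return out quick on $ext_if from any to $private_networks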


############
### NAT ####
############

# Source-NAT IPv4 traffic leaving the WAN interface to the gateway's WAN
# address, except packets already sourced from the WAN interface's own
# network (the gateway's own WAN traffic is not rewritten).  The
# parentheses make pf re-resolve the network if the interface address
# changes.
match out on $ext_if inet from !($ext_if:network) to any nat-to $gw_ext


#####################
### SPECIAL rules ###
#####################

# Active/passive FTP through ftp-proxy(8): the proxy installs its own rules
# in the anchor, and FTP control connections (port 21) from the wired LAN
# are redirected to the proxy on 127.0.0.1:8021.  Assumes ftp-proxy is
# running.  Only $int_if is covered; FTP from the VLAN interfaces is not
# proxied.
anchor "ftp-proxy/*"
pass in quick on $int_if proto tcp from any to port 21 rdr-to 127.0.0.1 port 8021


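######################
### Pass IN rules  ###
######################

# SSH and ICMP echo to the gateway's WAN address.  SSH is queued in q_ssh
# (defined in the Priority section but previously unused) with ACKs in
# q_ack.
pass in on $ext_if inet proto tcp from any to $gw_ext port 22 modulate state queue (q_ssh, q_ack)
pass in on $ext_if inet proto icmp from any to $gw_ext icmp-type echoreq

# Queue assignment for inbound TCP to the gateway's WAN address(es): bulk in
# q_normal, ACKs in q_ack.  This used to be a "pass in ... to $ext_if" rule
# with no port; since pf is last-match-wins that rule superseded the
# port-22-only rule above and admitted every TCP port on the gateway from
# the Internet.  A match rule only sets the queue on whatever state a later
# pass rule creates and passes nothing by itself.
match in on $ext_if inet proto tcp from any to $ext_if queue (q_normal, q_ack)


# Everything arriving on the wired LAN interface is allowed
pass in on $int_if

# Everything arriving on any VLAN interface is allowed; isolation between
# VLANs is enforced by the pass-out rules, not here
pass in on $vlan_if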


######################
### Redirect rules ###
######################

# Port forwards from the gateway's WAN address to hosts on the internal
# networks.  Each forward is a pass rule with rdr-to; where no port follows
# rdr-to the original destination port is kept.  None of these carry
# "quick" unless noted, so they are last-match-wins against the other
# pass-in rules.
# NOTE(review): the camera and ZoneMinder web interfaces below are reachable
# from any Internet source over plain HTTP; consider restricting the source
# or reaching them through the VPN instead.



## ACKspace CAM /  10.1.10.253
#
# TCP port 25380 to port 80 (HTTP)
 pass in on $ext_if proto tcp from any to $gw_ext port 25380 rdr-to 10.1.10.253 port 80
##

## ACKspace CAM2 / 10.1.10.252
#
# TCP port 25280 to port 80 (HTTP)
 pass in on $ext_if proto tcp from any to $gw_ext port 25280 rdr-to 10.1.10.252 port 80
##

## ACKspace ZoneMinder / 10.1.10.119
#
# TCP port 11980 to port 80 (HTTP)
 pass in on $ext_if proto tcp from any to $gw_ext port 11980 rdr-to 10.1.10.119 port 80
##

## VM Debian OpenVPN / 10.1.20.13
#
# TCP port 13022 to port 22 (SSH)
  pass in on $ext_if inet proto tcp from any to $gw_ext port 13022 rdr-to 10.1.20.13 port 22
# TCP port 13443 to port 443(VPN TUNNEL TCP)
  pass in on $ext_if inet proto tcp from any to $gw_ext port 13443 rdr-to 10.1.20.13 port 443
# TCP port 443 (HTTPS / VPN TUNNEL TCP); destination port kept by rdr-to
  pass in on $ext_if inet proto tcp from any to $gw_ext port 443 rdr-to 10.1.20.13
# UDP port 1194 (OpenVPN / VPN TUNNEL UDP); destination port kept by rdr-to
  pass in on $ext_if inet proto udp from any to $gw_ext port 1194 rdr-to 10.1.20.13
##

## Mailman / 10.1.20.19
#
# TCP port 25 to port 25 (SMTP)
  pass in on $ext_if inet proto tcp from any to $gw_ext port 25 rdr-to 10.1.20.19 port 25
# TCP port 19080 to port 80 (HTTP)
  pass in on $ext_if inet proto tcp from any to $gw_ext port 19080 rdr-to 10.1.20.19 port 80


## Gforge / 10.1.20.20
#
# TCP port 20080 to port 20080 (HTTP)
  pass in on $ext_if inet proto tcp from any to $gw_ext port 20080 rdr-to 10.1.20.20 port 20080

# NOTE(review): the two rules below pass *all* inbound UDP over IPv6 on the
# WAN and tunnel interfaces.  They are not tied to any of the forwards in
# this section, and the "pass in quick on gif0 inet6 all" rule in the IPV6
# section already covers gif0.  Confirm they are still needed; as written
# every UDP service behind the IPv6 tunnel is reachable.
pass in on $ext_if inet6 proto udp from any to  any
pass in on gif0 inet6 proto udp from any to any



## VM Debian / 10.1.20.22
#
# TCP port 22022 to port 22 (SSH)
  pass in on $ext_if inet proto tcp from any to $gw_ext port 22022 rdr-to 10.1.20.22 port 22


## Playstation / 10.1.10.230
#
# Everything in this block is disabled (kept for reference only): neither
# the static-port NAT nor the per-port forwards are active.

# match out log on $ext_if from !10.1.10.230 to any received-on $int_if tag EGRESS nat-to ($ext_if:0)
# match out log on $ext_if from 10.1.10.230 to any received-on $int_if tag EGRESS nat-to ($ext_if:0) static-port
# pass out quick on $ext_if from 10.1.10.230
# pass in quick on $ext_if inet proto { tcp udp } from 198.107.156.152 to $gw_ext rdr-to 10.1.10.230

#pass in quick on $ext_if inet proto tcp from any to $gw_ext port 1723 rdr-to 10.1.11.103 port 1723

# TCP + UDP port 3478,3479,3658,5223,9293 (disabled)
#pass in quick on $ext_if inet proto { tcp udp } from any to $gw_ext port 3074 rdr-to 10.1.10.126 port 3074
#ass in quick on $ext_if inet proto { tcp udp } from any to $gw_ext port 3478 rdr-to 10.1.10.126 port 3478
#ass in quick on $ext_if inet proto { tcp udp } from any to $gw_ext port 3479 rdr-to 10.1.10.126 port 3479
#ass in quick on $ext_if inet proto { tcp udp } from any to $gw_ext port 3658 rdr-to 10.1.10.126 port 3658
#ass in quick on $ext_if inet proto { tcp udp } from any to $gw_ext port 5223 rdr-to 10.1.10.126 port 5223
#ass in quick on $ext_if inet proto { tcp udp } from any to $gw_ext port 9293 rdr-to 10.1.10.126 port 9293

##  Xbox 360 / 10.1.15.1
#
# TCP + UDP port 3074, UDP port 88.  These two are "quick", so they take
# effect regardless of any later pass-in rule.
pass in quick on $ext_if inet proto { tcp udp } from any to $gw_ext port 3074 rdr-to 10.1.15.1 port 3074
pass in quick on $ext_if inet proto udp from any to $gw_ext port 88 rdr-to 10.1.15.1 port 88

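######################
### Pass OUT rules ###
######################

# Outbound on the WAN from any source (NATed clients and the gateway
# itself).  "modulate state" randomises TCP initial sequence numbers and
# acts as plain "keep state" for the other protocols in the list.
pass out on $ext_if proto { tcp udp icmp esp gre } from any modulate state

# Queues for TCP connections the gateway itself opens on the WAN: bulk in
# q_normal, HTTP/HTTPS in q_web, ACKs in q_ack.  The first rule used to
# reference "q_nomal" (typo), a queue the Priority section does not define,
# which pf refuses and so the whole ruleset failed to load; it now names
# q_normal.
pass out on $ext_if proto tcp from $ext_if to any flags S/SA modulate state queue (q_normal, q_ack)
pass out on $ext_if proto tcp from $ext_if to any port { 80, 443 } flags S/SA modulate state queue (q_web, q_ack)

# The wired LAN may only be reached from the LAN itself
pass out on $int_if from $int_if

# Sources outside 10/8 (the Internet side, i.e. NAT replies and forwarded
# connections) may be delivered into vlan10 and vlan20.  Kept as literal
# rules because the author found the macro form not to work.
# NOTE(review): 10.1.0.0/8 has host bits set under an 8-bit mask; pf masks
# both sides, so this behaves as 10.0.0.0/8 (as in the GW2 ruleset).  Write
# it that way to avoid the impression that only 10.1.x.x is excluded.
pass out on vlan10 from ! 10.1.0.0/8
pass out on vlan20 from ! 10.1.0.0/8

# Each VLAN may only be reached from its own network; inter-VLAN traffic is
# blocked by omission
pass out on vlan10 from vlan10:network
pass out on vlan11 from vlan11:network
pass out on vlan12 from vlan12:network
pass out on vlan13 from vlan13:network
pass out on vlan14 from vlan14:network
pass out on vlan15 from vlan15:network
pass out on vlan16 from vlan16:network
pass out on vlan17 from vlan17:network
pass out on vlan18 from vlan18:network
pass out on vlan19 from vlan19:network
pass out on vlan20 from vlan20:network

# vlan10 and vlan20 may reach each other

intervlan_interfaces = "{vlan10 vlan20}"
intervlan_network = "{vlan10:network vlan20:network}"

pass out on $intervlan_interfaces from $intervlan_network

# vlan20 and the wired LAN may reach each other
pass out on $int_if from vlan20:network
pass out on vlan20 from $int_if:network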