Hello everyone! I'm new to this forum, but I've been using OpenBSD for some months now.
I wanted to present my PF configuration to the OP, but also to the members of this forum, for comments basically, if any.
I don't consider the configuration to be very paranoid, but I believe it provides good functionality with some strict rules.
If anything seems abnormal, please give an alternative solution.
You will notice I am using sshguard too; it can be found in OpenBSD packages.
Code:
services="{ 80, 443, 3689 }"
# don't filter on the loopback interface
set skip on lo0
# scrub incoming packets
match in all scrub (no-df)
# setup a default deny policy for incoming connections
block all
pass out quick modulate state
# activate spoofing protection for all interfaces
block in quick from urpf-failed
# sshguard rules
table <sshguard> persist
block in quick on egress proto tcp from <sshguard> to (egress) port ssh label "ssh bruteforce"
# open ssh port - protect ssh server from bruteforce attacks (actual offenders will be picked up by sshguard)
pass in on egress proto tcp from any to (egress) port ssh synproxy state (max-src-conn 15, max-src-conn-rate 5/3)
# open ports for services - protect services from abusive hosts
pass in on egress proto tcp from any to (egress) port $services synproxy state (max-src-conn 100, max-src-conn-rate 15/5)
# allow IGMP traffic with IP options from the router
pass in quick on egress proto igmp from X.X.X.X to 224.0.0.0/4 allow-opts
# by default, do not permit remote connections to X11
block in on ! lo0 proto tcp to port 6000:6010
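To show how pf resolves this ruleset (last matching rule wins, except that a matching `quick` rule ends the search immediately), here is an added Python model of the evaluation; it is not pf and not part of the post, it only models direction, protocol, destination port and source table, and the table entry and test addresses are constructed values.

```python
from __future__ import annotations
from collections import namedtuple
from dataclasses import dataclass

# Simplified model of pf rule evaluation: rules are checked top to bottom and the
# LAST matching rule wins, unless a matching rule carries "quick", which ends the
# search at once. Only what the post's ruleset needs is modelled (direction, proto,
# destination port, source table); state, scrub, synproxy, rate limits and urpf are not.

@dataclass
class Rule:
    action: str                     # "block" or "pass"
    label: str
    quick: bool = False
    direction: str | None = None    # "in", "out" or None for any direction
    proto: str | None = None
    ports: set[int] | None = None   # destination ports, None for any port
    src_table: str | None = None    # source address must be in this table

Packet = namedtuple("Packet", "direction proto src dport")

def matches(rule: Rule, pkt: Packet, tables: dict[str, set[str]]) -> bool:
    return (rule.direction in (None, pkt.direction)
            and rule.proto in (None, pkt.proto)
            and (rule.ports is None or pkt.dport in rule.ports)
            and (rule.src_table is None or pkt.src in tables.get(rule.src_table, set())))

def evaluate(rules: list[Rule], pkt: Packet, tables: dict[str, set[str]]) -> tuple[str, str]:
    """Return (action, label) of the winning rule; nothing matching means block."""
    winner = None
    for rule in rules:
        if matches(rule, pkt, tables):
            winner = rule
            if rule.quick:          # "quick": stop at the first such match
                break
    return (winner.action, winner.label) if winner else ("block", "default")

# The post's ruleset, in order, reduced to what the model can express.
RULESET = [
    Rule("block", "block all"),
    Rule("pass", "pass out", quick=True, direction="out"),
    Rule("block", "ssh bruteforce", quick=True, direction="in", proto="tcp", ports={22}, src_table="sshguard"),
    Rule("pass", "ssh", direction="in", proto="tcp", ports={22}),
    Rule("pass", "services", direction="in", proto="tcp", ports={80, 443, 3689}),
    Rule("block", "x11", direction="in", proto="tcp", ports=set(range(6000, 6011))),
]
TABLES = {"sshguard": {"198.51.100.7"}}   # constructed table contents (TEST-NET-2 address)

def decide(src: str, dport: int, direction: str = "in", proto: str = "tcp") -> tuple[str, str]:
    return evaluate(RULESET, Packet(direction, proto, src, dport), TABLES)
```

Because the sshguard block carries `quick`, a listed source is rejected before the later `pass ... port ssh` rule is considered, which is why its position ahead of the pass rule matters.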