/etc/rc.conf is untouched from the 5.2 distribution; the other files are:
# cat /etc/hostname.pppoe0
# /etc/hostname.pppoe0 - PPPoE uplink carried over vr1 (see hostname.vr1), PAP authentication.
# authname/authkey are redacted placeholders in the posted file. Because this file holds the
# PPPoE credentials it must stay readable by root only.
inet 0.0.0.0 255.255.255.255 NONE \
pppoedev vr1 authproto pap \
authname 'xxxxxx' authkey 'authkey' up
# 0.0.0.0/0.0.0.1 are placeholder local/peer addresses; ifconfig shows the negotiated
# pair as "inet [my ext IP] --> [PPP Peer]" once the session is up.
dest 0.0.0.1
# default route pinned to pppoe0 via the placeholder peer address
!/sbin/route add default -ifp pppoe0 0.0.0.1
# cat /etc/hostname.vr0
# /etc/hostname.vr0 - LAN side ($IntIf in pf.conf), static address on 192.168.200.0/24
inet 192.168.200.245 255.255.255.0
# cat /etc/hostname.vr1
# /etc/hostname.vr1 - physical carrier for pppoe0; no IPv4 address is configured, the
# link is only brought up so the PPPoE session can run over it
up
# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33196
priority: 0
groups: lo
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
inet 127.0.0.1 netmask 0xff000000
vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:00:24:c9:57:38
priority: 0
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 192.168.200.245 netmask 0xffffff00 broadcast 192.168.200.255
inet6 fe80::200:24ff:fec9:5738%vr0 prefixlen 64 scopeid 0x1
vr1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:00:24:c9:57:39
priority: 0
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet6 fe80::200:24ff:fec9:5739%vr1 prefixlen 64 scopeid 0x2
pppoe0: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1492
priority: 0
dev: vr1 state: session
sid: 0x6 PADI retries: 0 PADR retries: 0 time: 08:43:03
sppp: phase network authproto pap authname "xxxxxx"
groups: pppoe egress
status: active
inet6 fe80::200:24ff:fec9:5738%pppoe0 -> prefixlen 64 scopeid 0x7
inet [my ext IP] --> [PPP Peer] netmask 0xffffffff
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33196
priority: 0
groups: pflog
# cat /etc/rc.conf.local
# /etc/rc.conf.local - local overrides of /etc/rc.conf (OpenBSD 5.2)

# Package daemons started by the rc.d framework at boot, in this order
pkg_scripts="postfix sshguard unbound"

# Postfix replaces the base-system sendmail, so do not start it
sendmail_flags="NO"

# Let syslogd also listen on the chrooted log sockets of postfix and unbound
syslogd_flags="-a /var/spool/postfix/dev/log -a /var/unbound/dev/log"

# -s: set the clock immediately at startup
ntpd_flags="-s"
/etc/pf.conf
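# /etc/pf.conf - OpenBSD 5.2 border firewall: PPPoE uplink on pppoe0, LAN on vr0,
# OpenVPN on tun0; SMTP/IMAPS/HTTP(S)/SIP are redirected to hosts on the LAN.
# pf evaluates rules top to bottom and the LAST matching rule wins unless a rule
# says "quick" - keep that in mind before reordering anything below.

## Interfaces ##
ExtIf = "pppoe0"
IntIf = "vr0"
# tun0 is excluded from filtering altogether ("set skip" below)
VpnIf = "tun0"
PbxHost = "192.168.200.42"
MxHost = "192.168.200.41"
WebHost = "192.168.200.44"
# redacted in the posted file; the SIP rules only admit this peer
PbxPeer = "[sip peer addr]"

### Queues, States and Types ###
IcmpType = "icmp-type 8 code 0"
IcmpMTUd = "icmp-type 3 code 4"
# SshQueue, SshPort, FtpSTO and WebSTO are defined but not referenced by any rule
SshQueue = "(ssh_bulk, ssh_login)"
#SynState = "flags S/SA synproxy state"
TcpState = "flags S/SA modulate state"
UdpState = "keep state"

### Ports ###
# ftp-proxy listens here (see the divert-to rule on $IntIf)
FtpPort = "8021"
SshPort = "8022"
OpenVPNPort = "1194"
# inclusive UDP port range used for RTP media
RtpPorts = "16384:32768"

### Stateful Tracking Options (STO) ###
FtpSTO = "(tcp.established 7200)"
ExtIfSTO = "(max 9000, source-track rule, max-src-conn 2000, max-src-nodes 14)"
IntIfSTO = "(max 150, source-track rule, max-src-conn 50, max-src-nodes 14, max-src-conn-rate 75/20)"
# SmtpSTO/WebSTO push sources that exceed the rate into <BLOCKTEMP> and flush their states
SmtpSTO = "(max 200, source-track rule, max-src-states 50, max-src-nodes 50, max-src-conn-rate 30/10, overload <BLOCKTEMP> flush global)"
SshSTO = "(max 5, source-track rule, max-src-states 5, max-src-nodes 5, max-src-conn-rate 5/60)"
WebSTO = "(max 500, source-track rule, max-src-states 50, max-src-nodes 75, max-src-conn-rate 120/100, overload <BLOCKTEMP> flush global)"

### Tables ###
# maintained by sshguard
table <SSHGUARD> counters persist
# filled by the "overload" clauses above; pf never ages these entries out by
# itself, so expire them periodically (pfctl -t BLOCKTEMP -T expire <seconds>)
# or the table only ever grows
table <BLOCKTEMP> counters
table <BLOCKPERM> counters file "/etc/pf_block_permanent"

################ Options ######################################################
### Misc Options
set skip on lo
# NOTE: nothing arriving on tun0 is filtered - VPN clients are fully trusted
set skip on $VpnIf
set debug urgent
set reassemble yes
set block-policy drop
set loginterface $ExtIf
set state-policy if-bound
set fingerprints "/etc/pf.os"
set ruleset-optimization none
### Timeout Options
set optimization normal
set timeout { tcp.established 600, tcp.closing 60 }

### Block to/from illegal sources/destinations
# The posted file used "$ExtIfs" in the next five rules; that macro is never
# defined, which makes pfctl reject the whole ruleset. It is "$ExtIf".
block in quick on $ExtIf inet proto tcp from <SSHGUARD> to any port 22 label "ssh bruteforce"
# NOTE: "port != ssh" leaves port 22 reachable from <BLOCKTEMP>/<BLOCKPERM>
# sources; only <SSHGUARD> closes it. Presumably meant to avoid locking the
# admin out after an SMTP/web overload - confirm that is intended.
block in quick on $ExtIf inet proto tcp from <BLOCKTEMP> to any port != ssh
block in quick on $ExtIf inet proto tcp from <BLOCKPERM> to any port != ssh
block in quick on $ExtIf inet proto udp from <BLOCKTEMP> to any port != ssh
block in quick on $ExtIf inet proto udp from <BLOCKPERM> to any port != ssh
# also stop hosts on any interface from sending UDP to permanently blocked addresses
block in quick inet proto udp from any to <BLOCKPERM> port != ssh

### BLOCK all in on external interface by default and log
block log on $ExtIf

### Network Address Translation (NAT with outgoing source port randomization)
# SIP signalling from the PBX keeps its source port (static-port), presumably so
# the peer sees the port the PBX signals; these packets are also tagged EGRESS
match out log on $ExtIf proto tcp from $PbxHost port { 5060, 5080, 5090 } to any received-on $IntIf tag EGRESS nat-to ($ExtIf:0) static-port
match out log on $ExtIf proto udp from $PbxHost port { 5060, 5080, 5090 } to any received-on $IntIf tag EGRESS nat-to ($ExtIf:0) static-port
# everything else is NATed with a random source port
match out log on $ExtIf from !($ExtIf:network) to any nat-to ($ExtIf:0)

### Packet normalization ( "scrubbing" )
### remove "min-ttl 64" if you need native traceroute functions or just use "traceroute -I" instead
match log on $ExtIf all scrub (random-id min-ttl 64 set-tos reliability reassemble tcp max-mss 1440)

### $ExtIf inbound
pass in log on $ExtIf inet proto tcp from !($ExtIf) to ($ExtIf) port { smtp, 2525 } $TcpState $SmtpSTO rdr-to $MxHost
pass in log on $ExtIf inet proto tcp from !($ExtIf) to ($ExtIf) port { 993, 465 } $TcpState rdr-to $MxHost
# $WebSTO looks intended for this rule but is not applied; add it if the
# per-source limits are wanted
pass in log on $ExtIf inet proto tcp from !($ExtIf) to ($ExtIf) port { https, http } $TcpState rdr-to $WebHost
# The posted rules read "from !($ExtIf) port $RtpPorts" / "port $OpenVPNPort":
# after "from" that is the SOURCE port, so any UDP datagram whose source port was
# in the RTP range (or 1194) was passed in to any destination. Both rules now
# match the destination port on our own address instead.
# NOTE: there is no rdr-to $PbxHost for media, so unsolicited RTP ends at the
# firewall itself; check how RTP actually reaches the PBX before relying on this.
pass in log on $ExtIf inet proto udp from !($ExtIf) to ($ExtIf) port $RtpPorts $UdpState
# presumably the OpenVPN endpoint is this host (tun0) - confirm
pass in log on $ExtIf inet proto udp from !($ExtIf) to ($ExtIf) port $OpenVPNPort $UdpState
# SIP signalling is accepted only from the configured peer.
# NOTE: "(name)" in pf means "the addresses of interface name"; if the redacted
# $PbxPeer is an IP address rather than an interface, drop the parentheses.
pass in log on $ExtIf inet proto tcp from ($PbxPeer) to ($ExtIf) port { 5060, 5080, 5090 } $TcpState rdr-to $PbxHost
pass in log on $ExtIf inet proto udp from ($PbxPeer) to ($ExtIf) port { 5060, 5080, 5090 } $UdpState rdr-to $PbxHost
# ssh on port 22 from anywhere, rate-limited by $SshSTO and policed by <SSHGUARD> above
pass in log on $ExtIf inet proto tcp from !($ExtIf) to ($ExtIf) port ssh $TcpState $SshSTO
# echo request and fragmentation-needed (path MTU discovery) only
pass in log on $ExtIf inet proto icmp from !($ExtIf) to ($ExtIf) $IcmpType $UdpState
pass in log on $ExtIf inet proto icmp from !($ExtIf) to ($ExtIf) $IcmpMTUd $UdpState

### $ExtIf outbound
# NOTE: the final "pass out log on $ExtIf from ($ExtIf)" also matches everything
# the three tagged rules match and is evaluated later, so it wins and $ExtIfSTO
# never takes effect. Add "quick" to the tagged rules (or drop them) if the
# limits are meant to apply. Only the SIP match rules above set the EGRESS tag.
pass out log on $ExtIf inet proto tcp from ($ExtIf) to !($ExtIf) $TcpState $ExtIfSTO tagged EGRESS
pass out log on $ExtIf inet proto udp from ($ExtIf) to !($ExtIf) $UdpState $ExtIfSTO tagged EGRESS
pass out log on $ExtIf inet proto icmp from ($ExtIf) to !($ExtIf) $UdpState $ExtIfSTO tagged EGRESS
pass out log on $ExtIf from ($ExtIf)

### $IntIf return (TCP reset) and log internal traffic
block return log on $IntIf

### $IntIf inbound
#pass in log on $IntIf inet proto tcp from $IntIf:network to !$IntIf port www $TcpState $ExtIfSTO
# FTP from the LAN is diverted to ftp-proxy on $FtpPort (divert-to syntax, 5.1+)
pass in log on $IntIf inet proto tcp from $IntIf:network to !$IntIf port ftp $TcpState $IntIfSTO divert-to 127.0.0.1 port $FtpPort ##obsd 5.1
# the LAN is otherwise unrestricted
pass in log on $IntIf

### $IntIf ftp proxy for the LAN
# ftp-proxy(8) installs its per-session rules in this anchor
anchor "ftp-proxy/*" in on $IntIf inet proto tcp

### $IntIf outbound
pass out log on $IntIf

# vr1 is only the PPPoE carrier and carries no IPv4 address (hostname.vr1 is
# just "up"); these two rules are probably unnecessary - confirm what IP
# traffic, if any, is expected on it.
pass in log on vr1
pass out log on vr1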