View Single Post
Old 18th December 2013
capt_cosmo capt_cosmo is offline
New User
 
Join Date: Dec 2013
Posts: 9
Default

jggimi, this is the head revision of my script:

Code:
# interfaces
if_lan="vr0"
if_wlan="vr2"

if_wan="pppoe0"
if_wan_bandwith="1400Kb"

# tables
table <private_nets> const { 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# qos definitions
que_low_ports = "{ http, https, 8080, smtp, smtps, 6881:6889 }"
que_int_ports_tcp = "{ ssh, 5060, 5061,  5190,  5222, 5223, irc, 3478, 3479, 3480, 5223 }"
que_int_ports_udp = "{ 5060, 5061,  3478, 3479 }"

# allow lo communication
set skip on lo
set block-policy drop

# scrubbing
match in all scrub (no-df random-id)
match out on $if_wan all scrub (random-id)
match on $if_wan scrub (max-mss 1440)

# qos
altq on $if_wan priq bandwidth $if_wan_bandwith queue { que_low, que_def, que_int, que_dns, que_ack }

queue que_low priq(default) qlimit 80
queue que_def priority 2 
queue que_int priority 4 priq(red)
queue que_dns priority 5 qlimit 25
queue que_ack priority 6 

# nat (use "static-port" for crappy Playstation Network)
match out on $if_wan inet from { $if_lan:network, $if_wlan:network } to any nat-to ($if_wan) static-port

# filtering
# block all packets
block log all

# enable spoofing protection
antispoof quick for { lo $if_wan $if_lan $if_wlan }

# reject ipv6
block quick on $if_wan inet6 all

# block private addresses on external interfaces
block drop in  quick on $if_wan from <private_nets>
block drop out quick on $if_wan to   <private_nets>

# qos: fill queues 
pass out quick on $if_wan proto tcp to port $que_low_ports queue (que_low, que_ack)
pass out quick on $if_wan proto tcp to port $que_int_ports_tcp queue (que_int, que_ack)
pass out quick on $if_wan proto udp to port $que_int_ports_udp queue (que_int, que_ack)
pass out quick on $if_wan proto { tcp, udp } to port domain queue (que_dns, que_ack)
pass out quick on $if_wan queue (que_def, que_ack)

# allow output
# I guess this is point where I'm starting to mess up
pass out quick 

# allow services
# allow ssh from if_lan
pass in quick on $if_lan proto tcp from $if_lan:network to $if_lan port ssh

# allow dhcp from if_wlan
pass in quick on $if_wlan proto { tcp, udp } from $if_wlan:network to $if_wlan port 67 
pass in quick on $if_wlan proto { tcp, udp } from $if_wlan:network to $if_wlan port 68

# block any -> lan
# explicitely blocking something seems absurd to me...
block in quick to $if_lan:network

# block wlan -> wlan
block in quick from $if_wlan:network to $if_wlan:network

# pass lan -> any
# if I disable comment this rule, there's no connection to the internet from if_lan
pass in quick on $if_lan from $if_lan:network

# pass wlan -> any 
# if I disable comment this rule, there's no connection to the internet from if_wlan
pass in quick on $if_wlan from $if_wlan:network
Thank you for your suggestions and your efforts!
Reply With Quote