
/etc/rc.conf is untouched from the 5.2 distribution; the other relevant files are:

# cat /etc/hostname.pppoe0
# PPPoE session over vr1 using PAP; authname/authkey are the ISP credentials.
# The password is stored in clear text here, so the file must stay readable
# by root only -- TODO confirm its mode/owner with ls -l.
inet 0.0.0.0 255.255.255.255 NONE \
        pppoedev vr1 authproto pap \
        authname 'xxxxxx' authkey 'authkey' up
# 0.0.0.1 is presumably a placeholder for the peer; the ifconfig output below
# shows the negotiated peer address once the session is up.
dest 0.0.0.1
# Default route through the tunnel, using the same placeholder gateway.
!/sbin/route add default -ifp pppoe0 0.0.0.1

# cat /etc/hostname.vr0
# LAN side ($IntIf in pf.conf): static address on 192.168.200.0/24.
inet 192.168.200.245 255.255.255.0

# cat /etc/hostname.vr1
# Carrier Ethernet for pppoe0 (pppoedev vr1): no IP address, only brought up.
up

# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33196
        priority: 0
        groups: lo
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
        inet 127.0.0.1 netmask 0xff000000
vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:24:c9:57:38
        priority: 0
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.200.245 netmask 0xffffff00 broadcast 192.168.200.255
        inet6 fe80::200:24ff:fec9:5738%vr0 prefixlen 64 scopeid 0x1
vr1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:24:c9:57:39
        priority: 0
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::200:24ff:fec9:5739%vr1 prefixlen 64 scopeid 0x2
pppoe0: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1492
        priority: 0
        dev: vr1 state: session
        sid: 0x6 PADI retries: 0 PADR retries: 0 time: 08:43:03
        sppp: phase network authproto pap authname "xxxxxx"
        groups: pppoe egress
        status: active
        inet6 fe80::200:24ff:fec9:5738%pppoe0 ->  prefixlen 64 scopeid 0x7
        inet [my ext IP] --> [PPP Peer] netmask 0xffffffff
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33196
        priority: 0
        groups: pflog
       
        
# cat /etc/rc.conf.local
# Extra syslog sockets, presumably for the postfix and unbound chroots
syslogd_flags="-a /var/spool/postfix/dev/log  -a /var/unbound/dev/log"
# Disable sendmail
sendmail_flags="NO"
# -s: let ntpd set the clock at startup
ntpd_flags="-s"
# Start on boot
pkg_scripts="postfix sshguard unbound"
/etc/pf.conf

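## Interfaces ##
## pf.conf for an OpenBSD 5.2 PPPoE gateway: pppoe0 is the public side,
## vr0 the LAN, tun0 the OpenVPN tunnel.  Check with "pfctl -nf /etc/pf.conf"
## before loading; an undefined macro or bad syntax leaves the old ruleset in place.

ExtIf = "pppoe0"
IntIf = "vr0"
VpnIf = "tun0"
PbxHost = "192.168.200.42"
MxHost = "192.168.200.41"
WebHost = "192.168.200.44"
# Remote SIP trunk address; only this peer may reach the PBX signalling ports.
PbxPeer = "[sip peer addr]"

### Queues, States and Types ###
IcmpType ="icmp-type 8 code 0"
IcmpMTUd ="icmp-type 3 code 4"
SshQueue ="(ssh_bulk, ssh_login)"
#SynState ="flags S/SA synproxy state"
TcpState ="flags S/SA modulate state"
UdpState ="keep state"

### Ports ###
FtpPort ="8021"
SshPort ="8022"
OpenVPNPort ="1194"
RtpPorts = "16384:32768"

### Stateful Tracking Options (STO) ###
FtpSTO   ="(tcp.established 7200)"
ExtIfSTO ="(max 9000, source-track rule, max-src-conn   2000, max-src-nodes 14)"
# Same budget as ExtIfSTO minus max-src-conn, which only counts completed TCP
# handshakes and is meaningless (and may be rejected by pfctl) on udp/icmp rules.
ExtIfNonTcpSTO ="(max 9000, source-track rule, max-src-nodes 14)"
IntIfSTO ="(max 150,  source-track rule, max-src-conn   50,   max-src-nodes 14, max-src-conn-rate 75/20)"
SmtpSTO  ="(max 200,  source-track rule, max-src-states 50,   max-src-nodes 50, max-src-conn-rate 30/10,   overload <BLOCKTEMP> flush global)"
SshSTO   ="(max 5,    source-track rule, max-src-states 5,    max-src-nodes 5,  max-src-conn-rate  5/60)"
WebSTO   ="(max 500,  source-track rule, max-src-states 50,   max-src-nodes 75, max-src-conn-rate 120/100, overload <BLOCKTEMP> flush global)"

### Tables ###
# <SSHGUARD> is presumably filled by sshguard (started from pkg_scripts),
# <BLOCKTEMP> by the overload clauses above, <BLOCKPERM> from a hand-kept file.
table <SSHGUARD> counters persist
table <BLOCKTEMP> counters
table <BLOCKPERM> counters file "/etc/pf_block_permanent"

################ Options ######################################################
### Misc Options
# lo and the VPN tunnel are not filtered at all: VPN clients get the same
# unrestricted access as the LAN below.
set skip on lo
set skip on $VpnIf
set debug urgent
set reassemble yes
set block-policy drop
set loginterface $ExtIf
set state-policy if-bound
set fingerprints "/etc/pf.os"
set ruleset-optimization none

### Timeout Options
set optimization normal
set timeout { tcp.established 600, tcp.closing 60 }

### Block to/from illegal sources/destinations
# The macro is ExtIf; the earlier "$ExtIfs" was undefined, which makes pfctl
# refuse the whole file.  Hosts in the block tables are still allowed to reach
# ssh (governed by <SSHGUARD> and $SshSTO) -- presumably deliberate, so a
# temporary overload cannot lock an admin out; confirm that is intended.
block in     quick on $ExtIf inet proto tcp from <SSHGUARD> to any port ssh label "ssh bruteforce"
block in     quick on $ExtIf inet proto tcp from <BLOCKTEMP> to any port != ssh
block in     quick on $ExtIf inet proto tcp from <BLOCKPERM> to any port != ssh
block in     quick on $ExtIf inet proto udp from <BLOCKTEMP> to any port != ssh
block in     quick on $ExtIf inet proto udp from <BLOCKPERM> to any port != ssh
block in     quick inet proto udp from any to <BLOCKPERM> port != ssh

### BLOCK all in on external interface by default and log
block log on $ExtIf

### Network Address Translation (NAT with outgoing source port randomization)
# SIP from the PBX keeps its source port (static-port) and is tagged EGRESS;
# all other outbound traffic gets a random source port.
match out log on $ExtIf proto tcp from $PbxHost port { 5060, 5080, 5090 } to any received-on $IntIf tag EGRESS nat-to ($ExtIf:0) static-port
match out log on $ExtIf proto udp from $PbxHost port { 5060, 5080, 5090 } to any received-on $IntIf tag EGRESS nat-to ($ExtIf:0) static-port
match out log on $ExtIf from !($ExtIf:network) to any nat-to ($ExtIf:0)

### Packet normalization ( "scrubbing" )
### remove "min-ttl 64" if you need native traceroute functions or just use "traceroute -I" instead
match log on $ExtIf all scrub (random-id min-ttl 64 set-tos reliability reassemble tcp max-mss 1440)

### $ExtIf inbound
# Forwarded services: mail to $MxHost, web to $WebHost.
# $WebSTO is defined above but not applied; add it to the http/https rule if
# the overload/rate limits were meant to protect the web host as well.
pass in log on $ExtIf inet proto tcp from !($ExtIf) to ($ExtIf) port { smtp, 2525 }  $TcpState $SmtpSTO rdr-to $MxHost
pass in log on $ExtIf inet proto tcp from !($ExtIf) to ($ExtIf) port { 993, 465 } $TcpState rdr-to $MxHost
pass in log on $ExtIf inet proto tcp from !($ExtIf) to ($ExtIf) port { https, http } $TcpState rdr-to $WebHost
# Without a "to" clause the "port" keyword matched the SOURCE port, so any
# sender using a port in the range was let in regardless of destination.
# Match the destination port on our own address instead.  RTP is forwarded to
# the PBX like SIP below -- confirm the PBX is the media endpoint.
pass in log on $ExtIf inet proto udp from !($ExtIf) to ($ExtIf) port $RtpPorts $UdpState rdr-to $PbxHost
pass in log on $ExtIf inet proto udp from !($ExtIf) to ($ExtIf) port $OpenVPNPort $UdpState
# $PbxPeer is an address, not an interface; pf only accepts "( )" around
# interface names, so the previous "($PbxPeer)" form does not parse as intended.
pass in log on $ExtIf inet proto tcp from $PbxPeer to ($ExtIf) port { 5060, 5080, 5090 } $TcpState rdr-to $PbxHost
pass in log on $ExtIf inet proto udp from $PbxPeer to ($ExtIf) port { 5060, 5080, 5090 } $UdpState rdr-to $PbxHost

# Services on the gateway itself: rate-limited ssh, echo request, and
# fragmentation-needed for path-MTU discovery.
pass in log on $ExtIf inet proto tcp  from !($ExtIf) to ($ExtIf) port ssh  $TcpState $SshSTO
pass in log on $ExtIf inet proto icmp from !($ExtIf) to ($ExtIf) $IcmpType  $UdpState
pass in log on $ExtIf inet proto icmp from !($ExtIf) to ($ExtIf) $IcmpMTUd  $UdpState

### $ExtIf outbound
# The EGRESS tag is only set by the PBX match rules above, so the tracked
# rules apply to SIP; everything else falls through to the plain pass out.
pass out log on $ExtIf inet proto tcp  from ($ExtIf) to !($ExtIf) $TcpState $ExtIfSTO tagged EGRESS
pass out log on $ExtIf inet proto udp  from ($ExtIf) to !($ExtIf) $UdpState $ExtIfNonTcpSTO tagged EGRESS
pass out log on $ExtIf inet proto icmp from ($ExtIf) to !($ExtIf) $UdpState $ExtIfNonTcpSTO tagged EGRESS
pass out log on $ExtIf from ($ExtIf)

### $IntIf return (TCP reset) and log internal traffic
block return log on $IntIf

### $IntIf inbound
#pass in log on $IntIf inet proto tcp  from  $IntIf:network to !$IntIf port www    $TcpState $ExtIfSTO
# ftp from the LAN is diverted to the local ftp-proxy listening on $FtpPort.
pass in log on $IntIf inet proto tcp  from  $IntIf:network to !$IntIf port ftp    $TcpState $IntIfSTO divert-to 127.0.0.1 port $FtpPort  ##obsd 5.1
# Everything else from the LAN is passed unrestricted.
pass in log on $IntIf

### $IntIf ftp secure proxy for LAN
anchor "ftp-proxy/*" in on $IntIf inet proto tcp

### $IntIf outbound
pass out log on $IntIf

# vr1 only carries the PPPoE frames underneath pppoe0.
pass in log on vr1
pass out log on vr1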