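# Options
# Loopback is skipped entirely (no filtering, no state tracking).
set skip on lo

# Macros and Tables
# Sources that tripped a max-src-conn / max-src-conn-rate limit below. The
# table is filled at runtime by the overload clauses; `persist` keeps it (and
# its contents) across ruleset reloads.
table <abusive_hosts> persist
{% if firewall_whitelist_enable %}
# Sources that bypass every other inbound rule (see the quick pass rule below).
# NOTE(review): /etc/pf.whitelist must exist when pfctl loads this file, or the
# whole ruleset fails to load.
table <whitelist> persist file "/etc/pf.whitelist"
{% endif %}
# Known-bad hosts from the pf-badhost list; same file-must-exist caveat.
table <pfbadhost> persist file "/etc/pf-badhost.txt"

# Inbound service port lists. An empty `{ }` is a pf syntax error, so each
# macro (and its matching pass rule further down) is only emitted when the
# list is non-empty. A one-element list such as `{ 80 }` is valid pf, so the
# guard is `> 0`, not `> 1` - the previous `> 1` silently emitted no rule for
# a host with exactly one configured service.
# NOTE(review): {{ port }} is interpolated unescaped into pf syntax; these
# lists are treated as trusted inventory data and must not come from an
# untrusted source.
{% if firewall_tcp_services|length > 0 %}
tcp_in = "{ {% for port in firewall_tcp_services %} {{ port }} {% endfor %} }"
{% endif %}

{% if firewall_udp_services|length > 0 %}
udp_in = "{ {% for port in firewall_udp_services %} {{ port }} {% endfor %} }"
{% endif %}

# Rule order matters: pf is last-match-wins, but `quick` stops evaluation at
# the first matching rule. The quick rules are therefore ordered from the most
# specific exception (whitelist) through the blocks that must win over the
# quick passes that follow them.
{% if firewall_whitelist_enable %}
# Whitelisted sources bypass everything below - the pf-badhost and
# <abusive_hosts> blocks, the SSH rate limit and the default block - for every
# port, every protocol and every interface (no `on` clause).
pass in quick from <whitelist>
{% endif %}

block in quick on egress from <pfbadhost>
block out quick on egress to <pfbadhost>

# Must come BEFORE the quick SSH pass rule. In the original order this block
# sat after it, so a source that had been overloaded into <abusive_hosts>
# still matched the quick SSH pass first and the ban never applied to SSH.
# Logged so bans are visible in pflog.
block in quick log from <abusive_hosts>

# Quick rules
# SSH with per-source connection limits. Offenders are added to
# <abusive_hosts>; `flush global` also kills all of their existing states
# (plain `flush` only kills states created by this rule, leaving any other
# sessions from that source up).
pass in quick proto tcp to port ssh flags S/SA keep state \
    (max-src-conn {{ firewall_max_ssh_src_conn }}, \
    max-src-conn-rate {{ firewall_max_ssh_src_conn_rate }}, \
    overload <abusive_hosts> flush global)

# IPv4 echo requests only.
# NOTE(review): there is no inet6 counterpart, so if this host carries IPv6
# addresses the default `block log` below also drops inbound ICMPv6 neighbour
# discovery (neighbrsol/neighbradv/routeradv) and IPv6 reachability will
# likely break - add a `pass in quick inet6 proto icmp6 icmp6-type { ... }`
# rule if IPv6 is in use.
pass in quick inet proto icmp icmp-type echoreq

# Ruleset
# Default policy: drop and log everything not matched by a later (non-quick)
# pass rule or an earlier quick rule - inbound and outbound, all interfaces.
block log
# Unrestricted outbound on the egress interface only; outbound on any other
# interface stays blocked by the default above.
pass out on egress

{% if firewall_tcp_services|length > 0 %}
# Configured TCP services with the same per-source limits and overload
# behaviour as SSH. Not `quick`, so the <abusive_hosts> block above shadows
# it as intended.
pass in proto tcp to port $tcp_in flags S/SA keep state \
    (max-src-conn {{ firewall_max_tcp_src_conn }}, \
    max-src-conn-rate {{ firewall_max_tcp_src_conn_rate }}, \
    overload <abusive_hosts> flush global)
{% endif %}

{% if firewall_udp_services|length > 0 %}
# Configured UDP services. max-src-conn / max-src-conn-rate are TCP-only, so
# there is no per-source limit here; `max-src-states` is the knob that applies
# to UDP if one is wanted.
pass in proto udp to port $udp_in
{% endif %}

# Ansible Ruleset
# Rules managed outside this template. Anchors are evaluated in place: rules
# inside them take part in last-match-wins against the ruleset above but can
# never override the quick rules. NOTE(review): pfctl refuses to load the
# whole ruleset if an anchor file is missing - the role must create both
# files, even if empty.
anchor ansible
load anchor ansible from "/etc/anchors/ansible"

# Custom Rules
anchor custom
load anchor custom from "/etc/anchors/custom"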