-
Notifications
You must be signed in to change notification settings - Fork 0
/
pf.conf
45 lines (35 loc) · 1.6 KB
/
pf.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
# $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf
mylan = "em1"
### Macros ###
icmp6_types="{ 1,2,128, timex,paramprob }" # 1 unreach,2 packet too big,128 echo request
icmp6_types_ext="{ 1, 2, 128, 133, 134, 135, 136, 137 }" # 133 route sol, 134 route adv, 135 ndp sol, 136 ndp adv, 137 redirect
udp6_ext_in="{ 546 }" # 546 dhcpv6-client
table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/26 \
172.16.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 \
203.0.113.0/24 }
set block-policy drop
set loginterface egress
set skip on lo0
match in all scrub (no-df random-id max-mss 1440)
match out on egress inet from !(egress:network) to any nat-to (egress:0)
antispoof quick for { egress $mylan }
block in quick on egress from <martians> to any
block return out quick on egress from any to <martians>
block all
pass quick on egress inet6 proto ipv6-icmp icmp6-type $icmp6_types
pass in quick on egress inet6 proto ipv6-icmp from any to any icmp6-type $icmp6_types_ext
pass in quick on egress inet6 proto udp from any to any port $udp6_ext_in
pass proto ipv6-icmp from any to any
pass out quick inet
pass out quick inet6
pass in on { $mylan } inet
pass in on { $mylan } inet6
#block return # block stateless traffic
#pass # establish keep-state
# By default, do not permit remote connections to X11
#block return in on ! lo0 proto tcp to port 6000:6010
# Port build user does not need network
#block return out log proto {tcp udp} user _pbuil