Configure PF Firewall
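## MACROS-----
ext_if="bge0"
set loginterface $ext_if
internet_ports = "{80, 443}"
# PLACEHOLDER: replace with the real admin source address(es).
# The original ruleset referenced $planet_admin without defining it, which
# makes pfctl reject the whole file ("macro 'planet_admin' not defined").
planet_admin = "{ 192.0.2.10 }"
# Table Setup
# /etc/iface_addresses contains the following
# a.b.c.d
# a.b.c.e
table <iface_addresses> persist file "/etc/iface_addresses"
# filled at runtime by the ssh overload rule below; "persist" keeps the
# table and its entries even while no loaded rule references it
table <bruteforce> persist
# set Block Policy option
# "return" answers blocked packets with TCP RST / ICMP unreachable; "drop"
# gives scanners less feedback, so keep "return" only if fast failure for
# legitimate clients matters more than that
set block-policy return
# set Skip Filtering option on localhost
set skip on lo0
scrub in all
antispoof quick for $ext_if inet
# NOTE: antispoof and the icmp rule below are IPv4-only ("inet"); if $ext_if
# carries IPv6, add matching inet6 / icmp6 rules, otherwise the default
# "block in" below also drops neighbor discovery
# block ip addresses contained in bruteforce table
block in log (all, to pflog0) quick on $ext_if from <bruteforce> to any
# block and then log outgoing packets that don't have our address as source
block out log (all, to pflog0) quick on $ext_if from ! <iface_addresses> to any
# block nmap scans: FUP/FUP matches packets with FIN, URG and PSH all set,
# a combination no normal TCP session produces
block in log (all, to pflog0) quick on $ext_if inet proto { tcp, udp } from any to any flags FUP/FUP
# block everything by default
# (deliberately not "quick": pf takes the LAST matching rule, so the pass
# rules below override this for the traffic they match)
block in on $ext_if all
# pass in icmp and keep state
pass in quick on $ext_if inet proto icmp all keep state
# Genuine localhost traffic arrives on lo0, which "set skip on lo0" already
# exempts from filtering; a 127.0.0.1 source seen on $ext_if can only be
# spoofed, so the former "pass in quick ... from 127.0.0.1" rule on the
# external interface was removed rather than kept.
# pass in traffic on internet ports
pass in on $ext_if proto { tcp, udp } from any to <iface_addresses> port $internet_ports flags S/SA keep state
# pass in throttle ssh connection attempts and block their ip if a bruteforce attempt is detected
# max-src-conn 15: at most 15 concurrent connections per source
# max-src-conn-rate 5/3: more than 5 new connections within 3 seconds from
#   one source adds it to <bruteforce>; "flush global" also tears down that
#   source's existing states, not only those created by this rule
pass in quick on $ext_if proto tcp from any to any port ssh \
flags S/SA keep state \
(max-src-conn 15, max-src-conn-rate 5/3, \
overload <bruteforce> flush global)
# allow planet admin ip addresses
# ("keep state" added for consistency with the other pass rules; it is the
# default on current pf anyway)
pass in on $ext_if proto { tcp, udp } from $planet_admin to $ext_if keep state
# keep state on outbound connections made from one of the ip addresses on interface
# prevent sequence number attacks
pass out on $ext_if proto { tcp, udp } all modulate state
# keep state on remaining outbound connections
pass out on $ext_if all keep state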