pantz.org banner
Pf example config file
Posted on 11-03-2005 02:13:00 UTC | Updated on 06-09-2008 17:15:02 UTC
Section: /software/pf/ | Permanent Link

The following file is an example of my OpenBSD's pf configuration file. If you don't know pf is the firewall (packet filter) created by the OpenBSD team. The file is commented pretty well so I'm going to let it speak for itself. Incoming services redirected or local are ssh, http, https, smtp, and pop3s. All are filtered by ip except for http and smtp. Local services are redirected to localhost on which they are listening. This is in case pf gets disabled somehow. If it did the services would not be left unfiltered. They just can't be contacted.

I use HFSC for prioritizing my traffic. Tcp ack's get the highest priority so we don't saturate our download bandwidth. Ssh interactive gets the next priority so there is no lag on typing. Then http and smtp are next in that priority order. Next any other traffic that is not specified goes into the next queue which is the default queue. Next to last is music streaming and then bittorrent is dead last. Bittorrent gets any bandwidth that is leftover from all other queues since they share any unused bandwidth. Higher pritoriy queues pull bandwidth from lower queues.

# Required order: options, normalization, queueing, translation, filtering.
# Note that translation rules are first match while filter rules are last match.
# See pf.conf5) for syntax and examples

################ Macros ###################################
# use a macro for the interface name, so it can be changed easily
ext_if = "fxp0"
int_if = "fxp1"

### Stateful Tracking Options ###
TorSTO = "(max 375, source-track rule, max-src-conn 1, max-src-nodes 375, tcp.established 60)"

################ Tables ####################################
table <trustedhostsstatic> const {1.1.1.1,trusted.host.domain}
table <blackliststatic> const {5.5.5.5}
table <trustedhostsdynamic> persist

################ Options ##################################
# Timeout Options
set optimization aggressive
set loginterface $ext_if
set block-policy drop
set require-order yes

################ Normaliztation ############################
# normalize all incoming traffic. Set ttl to 254 to limit possible mapping of hosts behind firewall.
# Also set random-id to help with the same. Set mss to ATM network frame size for easy splitting upstream. 
scrub on $ext_if all random-id min-ttl 254 max-mss 1452 reassemble tcp fragment reassemble

################ Queueing ##################################
# Use a queuing to prioritize empty (no payload) TCP ACKs,
# This dramatically improves throughput on (asymmetric) links when the
# reverse direction is saturated. The empty ACKs use an insignificant
# part of the bandwidth, but if they get delayed, downloads suffer
# badly, so prioritize them.

# Example: 512/128 kbps ADSL. Download is 50 kB/s. When a concurrent
# upload saturates the uplink, download drops to 7 kB/s. With the
# priority queue below, download drops only to 48 kB/s.

# For a 512/128 kbps ADSL with PPPoE link, using "bandwidth 100Kb"
# is optimal. Some experimentation might be needed to find the best
# value. If it's set too high, the priority queue is not effective, and
# if it's set too low, the available bandwidth is not fully used.
# A good starting point would be real_uplink_bandwidth * .90
# My ISP's says bandwidth upload is 1000kbps. In reality
# its ~984kbps (123Kbps). Tested this by uploading multiple files
# to servers to try and saturate upload bandwidth.
# Note: For 768kbps up 744kbps looks like it works well for me.
# Note: For 384kbps up 368kbps looks like it works well for me.

altq on $ext_if bandwidth 984Kb hfsc queue { q_pri, q_def, q_mus, q_tor }
 queue q_pri bandwidth 49%           priority 7 hfsc
 queue q_def bandwidth 49%           priority 5 hfsc (linkshare 49%) {q_smtp,q_http,ssh_login,q_def1}
   queue ssh_login bandwidth 96%       priority 5 hfsc
   queue q_http    bandwidth 1%        priority 4 hfsc
   queue q_smtp    bandwidth 1%        priority 4 hfsc
   queue q_def1    bandwidth 1%        priority 3 hfsc (default)
 queue q_mus bandwidth  1% qlimit 200  priority 4 hfsc
 queue q_tor bandwidth  1% qlimit 25   priority 3 hfsc (upperlimit 272Kb)

################ Translation ###############################
# Translation rules are first match

# NAT internal hosts
nat on $ext_if from !($ext_if) to any -> ($ext_if:0)

# Redirect Bit Torrent traffic to internal machine
rdr on $ext_if proto tcp from any to any port 7381 -> 192.168.0.41
# Redirect for MythTV webserver
rdr on $ext_if proto tcp from any to any port 443 -> 192.168.0.30
# Redirect for mp3 streaming music (edna)
rdr on $ext_if proto tcp from any to any port 993 -> 192.168.0.40

# Postfix Mail Server (internal and external)
rdr on $int_if proto tcp from any to $int_if port smtp -> lo0 port smtp
rdr on $ext_if proto tcp from any to ($ext_if) port smtp -> lo0 port smtp

# Dovecot pop3s/imap Server (internal interface) redirect for internal hosts.
rdr on $int_if proto tcp from any to  $int_if  port pop3s -> lo0 port pop3s

# DENY rouge redirections
no rdr

################ Filtering #################################
# loopback
antispoof log quick for lo0 inet
pass quick on lo0 all

# block inet6
block in quick inet6

#blacklisted ips
block in quick on $ext_if from <blackliststatic> to any flags S/SA

# silently drop broadcasts cable modem noise
block in quick on $ext_if from any to 255.255.255.255

# block and log everything by default
block log on $ext_if all

# block anything coming from source we have no back routes for
block in from no-route to any

# Block and log outgoing packets that don't have our address as source,
# they are either spoofed or something is misconfigured NAT disabled,
# (for instance), we want to be nice and don't send out garbage.
block out log quick on $ext_if from ! $ext_if to any

# pass VPN traffic. Turn on if needed.
# pass in quick proto gre all
# pass out quick proto gre all

# TCP
# pass out all TCP connections and modulate state
pass out on $ext_if proto tcp from ($ext_if) to any flags S/SA modulate state queue (q_def1,q_pri)
# Tag all packets on the internal interface from the bittorrent machine's ip (alias)
pass in on $int_if from 192.168.0.41 to any tag TORRENT modulate state
# Put all packets tagged TORRENT in the torrent queue.
pass out on $ext_if proto tcp from ($ext_if) to any port > 1024 flags S/SA tagged TORRENT modulate state queue (q_tor)
pass out on $ext_if proto udp from ($ext_if) to any port > 1024 tagged TORRENT keep state queue (q_tor)

# UDP
# pass out all UDP connections and keep state
pass out on $ext_if proto udp from ($ext_if) to any keep state queue (q_def1)

# pass out all ICMP connections and keep state
pass out on $ext_if inet proto icmp from ($ext_if) to any keep state

# Allow only specific block of trusted ip's to ssh to the firewall.
pass in quick on $ext_if inet proto tcp from { <trustedhostsstatic>,<trustedhostsdynamic> } to ($ext_if) port 22 flags S/SA keep state queue (q_def1,ssh_login)

# Allow Bit Torrent traffic to internal machine ip (alias)
pass in on $ext_if proto tcp from any to 192.168.0.41 port 7381 flags S/SA synproxy state $TorSTO queue q_tor
pass in on $ext_if proto udp from any to 192.168.0.41 port 7381 keep state $TorSTO queue q_tor

# Allow MythTV to inside
pass in quick on $ext_if inet proto tcp from <trustedhostsstatic> to 192.168.0.30 port 443 flags S/SA keep state queue (q_def1,q_pri)

# Allow mp3 streaming music (edna)
pass in quick on $ext_if inet proto tcp from <trustedhostsstatic> to 192.168.0.40 port 993 flags S/SA keep state queue (q_mus,q_pri)

# Allow traffic for postfix mail server
pass in log on $ext_if inet proto tcp from any to lo0 port smtp flags S/SA synproxy state $SpamdSTO queue (q_smtp,q_pri)
pass in     on $int_if inet proto tcp from 192.168.0.0/24 to lo0 port smtp synproxy state flags S/SA

# Allow traffic for external http server pantz.org
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 80 flags S/SA keep state queue (q_http,q_pri)

# Allow traffic to Dovecot pop3 server from any network on the inside. Change to external if needed.
pass in on $int_if inet proto tcp from any to lo0 port pop3s flags S/SA keep state

Reddit!

Related stories


RSS Feed RSS feed logo

About


3com

3ware

alsa

alsactl

alsamixer

amd

android

apache

areca

arm

ati

auditd

awk

badblocks

bash

bind

bios

bonnie

cable

carp

cat5

cdrom

cellphone

centos

chart

chrome

chromebook

cifs

cisco

cloudera

comcast

commands

comodo

compiz-fusion

corsair

cpufreq

cpufrequtils

cpuspeed

cron

crontab

crossover

cu

cups

cvs

database

dbus

dd

dd_rescue

ddclient

debian

decimal

dhclient

dhcp

diagnostic

diskexplorer

disks

dkim

dns

dos

dovecot

drac

dsniff

dvdauthor

e-mail

echo

editor

emerald

ethernet

expect

ext3

ext4

fat32

fedora

fetchmail

fiber

filesystems

firefox

firewall

flac

flexlm

floppy

flowtools

fonts

format

freebsd

ftp

gdm

gmail

gnome

google

greasemonkey

greylisting

growisofs

grub

hacking

hadoop

harddrive

hba

hex

hfsc

html

html5

http

https

hulu

idl

ie

ilo

intel

ios

iperf

ipmi

iptables

ipv6

irix

javascript

kde

kernel

kickstart

kmail

kprinter

krecord

kubuntu

kvm

lame

ldap

linux

logfile

lp

lpq

lpr

maradns

matlab

memory

mencoder

mhdd

mkinitrd

mkisofs

moinmoin

motherboard

mouse

movemail

mplayer

multitail

mutt

myodbc

mysql

mythtv

nagios

nameserver

netflix

netflow

nginx

nic

ntfs

ntp

nvidia

odbc

openbsd

openntpd

openoffice

openssh

openssl

openvpn

opteron

parted

partimage

patch

perl

pf

pfflowd

pfsync

photorec

php

pop3

pop3s

ports

postfix

power

procmail

proftpd

proxy

pulseaudio

putty

pxe

python

qemu

r-studio

raid

recovery

redhat

router

rpc

rsync

ruby

saltstack

samba

schedule

screen

scsi

seagate

seatools

sed

sendmail

sgi

shell

siw

smtp

snort

solaris

soundcard

sox

spam

spamd

spf

spotify

sql

sqlite

squid

srs

ssh

ssh.com

ssl

su

subnet

subversion

sudo

sun

supermicro

switches

symbols

syslinux

syslog

systemrescuecd

t1

tcpip

tcpwrappers

telnet

terminal

testdisk

tftp

thttpd

thunderbird

timezone

ting

tls

tools

tr

trac

tuning

tunnel

ubuntu

unbound

vi

vpn

wget

wiki

windows

windowsxp

wireless

wpa_supplicant

x

xauth

xfree86

xfs

xinearama

xmms

youtube

zdump

zeromq

zic

zlib