# $FreeBSD: src/etc/pf.conf,v 1.2.2.1 2006/04/04 20:31:20 mlaier Exp $
#
# pf(4) ruleset for a FreeBSD host running several jails behind one
# external interface, a 6to4 tunnel and a private tunnel to the nstun peers.
# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.

## Options: resource limits, timeouts and interfaces pf leaves alone.

# The default state table (10k entries) is far too small for a host that
# fronts several jails; raise both fragment and state limits.
# NOTE(review): 32786 looks like a transposition of 32768 - confirm the
# intended value (any positive limit is accepted, so this is cosmetic).
set limit { frags 32786, states 65536 }

# UDP has no handshake, so its states are throw-away: expire them quickly
# rather than keeping the defaults.
set timeout { udp.first 15, udp.single 5, udp.multiple 30 }

# Loopback traffic is never filtered.
set skip on lo0

## Macros: define common values, so they can be referenced and changed easily.

# Interfaces
main_if="lagg0"     # external (Internet) interface
local_if="lo0"      # loopback
nstun_if="tun0"     # private tunnel towards the nstun peers
stf_if="stf0"       # 6to4 tunnel interface

# IPv4 addresses: the host itself and each jail
main_ipv4="85.234.142.64"
jail_ipv4_web="85.234.142.63"
jail_ipv4_mail="85.234.142.62"
jail_ipv4_syndicate="85.234.142.55"
jail_ipv4_havnor="85.234.142.56"
jail_ipv4_thirdforces="85.234.142.59"

# IPv6 (6to4) addresses: the host itself and each jail
main_ipv6="2002:55ea:8e40::1"
jail_ipv6_web="2002:55ea:8e40::63"
jail_ipv6_mail="2002:55ea:8e40::62"
jail_ipv6_syndicate="2002:55ea:8e40::55"
jail_ipv6_havnor="2002:55ea:8e40::56"
jail_ipv6_thirdforces="2002:55ea:8e40::59"

# nstun tunnel network and the per-peer addresses used by the rdr rules
nstun_net="192.168.137.0/27"
nstun_ipv4_thirdforces="192.168.137.1"
nstun_ipv4_syndicate="192.168.137.254"
nstun_ipv4_potjie="192.168.137.253"

## Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
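# Reassemble fragments and normalise ambiguous packets before any filtering.
scrub in all

# Anti-hax0r stuff - this will piss off nmappers.
# Left disabled on purpose: it would redirect every port probed by a host
# whose OS fingerprint matches NMAP to the local sshd, which also breaks
# legitimate clients that happen to be misfingerprinted.
#rdr pass on { $main_if, $stf_if } proto tcp from any os NMAP to any port 1:65535 -> $local_if port 22

## Translation

# NAT the tunnel net out through the main address - might prove insecure.
# NOTE(review): this rule is matched on $nstun_if, i.e. on packets leaving
# via the tunnel, not on the external interface - confirm that is the intent.
nat on $nstun_if from $nstun_net to any -> ($main_if)

# Present some ports to the nstun tunnels for access: ssh to a peer's
# tunnel address lands on the matching jail (or on the host for potjie).
rdr on $nstun_if proto tcp from $nstun_net to $nstun_ipv4_thirdforces port 22 -> $jail_ipv4_thirdforces
rdr on $nstun_if proto tcp from $nstun_net to $nstun_ipv4_syndicate port 22 -> $jail_ipv4_syndicate
rdr on $nstun_if proto tcp from $nstun_net to $nstun_ipv4_potjie port 22 -> $main_ipv4

## Filtering: the first two rules set the default policy to block-and-log
## everything; every rule after them is a "pass quick" exception.
## These two must stay active - commenting them out would silently turn the
## ruleset into pass-by-default.
block in log all
block out log all

# pass traffic on the loopback interface in either direction
# (redundant with "set skip on lo0" above, kept for clarity)
pass in quick on $local_if all
pass out quick on $local_if all

# nstun tunnel peers are fully trusted in both directions.
# NOTE(review): together with the rdr rules above this gives every tunnel
# peer unfiltered access to the host and all jails; tighten to the ports
# actually needed if the peers are not all equally trusted.
pass in quick on $nstun_if all
pass out quick on $nstun_if all

# drop packets that arrive on the wrong interface for their source address.
# NOTE(review): antispoof without "quick" is last-match, so it is overridden
# by the later "pass in quick ... from any" rules on every opened port;
# "antispoof quick for $main_if" would close that gap - verify the stf0 and
# tun0 paths (6to4 and jail addresses) are unaffected before changing it.
antispoof for $main_if

# pass tcp, udp, and icmp out on the external (Internet) interface.
# keep state on udp and icmp and modulate state on tcp.
# NOTE(review): "flags" and "modulate state" are TCP-only options; confirm
# "pfctl -nf" accepts the proto ipv6 (6to4 encapsulation) expansion of the
# first rule, otherwise give proto ipv6 its own "keep state" rule.
pass out quick on { $main_if, $stf_if } proto { tcp, ipv6 } all flags S/SA modulate state
pass out quick on { $main_if, $stf_if } proto { udp, icmp, icmp6 } all keep state

## Tables
# NOTE(review): every angle-bracketed <table> reference below (declarations,
# block rules, overload clauses and the trusted pass rules) was missing from
# the copy this ruleset was rebuilt from - such names are commonly stripped
# by HTML extraction. Each has been matched to the table file of the same
# name; "otherflags" is assumed to overload the default table. Confirm all
# of them against the deployed file before loading.

# Regular ssh users' IPs - populated regularly from the file
table <trustedclients> persist file "/var/db/pf/tables/trustedclients"
# Bruteforcers - populated dynamically by the overload clauses below and
# persisted to disk
table <bruteforcedefault> persist file "/var/db/pf/tables/bruteforcedefault"
table <bruteforcetight> persist file "/var/db/pf/tables/bruteforcetight"
table <bruteforcetightest> persist file "/var/db/pf/tables/bruteforcetightest"

# Attempt at blocking the bad boys: anything already in a bruteforce table
# is dropped in both directions before any pass rule is consulted.
block quick from <bruteforcedefault>
block quick from <bruteforcetight>
block quick from <bruteforcetightest>

# State options for allowed ports - max-src-conn-rate = connects/period.
# A source exceeding a limit is added to the matching bruteforce table and
# all of its existing states are flushed ("flush global").
# default - web traffic, the 'norm'
tcpflags="flags S/SA keep state (max-src-conn 254, max-src-conn-rate 3548/3600, overload <bruteforcedefault> flush global)"
# tight - smtp etc
tcptightflags="flags S/SA keep state (max-src-conn 22, max-src-conn-rate 697/3600, overload <bruteforcetight> flush global)"
# tightest - ssh etc
tcptightestflags="flags S/SA keep state (max-src-conn 9, max-src-conn-rate 55/3600, overload <bruteforcetightest> flush global)"
# insanely spammy protocols are often udp
# NOTE(review): max-src-conn counts completed TCP handshakes only; for the
# udp/icmp rules that use this macro just max-src-conn-rate is effective.
otherflags="keep state (max-src-conn 2048, max-src-conn-rate 512/2, overload <bruteforcedefault> flush global)"
# flags for people we trust: stateful, but no rate limit and no overload
trustedtcpflags="flags S/SA keep state"

# good people for all - gotkey? gotmail? tm
# Trusted clients reach ssh/http/https and the alternative ssh ports on any
# address behind the external interfaces without rate limiting.
pass in quick on { $main_if, $stf_if } proto tcp from <trustedclients> to any port 22 $trustedtcpflags
pass in quick on { $main_if, $stf_if } proto tcp from <trustedclients> to any port 80 $trustedtcpflags
pass in quick on { $main_if, $stf_if } proto tcp from <trustedclients> to any port 443 $trustedtcpflags
pass in quick on { $main_if, $stf_if } proto tcp from <trustedclients> to any port 8022 $trustedtcpflags
pass in quick on { $main_if, $stf_if } proto tcp from <trustedclients> to any port 60022 $trustedtcpflags

# pingers are allowed (echo requests only, rate limited via $otherflags)
pass in quick on { $main_if, $stf_if } inet proto icmp all icmp-type echoreq $otherflags
pass in quick on { $main_if, $stf_if } inet6 proto icmp6 all icmp6-type echoreq $otherflags

# allow incoming services to the main address
pass in quick on { $main_if, $stf_if } proto tcp from any to { $main_ipv4, $main_ipv6 } port 22 $tcptightestflags
pass in quick on { $main_if, $stf_if } proto tcp from any to { $main_ipv4, $main_ipv6 } port 80 $tcpflags
pass in quick on { $main_if, $stf_if } proto tcp from any to { $main_ipv4, $main_ipv6 } port 443 $tcpflags
# public ntp
pass in quick on { $main_if, $stf_if } proto udp from any to { $main_ipv4, $main_ipv6 } port 123 $otherflags

# jail firewalling..
## host: syndicate
# ssh
pass in quick on { $main_if, $stf_if } proto tcp from any to { $jail_ipv4_syndicate, $jail_ipv6_syndicate } port 22 $tcptightestflags
pass in quick on { $main_if, $stf_if } proto tcp from any to { $jail_ipv4_syndicate, $jail_ipv6_syndicate } port 443 $tcptightflags
# used for ssh over dns..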
# dns (also carries the ssh-over-dns tunnel)
pass in quick on { $main_if, $stf_if } proto udp from any to { $jail_ipv4_syndicate, $jail_ipv6_syndicate } port 53 $otherflags
# icecast
pass in quick on { $main_if, $stf_if } proto udp from any to { $jail_ipv4_syndicate, $jail_ipv6_syndicate } port 8767 $otherflags
pass in quick on { $main_if, $stf_if } proto tcp from any to { $jail_ipv4_syndicate, $jail_ipv6_syndicate } port 8765 $tcpflags
pass in quick on { $main_if, $stf_if } proto udp from any to { $jail_ipv4_syndicate, $jail_ipv6_syndicate } port 8765 $otherflags

## host: web
# plain http and https only
pass in quick on { $main_if, $stf_if } proto tcp from any to { $jail_ipv4_web, $jail_ipv6_web } port { 80, 443 } $tcpflags

## host: mail
# smtp, retrieval and https (for webmail)
# smtp and submission get the tight limits
pass in quick on { $main_if, $stf_if } proto tcp from any to { $jail_ipv4_mail, $jail_ipv6_mail } port { 25, 587 } $tcptightflags
# webmail, smtps, imaps and pop3s use the default limits
pass in quick on { $main_if, $stf_if } proto tcp from any to { $jail_ipv4_mail, $jail_ipv6_mail } port { 80, 465 } $tcpflags
# alternative smtp port
# NOTE(review): 925 and 465 accept mail submission but use $tcpflags, while
# 25 and 587 use $tcptightflags - confirm the looser limit is intended.
pass in quick on { $main_if, $stf_if } proto tcp from any to { $jail_ipv4_mail, $jail_ipv6_mail } port { 925, 443, 993, 995 } $tcpflags

## host: havnor
# ssh
pass in quick on { $main_if, $stf_if } proto tcp from any to { $jail_ipv4_havnor, $jail_ipv6_havnor } port 22 $tcptightestflags
# smtp
pass in quick on { $main_if, $stf_if } proto tcp from any to { $jail_ipv4_havnor, $jail_ipv6_havnor } port 25 $tcptightflags
# dns
pass in quick on { $main_if, $stf_if } proto udp from any to { $jail_ipv4_havnor, $jail_ipv6_havnor } port 53 $otherflags
# http
pass in quick on { $main_if, $stf_if } proto tcp from any to { $jail_ipv4_havnor, $jail_ipv6_havnor } port 80 $tcpflags
# https and 2044 share the ssh-grade limits
# NOTE(review): 443 is rate limited like ssh here but like web traffic on
# every other host - confirm that is deliberate.
pass in quick on { $main_if, $stf_if } proto tcp from any to { $jail_ipv4_havnor, $jail_ipv6_havnor } port { 443, 2044 } $tcptightestflags
# mercurial db
pass in quick on { $main_if, $stf_if } proto tcp from any to { $jail_ipv4_havnor, $jail_ipv6_havnor } port 3334 $tcpflags
# sip, tcp and udp
pass in quick on { $main_if, $stf_if } proto tcp from any to { $jail_ipv4_havnor, $jail_ipv6_havnor } port 5060 $tcpflags
pass in quick on { $main_if, $stf_if } proto udp from any to { $jail_ipv4_havnor, $jail_ipv6_havnor } port 5060 $otherflags
# svn
pass in quick on { $main_if, $stf_if } proto tcp from any to { $jail_ipv4_havnor, $jail_ipv6_havnor } port 3333 $tcpflags

## host: thirdforces
# ssh on the standard and the two alternative ports, plus https, all with
# the tightest limits
pass in quick on { $main_if, $stf_if } proto tcp from any to { $jail_ipv4_thirdforces, $jail_ipv6_thirdforces } port { 22, 8022, 60022, 443 } $tcptightestflags
# http
pass in quick on { $main_if, $stf_if } proto tcp from any to { $jail_ipv4_thirdforces, $jail_ipv6_thirdforces } port 80 $tcpflags
# dns for tunneling
pass in quick on { $main_if, $stf_if } proto udp from any to { $jail_ipv4_thirdforces, $jail_ipv6_thirdforces } port 53 $otherflags
# teamspeak server
pass in quick on { $main_if, $stf_if } proto udp from any to { $jail_ipv4_thirdforces, $jail_ipv6_thirdforces } port 8767 $otherflags
# teamspeak admin server
pass in quick on { $main_if, $stf_if } proto tcp from any to { $jail_ipv4_thirdforces, $jail_ipv6_thirdforces } port { 14534, 51234 } $tcpflags
pass in quick on { $main_if, $stf_if } proto udp from any to { $jail_ipv4_thirdforces, $jail_ipv6_thirdforces } port 8765 $otherflags