# JWRD Computing sample PF configuration
# J. Welsh, May 2016 - Feb 2024
#
# This is OpenBSD pf.conf(5) syntax (the file is not TOML): macro
# definitions, tables, then filter rules. Rules are evaluated top-down and
# the LAST matching rule wins, except for rules marked `quick`, which stop
# evaluation immediately. Because of that, rule order below is significant.
#
# NOTE(review): every pf table name (written `<name>` in pf.conf) is missing
# from this copy -- each `table ... const {`, each `from` with no address
# after it, and the `match ... from nat-to` line originally named one. They
# were most likely stripped as angle-bracket markup during extraction. The
# file will not load with pfctl until they are restored from the original;
# where a comment below says "<table>" it refers to one of those lost names.

# Interface roles: one upstream link, two internal segments with different
# trust levels (cnmac* are the Ethernet ports on the router hardware in use).
external_if = "cnmac0"
trusted_if = "cnmac1"
untrusted_if = "cnmac2"

# Three constant tables: a /23 and the two /24 halves that make it up.
# presumably the whole internal range, the trusted net and the untrusted net;
# which lost name maps to which half cannot be told from this copy.
table const { 10.89.0.0/23 }
table const { 10.89.0.0/24 }
table const { 10.89.1.0/24 }

# Internal Bitcoin node; only used by the (commented-out) port forward below.
btc_host = "10.89.0.2"

paste_port = 4
# monitor_port is defined but not referenced by any rule in this file.
monitor_port = 6 # JWRD's passive monitoring system
sendrawtx_port = 8 # JWRD's BTC raw transaction submission service (planned)
irc_port = 6667
btc_port = 8333
altssh_port = 60124
gcm_ports = 5228:5230 # Google Cloud Messaging
whatsapp_port = 3478
telegram_ports = 1400 4000:5000 # voice/video calls (NB: a very broad hole, and based largely on internet gossip)

# Outbound destination ports allowed for internal hosts. Bare names
# (ssh, whois, submission, ...) are resolved through services(5) at load time.
tcp_out = "{" $paste_port $sendrawtx_port ssh whois submission http https rsync git svn $irc_port $btc_port $altssh_port "}"
udp_out = "{" domain ntp "}"

# additional openings for untrusted net
tcp_out_untrusted = "{" $gcm_ports "}"
udp_out_untrusted = "{" $whatsapp_port $telegram_ports "}"

# Attack preparedness
# The file-backed, persistent blackhole table is disabled, but the rule below
# still references its (lost) name. pfctl creates an empty table for a
# referenced-but-undeclared name (confirm on the target release), so the rule
# loads and the table can be filled at runtime with `pfctl -t <table> -T add`;
# entries will not survive a ruleset reload unless the `persist` definition is
# re-enabled.
#table persist counters file "/root/blackhole.txt"
block in quick on $external_if from

# Don't filter localhost
set skip on lo

# Default deny
# No `quick`, no direction: drops everything in both directions unless a later
# rule matches.
block log

# Blocked connections from inside get friendly rejection packets
# `return` sends TCP RST / ICMP unreachable to internal hosts instead of
# letting their connection attempts time out.
block return in log from

# Likewise ident from outside (Freenode waits for timeout probing it)
block return proto tcp to port ident

# Anti-spoofing
# All three are `quick`, so they override every pass rule below: the upstream
# link rejects packets claiming an internal source, and each internal
# interface accepts only sources from its own net (`!` = everything else).
block in quick log on $external_if from
block in quick log on $trusted_if from !
block in quick log on $untrusted_if from !

# Proxying required for outbound FTP. Temporary rules added here for data connections (it seems the anchor must come *before* the main NAT rule!):
# ftp-proxy(8) inserts per-session rules for data connections into this anchor.
anchor "ftp-proxy/*"

# Divert incoming control connections into proxy...
# Only the trusted interface is diverted, and port ftp is not in $tcp_out, so
# hosts on the untrusted net get no FTP at all. 8021 is the proxy's listener.
pass in quick on $trusted_if inet proto tcp to port ftp divert-to 127.0.0.1 port 8021

# and allow outbound control connections from proxy.
pass out inet proto tcp from ($external_if) to port ftp

# Enable NAT
# Source <table> lost in this copy. `($external_if)` in parentheses tracks the
# interface's address as it changes (dynamic upstream address, see DHCP below).
match out on $external_if inet from nat-to ($external_if)

# Allow traffic to designated services from internal networks
# The `pass in` rules are not bound to an interface; the `quick` anti-spoofing
# blocks above are what stops the same source addresses being accepted on the
# external link. The `pass out` rules carry no source restriction, so they
# also permit the router itself to reach these ports. Which <table> each
# `from` used (whole /23 or one half) is lost in this copy.
pass in inet proto tcp from to port $tcp_out
pass out on $external_if inet proto tcp to port $tcp_out
pass in inet proto tcp from to port $tcp_out_untrusted
pass out on $external_if inet proto tcp to port $tcp_out_untrusted
pass in inet proto udp from to port $udp_out
pass out on $external_if inet proto udp to port $udp_out
pass in inet proto udp from to port $udp_out_untrusted
pass out on $external_if inet proto udp to port $udp_out_untrusted
# Only echo requests from inside; replies come back through the created state.
pass in inet proto icmp from icmp-type echoreq
pass out on $external_if inet proto icmp icmp-type echoreq

# Router can send ICMP anywhere
pass out inet proto icmp from self

# Router's DHCP client to upstream (with dynamic address & network)
# NOTE(review): OpenBSD's dhclient/dhcpd exchange DHCP over BPF, which may
# bypass pf entirely; confirm on the target release before treating these
# rules as the effective control for DHCP.
pass in inet proto udp from ($external_if:network) port bootps to ($external_if) port bootpc
pass out inet proto udp from ($external_if) port bootpc to port bootps

# Router's DHCP server (our address & network are static here)
pass in inet proto udp from $untrusted_if:network port bootpc to $untrusted_if port bootps
pass out inet proto udp from $untrusted_if port bootps to port bootpc

# Port forwarding
# Disabled: would expose $btc_host's Bitcoin port to the upstream link.
# The second rule is needed alongside the rdr-to because of the default
# `block log` above.
#pass in on $external_if inet proto tcp to port $btc_port rdr-to $btc_host
#pass out inet proto tcp to $btc_host port $btc_port