Changeset View
Changeset View
Standalone View
Standalone View
swh/web/tests/resources/contents/code/filenames/pf.conf
- This file was added.
# Source and tutorial - https://www.cyberciti.biz/faq/how-to-set-up-a-firewall-with-pf-on-freebsd-to-protect-a-web-server/ | |||||
# /usr/local/etc/pf.conf | |||||
# | |||||
## Set your public interface ## | |||||
ext_if="vtnet0" | |||||
## Set your server public IP address ## | |||||
ext_if_ip="172.xxx.yyy.zzz" | |||||
## Set and drop these IP ranges on public interface ## | |||||
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \ | |||||
10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \ | |||||
0.0.0.0/8, 240.0.0.0/4 }" | |||||
## Set http(80)/https (443) port here ## | |||||
webports = "{http, https}" | |||||
## enable these services ## | |||||
int_tcp_services = "{domain, ntp, smtp, www, https, ftp, ssh}" | |||||
int_udp_services = "{domain, ntp}" | |||||
## Skip loop back interface - Skip all PF processing on interface ## | |||||
set skip on lo | |||||
## Sets the interface for which PF should gather statistics such as bytes in/out and packets passed/blocked ## | |||||
set loginterface $ext_if | |||||
## Set default policy ## | |||||
block return in log all | |||||
block out all | |||||
# Deal with attacks based on incorrect handling of packet fragments | |||||
scrub in all | |||||
# Drop all Non-Routable Addresses | |||||
block drop in quick on $ext_if from $martians to any | |||||
block drop out quick on $ext_if from any to $martians | |||||
## Blocking spoofed packets | |||||
antispoof quick for $ext_if | |||||
# Open SSH port which is listening on port 22 from VPN 139.xx.yy.zz Ip only | |||||
# I do not allow or accept ssh traffic from ALL for security reasons | |||||
pass in quick on $ext_if inet proto tcp from 139.xxx.yyy.zzz to $ext_if_ip port = ssh flags S/SA keep state label "USER_RULE: Allow SSH from 139.xxx.yyy.zzz" | |||||
## Use the following rule to enable ssh for ALL users from any IP address # | |||||
## pass in inet proto tcp to $ext_if port ssh | |||||
### [ OR ] ### | |||||
## pass in inet proto tcp to $ext_if port 22 | |||||
# Allow Ping-Pong stuff. Be a good sysadmin | |||||
pass inet proto icmp icmp-type echoreq | |||||
# All access to our Nginx/Apache/Lighttpd Webserver ports | |||||
pass proto tcp from any to $ext_if port $webports | |||||
# Allow essential outgoing traffic | |||||
pass out quick on $ext_if proto tcp to any port $int_tcp_services | |||||
pass out quick on $ext_if proto udp to any port $int_udp_services | |||||
# Add custom rules below | |||||
# vim: set ft=pf |