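# pf.conf for a FreeBSD host whose uplink is vtnet0 and which fronts jails
# on a private IPv4 /24 and a ULA IPv6 prefix.  Sections follow the order
# pf requires: macros, tables, options, scrub, nat/rdr, filter rules.

### Macros
ext_if="vtnet0"
extnet=$ext_if:network
tcp_services="{ www, https }"
icmp_types="echoreq"

# Jail networks (NAT sources).  Written as network addresses so the mask
# is explicit; pf masks host bits anyway.
jail_net="192.168.0.0/24"
jail_net6="fd00::/8"
# The git jail's own addresses, used as rdr targets.  A redirect target must
# be a single host: with a /24 mask pf would spread (round-robin) the
# redirect over every address in the network instead of this one jail.
jail_git="192.168.0.25"
jail_git6="fd00::25"

### Tables
# IPv4 ranges that must never be seen as a source on, or a destination out
# of, the external interface.  IPv4 only; no IPv6 bogons are listed.
table <martians> const { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
                         10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
                         0.0.0.0/8, 240.0.0.0/4 }
# Trusted sources that bypass filtering.  "const" means it cannot be changed
# at runtime, so with an empty list the matching pass rule never fires.
table <copains> const { }
# SSH brute-force offenders, filled by the overload rules below.  Declared
# explicitly with "persist" so the kernel keeps the table and its entries
# even while no rule references it (e.g. during a ruleset reload).
table <sshforce> persist

### Options
set loginterface $ext_if
set skip on lo0
set skip on lo1
set block-policy drop

### Normalization
scrub in on $ext_if all fragment reassemble
scrub on $ext_if all reassemble tcp

### Translation
nat on $ext_if inet from $jail_net to any -> $ext_if:0
nat on $ext_if inet6 from $jail_net6 to any -> $ext_if:0

# Expose the git jail's sshd (external 9022 -> 22) and git daemon (9418).
# Plain "rdr" rather than "rdr pass": with "rdr pass" the redirected packets
# would be passed without ever reaching the filter rules below, so neither
# <martians>, <sshforce>, antispoof nor the blacklistd anchor would apply
# to them.  Explicit pass rules for the translated destination follow.
rdr on $ext_if proto tcp from any to ($ext_if) port 9022 -> $jail_git port 22
rdr on $ext_if proto tcp from any to ($ext_if) port 9418 -> $jail_git port 9418

### Filtering
# Default deny inbound, allow outbound.
block in all
pass out all

# Known offenders and bogons are dropped before anything else is evaluated.
block drop quick from <sshforce>
block drop in quick on $ext_if from <martians> to any
block drop out quick on $ext_if from any to <martians>
antispoof quick for { lo0 lo1 $ext_if }

pass quick from <copains> to any

# blacklistd(8) installs its own block rules inside this anchor.
anchor "blacklistd/*" in on $ext_if

# finger (79): deliberately passed and logged.
pass log proto tcp from any to $extnet port 79
pass proto tcp from any to $extnet port $tcp_services \
    flags S/SA keep state

# Restrictive Brute force SSH
# Host sshd: per source, at most 15 concurrent connections and 5 new
# connections per 3 seconds; a source exceeding either limit is added to
# <sshforce> and all of its existing states are flushed.
pass quick proto tcp from any to $extnet port ssh \
    flags S/SA keep state \
    (max-src-conn 15, max-src-conn-rate 5/3, \
    overload <sshforce> flush global)

# Git jail sshd (destination already rewritten by the rdr above): same
# limits as the host sshd, feeding the same offender table.
pass in on $ext_if proto tcp from any to $jail_git port 22 \
    flags S/SA keep state \
    (max-src-conn 15, max-src-conn-rate 5/3, \
    overload <sshforce> flush global)
# Git daemon in the jail; plain stateful pass, no rate limit.
pass in on $ext_if proto tcp from any to $jail_git port 9418 \
    flags S/SA keep state

# ICMP: only echo requests for IPv4; all ICMPv6 (needed for neighbour
# discovery and path MTU) for IPv6.
pass in inet proto icmp all icmp-type $icmp_types
pass in inet6 proto icmp6 all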