set limit {states 10000, frags 2000}
set loginterface $ext_if
set optimization normal
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set block-policy drop
set fingerprints "/etc/pf.os"
scrub in all
block in log all
block out log all
block quick on $ext_if os NMAP
block in on $ext_if os unknown
block return in on $ext_if inet proto icmp from any to any icmp-type unreach code net-unr
block in log quick proto tcp flags FUP/WEUAPRSF
block in log quick proto tcp flags WEUAPRSF/WEUAPRSF
block in log quick proto tcp flags SRAFU/WEUAPRSF
block in log quick proto tcp flags /WEUAPRSF
block in log quick proto tcp flags SR/SR
block in log quick proto tcp flags SF/SF
block in log quick proto tcp from <denyIP> to any
block in quick on $ext_if from any to 255.255.255.255
#antispoof quick for { lo0, $ext_if }
pass in quick on lo0 all keep state
pass out quick on lo0 all keep state
pass out quick on $ext_if keep state
pass out on $ext_if inet proto icmp all icmp-type 8 code 0 keep state
pass in on $ext_if inet proto icmp all icmp-type 8 code 0 keep state
pass in quick on $ext_if proto tcp from any to $ext_if port { domain, 2222 } flags S/SAFR keep state
pass in quick on $ext_if proto udp from any to $ext_if port { domain }
pass in quick on $ext_if proto tcp from 211.xxx.66.xx/32 to $ext_if port { mysql } flags S/SAFR keep state
Posted by 노는총각
