2018-12-28 11:23:49 +01:00
|
|
|
# MANAGED BY ANSIBLE, MODIFICATIONS WILL BE LOST
|
|
|
|
|
|
|
|
######################
|
|
|
|
##### INTERFACES #####
|
|
|
|
######################
|
|
|
|
|
|
|
|
ext_if="{{ ansible_default_ipv4.device }}"
|
|
|
|
#lan_if="em1"
|
|
|
|
|
|
|
|
###########################
|
|
|
|
##### TABLES & LISTES #####
|
|
|
|
###########################
|
|
|
|
|
|
|
|
# Evolix
|
2020-12-10 19:23:18 +01:00
|
|
|
table <evolix> { {{ pf_trusted_ips }} }
|
2018-12-28 11:23:49 +01:00
|
|
|
|
|
|
|
# Port en entrée
|
|
|
|
# 2222 = ssh secondaire
|
|
|
|
# 5666 = nrpe
|
|
|
|
#tcp_in = "{ domain, ldap, ldaps, imap, imaps, pop3, pop3s, ssh, smtp, http, https, ftp, ftp-data, smtps, submission, 2222 }"
|
|
|
|
tcp_in = "{ http, https }"
|
|
|
|
|
|
|
|
# 33433><33626 = traceroute
|
|
|
|
#udp_in = "{ domain, ntp, 33433><33626 }"
|
|
|
|
udp_in = "{ 33433><33626 }"
|
|
|
|
|
|
|
|
|
|
|
|
###################
|
|
|
|
##### OPTIONS #####
|
|
|
|
###################
|
|
|
|
|
|
|
|
set block-policy return
|
|
|
|
set optimization normal
|
|
|
|
#set optimization aggressive
|
|
|
|
#set limit states 150000
|
|
|
|
#set limit src-nodes 25000
|
|
|
|
#set limit tables 10000
|
|
|
|
#set limit table-entries 3000
|
|
|
|
set skip on lo
|
|
|
|
match in all scrub (no-df)
|
|
|
|
|
|
|
|
####################
|
|
|
|
##### FILTRAGE #####
|
|
|
|
####################
|
|
|
|
|
|
|
|
# politiques par defaut
|
|
|
|
block log all
|
|
|
|
|
|
|
|
# filter rules and anchor for ftp-proxy(8)
|
|
|
|
#anchor "ftp-proxy/*"
|
|
|
|
#pass in quick inet proto tcp to port ftp divert-to 127.0.0.1 port 8021
|
|
|
|
|
|
|
|
#pass quick proto carp
|
|
|
|
#pass quick on $pfsync_if proto pfsync
|
|
|
|
|
|
|
|
pass out
|
2020-06-16 17:16:55 +02:00
|
|
|
# 5666 = nrpe
|
|
|
|
pass in on $ext_if proto tcp from <evolix> to (self) port { ssh, 5666 }
|
2018-12-28 11:23:49 +01:00
|
|
|
|
|
|
|
# Block Attack
|
|
|
|
# China 144.0.0.0/16 --> SSH
|
|
|
|
block in on $ext_if proto tcp from 144.0.0.0/16 to any port ssh
|
|
|
|
|
|
|
|
# Autorisation des protocoles
|
|
|
|
pass in on $ext_if proto tcp to !(self) port $tcp_in
|
|
|
|
pass in on $ext_if proto udp to !(self) port $udp_in
|
|
|
|
|
|
|
|
# FTP actif
|
|
|
|
# pass in on $ext_if proto tcp from any port 20 to any port 1024:65535
|
|
|
|
|
|
|
|
|
|
|
|
# Acces public
|
|
|
|
pass in proto { icmp, icmp6 }
|
|
|
|
|