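# pf.conf Jinja2 template (Ansible) for an OpenBSD packet filter host firewall.
# Comment character is "#", as in pf.conf(5). Rule evaluation is last-match-wins
# unless a rule carries "quick".

######################
##### INTERFACES #####
######################
# WAN interface: taken from the Ansible default IPv4 route at render time.
ext_if="{{ ansible_default_ipv4.device }}"
#lan_if="em1"

###########################
##### TABLES & LISTS  #####
###########################
# Evolix
# NOTE(review): the table name was lost in the extracted copy (angle brackets
# stripped from "table <...>" and from "from <...> to (self)" below); "<evolix>"
# is reconstructed from the surrounding comments — confirm against the original
# template.
# NOTE(review): if pf_trusted_ips is rendered from an Ansible list rather than
# a pre-joined string, the rendered braces are not valid pf syntax; a
# "| join(', ')" filter may be needed. Cannot be determined from this file.
table <evolix> { {{ pf_trusted_ips }} }

# Inbound ports
# 2222 = secondary ssh
# 5666 = nrpe
# Previous, much wider service list kept for reference; only http/https are
# exposed today.
#tcp_in = "{ domain, ldap, ldaps, imap, imaps, pop3, pop3s, ssh, smtp, http, https, ftp, ftp-data, smtps, submission, 2222 }"
tcp_in = "{ http, https }"
# 33433><33626 = traceroute (exclusive port range)
#udp_in = "{ domain, ntp, 33433><33626 }"
udp_in = "{ 33433><33626 }"

###################
##### OPTIONS #####
###################
# Blocked packets are answered with a TCP RST / ICMP unreachable instead of
# being silently dropped: clients fail fast, at the cost of revealing that a
# filter is present.
set block-policy return
set optimization normal
#set optimization aggressive
#set limit states 150000
#set limit src-nodes 25000
#set limit tables 10000
#set limit table-entries 3000
# Loopback traffic is never filtered.
set skip on lo
# Normalise every inbound packet; "no-df" clears the don't-fragment bit.
match in all scrub (no-df)

###########################
##### GLOBAL FILTERING ####
###########################
# Default policy: allow inbound ICMP, then filter only the WAN interface on
# input; everything else is allowed.

# Default deny, logged to pflog(4). Every packet not matched by a later "pass"
# rule is rejected here.
block log all
# All outbound traffic on the WAN interface is allowed unconditionally
# ("quick": no later rule can override it). No egress filtering is applied.
pass out quick on $ext_if
#pass on $lan_if
# ICMP/ICMP6 accepted on every interface, all types, no rate limit. ICMP6 is
# needed for neighbour discovery and path-MTU discovery on IPv6.
pass in proto { icmp, icmp6 }

# filter rules and anchor for ftp-proxy(8)
#anchor "ftp-proxy/*"
#pass in quick inet proto tcp to port ftp divert-to 127.0.0.1 port 8021

#pass quick proto carp
#pass quick on $pfsync_if proto pfsync

# Access for Evolix: ssh and nrpe, only from the trusted addresses in the
# table, only to this host's own addresses.
pass in on $ext_if proto tcp from <evolix> to (self) port { ssh, 5666 }

# Block Attack
# China 144.0.0.0/16 --> SSH
# NOTE(review): "block log all" above already rejects ssh from any source that
# is not in <evolix>. Because evaluation is last-match-wins and this rule has no
# "log" keyword, its effective result is (a) ssh attempts from this prefix are
# dropped WITHOUT being logged and (b) a trusted address that happens to fall
# inside the prefix is locked out. If the purpose is to silence log noise, say
# so here; otherwise consider adding "log" so the rule is visible in pflog.
block in on $ext_if proto tcp from 144.0.0.0/16 to any port ssh

# Inbound services
# NOTE(review): "to !(self)" matches only packets whose destination is NOT one
# of this host's own addresses, i.e. traffic that would be forwarded. On a host
# that does not route, these two rules never match and $tcp_in/$udp_in remain
# closed; if the services run on this host, the destination is probably meant
# to be "(self)". Confirm the machine's role before changing it.
pass in on $ext_if proto tcp to !(self) port $tcp_in
pass in on $ext_if proto udp to !(self) port $udp_in

# Active FTP (data connections from server port 20); disabled.
# pass in on $ext_if proto tcp from any port 20 to any port 1024:65535

###############################
##### SPECIFIC FILTERING  #####
###############################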