EvoBSD/roles/pf/templates/pf.conf.j2

######################
##### INTERFACES #####
######################

ext_if="{{ ansible_default_ipv4.device }}"
#lan_if="em1"

###########################
##### TABLES & LISTES #####
###########################

# Evolix
table <evolix> { {{ pf_trusted_ips }} }

# Port en entrée
# 2222 = ssh secondaire
# 5666 = nrpe
#tcp_in  = "{ domain, ldap, ldaps, imap, imaps, pop3, pop3s, ssh, smtp, http, https, ftp, ftp-data, smtps, submission, 2222 }"
tcp_in  = "{ http, https }"

# 33433><33626 = traceroute
#udp_in  = "{ domain, ntp, 33433><33626 }"
udp_in  = "{ 33433><33626 }"

###################
##### OPTIONS #####
###################

set block-policy return
set optimization normal
#set optimization aggressive
#set limit states 150000
#set limit src-nodes 25000
#set limit tables 10000
#set limit table-entries 3000
set skip on lo
match in all scrub (no-df)

###########################
##### FILTRAGE GLOBAL #####
###########################

# politique par defaut : on autorise l'icmp en entrée puis on ne filtre que le WAN en entrée, tout le reste est autorisé
block log all
pass out quick on $ext_if
#pass on $lan_if
pass in proto { icmp, icmp6 }

# filter rules and anchor for ftp-proxy(8)
#anchor "ftp-proxy/*"
#pass in quick inet proto tcp to port ftp divert-to 127.0.0.1 port 8021

#pass quick proto carp
#pass quick on $pfsync_if proto pfsync

# Autorisations pour Evolix
pass in on $ext_if proto tcp from <evolix> to (self) port { ssh, 5666 }

# Block Attack
# China 144.0.0.0/16 --> SSH
block in on $ext_if proto tcp from 144.0.0.0/16 to any port ssh

# Autorisation des protocoles en entrée
pass in on $ext_if proto tcp to !(self) port $tcp_in
pass in on $ext_if proto udp to !(self) port $udp_in

# FTP actif
# pass in on $ext_if proto tcp from any port 20 to any port 1024:65535

###############################
##### FILTRAGE SPECIFIQUE #####
###############################