#;
#; /etc/pf.conf
#; Sample packet filter configuration for openbsd.
#;
#; +-------------------------------------------------------------+
#; | Author:   DePaul University Computer Security Response Team |
#; |           WWW:  <http://security.depaul.edu/>               |
#; |           SMTP: <security@depaul.edu>                       |
#; +-------------------------------------------------------------+
#;
#; Copyright (c) 2004. DePaul University. All Rights Reserved.
#;
#; Platform: Tested on the following platforms:
#;              OpenBSD 3.3, 3.4, 3.5
#;
#; Notes:    Please be aware that you MUST be aware of the interface
#;           name(s) on your host, as well as filter requirements
#;           for permitting traffic to your host. Edit /etc/rc.conf
#;           and change 'PF=NO' to 'PF=YES'
#;
#;           To reload these rules, try the following.
#;             /sbin/pfctl -F all -d && /sbin/pfctl -f /etc/pf.conf -e
#;
#;           We do not cover altq here, nor IPv6; for more assistance
#;           such details, feel free to contact us.
#;
#; Revised:  $Id: pf.conf,v 1.3 2004/04/29 20:48:16 epancer Exp $
#;


#;
#;--------------------------------------------------------------------;#
#; Interfaces; add each interface here for later expansion
loopbk="lo0"
ext1="bge0"
bc1="bge1"

#;
#;--------------------------------------------------------------------;#
#; Host/network aliases.
dpunet       = "140.192.0.0/16"
csrtnet      = "140.192.21.0/25"
bcnet        = "172.168.43.0/28"
table <bogon> const { 255.255.255.255/32, 127.0.0.0/8, 0.0.0.0/8, \
                      192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, \
                      192.0.2.0/24, 169.254.0.0/16, 248.0.0.0/5, \
                      240.0.0.0/4 }
broadcast    = "255.255.255.255"


#;
#;--------------------------------------------------------------------;#
#; Administratavia aliases to make life easier.
aspf  = "antispoof log"
bi    = "block in"
bo    = "block out"
bil   = "block in log"
biq   = "block in quick"
bol   = "block out log"
boq   = "block out quick"
bilq  = "block in log quick"
bolq  = "block out log quick"

pi    = "pass in"
po    = "pass out"
pil   = "pass in log"
piq   = "pass in quick"
pol   = "pass out log"
poq   = "pass out quick"
pilq  = "pass in log quick"
polq  = "pass out log quick"

ks    = "keep state"
ms    = "modulate state"

#;
#;--------------------------------------------------------------------;#
#; Set pf behavior
set timeout       { interval 10, frag 30 }
set limit         { frags 25000, states 35000 }
set optimization  normal
set block-policy  return
set loginterface  $ext1

#;
#;--------------------------------------------------------------------;#
#; Remove the cruft and clean-up packets
scrub out all random-id no-df
scrub in  all min-ttl 2 no-df

#;
#; Start the rules
pass quick on $loopbk all

$poq  on  $bc1  inet proto tcp  from $bc1  to $bcnet flags S/SA $ms
$poq  on  $bc1  inet proto tcp  from $bc1  to $bcnet $ks
$poq  on  $bc1  inet proto udp  from $bc1  to $bcnet $ks
$poq  on  $bc1  inet proto icmp from $bc1  to $bcnet $ks
$poq  on  $bc1                  from $bc1  to $bcnet
$poq  on $ext1  inet proto tcp  all flags S/SA $ms
$poq  on $ext1  inet proto tcp  all            $ks
$poq  on $ext1  inet proto udp  all            $ks
$poq  on $ext1  inet proto icmp all            $ks
$poq  on $ext1                  all

block return-rst log proto tcp all flags /S
block return-rst log proto tcp all flags A/A
block log

$bil             from no-route to any
$bilq on  $ext1  from <bogon>   to any
$aspf for $ext1
$aspf for $bc1

$pi  on  $ext1 inet proto icmp from any       to $ext1 icmp-type echoreq $ks
$pi  on  $ext1 inet proto tcp  from any       to $ext1 port { 22, 80 }  $ks
$pi  on  $ext1 inet proto udp  from $csrtnet  to $ext1 port { 53, 123 } $ks

#; Backchannel network rules
$pi  on  $bc1 inet proto icmp from $bcnet to $bc1   icmp-type echoreq $ks
$pi  on  $bc1 inet proto tcp  from $bcnet to $bc1   port 22   $ks
$pi  on  $bc1 inet proto udp  from $bcnet to $bc1   port { 53, 69, 123 } $ks

#;
# vim: ts=8 sw=8 nowrap
#;