|
|
@@ -1,24 +1,41 @@
|
|
|
+
|
|
|
+#define interfaces
|
|
|
#ext_if="em0"
|
|
|
-set skip on lo0
|
|
|
+
|
|
|
+#normalize packets
|
|
|
scrub in all
|
|
|
|
|
|
-antispoof for lo0
|
|
|
-table <fail2ban> persist
|
|
|
-table <pf-block> persist file "/etc/pf-block.conf"
|
|
|
+#skip rule for loopback interface
|
|
|
+set skip on lo0
|
|
|
+
|
|
|
+#prevent spoofing for all interfaces
|
|
|
+antispoof quick for all
|
|
|
+
|
|
|
+#allow traffic on loopback
|
|
|
+pass quick on lo0 all
|
|
|
+
|
|
|
+#add the pf tables
|
|
|
table <pf-pass> persist file "/etc/pf-pass.conf"
|
|
|
-pass in quick from <pf-pass> to any keep state
|
|
|
+table <pf-block> persist file "/etc/pf-block.conf"
|
|
|
+table <sip-auth-ip> persist file "/etc/pf-block-sip-auth-ip.conf"
|
|
|
+table <sip-auth-fail> persist file "/etc/pf-block-sip-auth-fail.conf"
|
|
|
|
|
|
+#allow outbound traffic
|
|
|
pass out quick all
|
|
|
-pass quick on lo0 all
|
|
|
|
|
|
-block in all
|
|
|
-block in quick from <fail2ban>
|
|
|
+#pass allowed addresses
|
|
|
+pass in quick from <pf-pass> to any keep state
|
|
|
+
|
|
|
+#block traffic from blocked addresses
|
|
|
block in quick from <pf-block>
|
|
|
-#antispoof quick for $ext_if
|
|
|
+block in quick from <sip-auth-ip>
|
|
|
+block in quick from <sip-auth-fail>
|
|
|
|
|
|
+#allow ICMP
|
|
|
pass in quick inet proto icmp all
|
|
|
pass in quick inet6 proto icmp6 all
|
|
|
|
|
|
+#allow additional ports
|
|
|
pass in quick inet proto tcp from any to any port 22 keep state
|
|
|
pass in quick inet proto tcp from any to any port 80 keep state
|
|
|
pass in quick inet proto tcp from any to any port 443 keep state
|
|
|
@@ -27,3 +44,5 @@ pass in quick inet proto tcp from any to any port 5060:5091 keep state
|
|
|
pass in quick inet proto udp from any to any port 5060:5091 keep state
|
|
|
pass in quick inet proto udp from any to any port 16384:32768 keep state
|
|
|
|
|
|
+#default block rule
|
|
|
+block in all
|
FusionPBX