Sample PF for Stable
Here's a sample /etc/pf.conf for stable servers (do NOT use this for shell servers):
```
ExtIf = "vio0"
IP4 = "10.0.0.1"
IntIP4 = "192.168.0.1"
IP6 = "2001:db8::/80"

# per-rule state limits; the Flush* variants dump offenders into <badhosts>
FlushUDP = "max-pkt-rate 10000/10 keep state (max 1000, source-track rule, max-src-nodes 200, max-src-states 200)"
Flush = "keep state (max 1000, source-track rule, max-src-nodes 200, max-src-conn-rate 500/10 overload <badhosts> flush global)"
FlushStrict = "keep state (max 100, source-track rule, max-src-nodes 20, max-src-conn-rate 50/10 overload <badhosts> flush global)"

set skip on lo0
set loginterface $ExtIf
set ruleset-optimization profile
set syncookies adaptive (start 25%, end 12%)

table <ilines> persist file "/etc/pf/ilines"
table <badhosts> persist file "/etc/pf/badhosts"

# udp and icmp
block in log quick from <badhosts>
pass in log quick proto udp to {$IP4 $IP6} port domain $FlushUDP
pass in log quick proto udp to {$IP4 $IP6} port ntp $FlushUDP
pass in log quick proto udp to {$IP4 $IP6} port {isakmp ipsec-nat-t} $FlushUDP
block in log quick proto udp to {$IP4 $IP6}
block in log quick from urpf-failed
match in log all scrub (no-df random-id max-mss 1440)
pass in log quick on $ExtIf inet proto icmp icmp-type 8 code 0 $FlushUDP # icmp echo
pass in log quick on $ExtIf inet proto icmp icmp-type 3 code 4 $FlushUDP # icmp needfrag (MTU)
pass in log quick on $ExtIf proto ipv6-icmp $FlushUDP

# tcp
pass in log quick proto tcp to {$IP4 $IP6} port domain $Flush
pass in log quick proto tcp to {$IP4 $IP6} port auth $Flush
pass in log quick proto tcp to {$IP4 $IP6} port {smtp submission smtps imap imaps pop3 pop3s} $Flush
pass in log quick proto tcp to {$IP4 $IP6} port {gopher http https} $Flush
# IRC peers listed in <ilines> are not rate-limited; everyone else gets $Flush
pass in log quick proto tcp from <ilines> to {$IP4 $IP6} port { 6660:6669 6697 6997 7000 9999 16667 16697 } #irc
pass in log quick proto tcp to {$IP4 $IP6} port { 6660:6669 6697 6997 7000 9999 16667 16697 } $Flush #irc
pass in log quick proto tcp to {$IP4 $IP6} port { 1314 21314 1337 31337 } $Flush #bnc
pass in log quick proto tcp to {$IP4 $IP6} port 29173 $Flush #wraith
pass in log quick proto tcp to {$IP4 $IntIP4 $IP6} port ssh $FlushStrict

# road warrior vpn
# (the quick udp rule for isakmp/ipsec-nat-t above already matches IKE, so
# the IKED tag is only applied if that rule is removed)
pass in log inet proto udp to {$IP4 $IP6} port {isakmp, ipsec-nat-t} tag IKED
pass in log inet proto esp to {$IP4 $IP6} tag IKED
# ROADW is put on the IPsec flows by "tag ROADW" in iked.conf
pass log on enc0 inet tagged ROADW
match out log on $ExtIf inet tagged ROADW nat-to $IP4
match in log quick on enc0 inet proto { tcp, udp } to port 53 rdr-to 127.0.0.1 port 53

block in log all
# "on" takes an interface name; the original read "on $IntIP4", which matches
# nothing. The pass out rules below show the intent: block by source address.
block out log from $IntIP4
pass out quick from {$IP4 $IP6} # allow non-spoofed packets
pass out quick proto tcp from $IntIP4 to port ssh
pass out quick proto {udp tcp} from $IntIP4 to port {domain}
pass out quick inet proto icmp from $IntIP4 # allow ICMP
```
You will then need to create the directory the two table files are read from:
$ doas mkdir /etc/pf/
Then, add the list of ilines (the IRC peers that bypass the connection rate limits on the IRC ports) to /etc/pf/ilines. Entries are separated by whitespace or newlines, and # starts a comment:
```
198.251.89.130
198.251.83.183
209.141.39.184
209.141.39.228
198.251.84.240
198.251.80.229
198.251.81.119
209.141.39.173
198.251.89.91
198.251.81.44
209.141.38.137
198.251.81.133
2605:6400:0030:f8de::/64
2605:6400:0010:071b::/64
2605:6400:0020:0434::/64
2605:6400:0020:00b4::/64
2605:6400:0010:05bf::/64
2605:6400:0030:fc15::/64
2605:6400:0020:1290::/64
2605:6400:0020:0bb8::/64
2605:6400:0030:faa1::/64
2605:6400:0010:069d::/64
2605:6400:0020:05cc::/64
2605:6400:0010:00fe::/64
```
Afterwards, any badhosts can be added to /etc/pf/badhosts. Create the file even if it is empty, since the table definition reads it when the ruleset is loaded. Hosts that trip the overload limits in $Flush and $FlushStrict are added to the kernel table at run time, not to this file.
To load the new configuration:
$ doas pfctl -f /etc/pf.conf
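The steps above (create the directory and table files, load the ruleset, maintain <badhosts>) as one helper script. This is an added example, not part of the original page; it assumes OpenBSD with doas permitting pfctl and tee, and the table names and /etc/pf paths used in the sample pf.conf. Beyond the page's steps it adds a syntax check before loading, a ban helper that also kills existing states, and an expiry command for entries the overload rules add.

```sh
#!/bin/sh
# Helpers for the sample ruleset (added example, not from the original page).
# Assumes: OpenBSD, doas allowed for pfctl and tee, tables <badhosts> and
# <ilines> loaded from files under /etc/pf as in the sample pf.conf.

PF_CONF=${PF_CONF:-/etc/pf.conf}
PF_DIR=${PF_DIR:-/etc/pf}

# Shape check for one table entry: IPv4 with optional /0-32, or IPv6 with
# optional /0-128.  Hostnames are rejected on purpose: "persist file" tables
# are read when the ruleset loads, so a name that does not resolve at boot
# would break the load.  Octet ranges are not checked; this is a sanity
# filter, not a full parser.
is_addr_or_net() {
    printf '%s\n' "$1" | grep -Eq \
        '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' && return 0
    printf '%s\n' "$1" | grep -Eq \
        '^[0-9a-fA-F:]*:[0-9a-fA-F:]*(/([0-9]|[1-9][0-9]|1[01][0-9]|12[0-8]))?$' && return 0
    return 1
}

# Validate a table file the way pfctl reads it: whitespace-separated entries,
# '#' starts a comment.  Prints every bad entry; returns 1 if there was one.
check_table_file() {
    file=$1 bad=0
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    for entry in $(sed 's/#.*//' "$file"); do
        if ! is_addr_or_net "$entry"; then
            echo "$file: bad entry: $entry" >&2
            bad=1
        fi
    done
    return $bad
}

# First-time setup: both files must exist before the ruleset is loaded,
# even while badhosts is still empty.
setup_tables() {
    doas mkdir -p "$PF_DIR"
    doas touch "$PF_DIR/ilines" "$PF_DIR/badhosts"
}

# Validate the table files, parse the ruleset without loading it (-n), and
# only then load it, so a typo cannot leave the box without a firewall.
load_ruleset() {
    check_table_file "$PF_DIR/ilines" || return 1
    check_table_file "$PF_DIR/badhosts" || return 1
    doas pfctl -nf "$PF_CONF" && doas pfctl -f "$PF_CONF"
}

# Ban an address now and make it stick: add it to the live table, record it
# in the file (the table is rebuilt from the file on the next reload), and
# kill states it already holds, since "block in" only sees new connections.
ban_host() {
    is_addr_or_net "$1" || { echo "refusing to ban '$1'" >&2; return 1; }
    doas pfctl -t badhosts -T add "$1"
    printf '%s\n' "$1" | doas tee -a "$PF_DIR/badhosts" >/dev/null
    doas pfctl -k "$1"
}

# Entries added by "overload <badhosts>" never age out on their own.  Run
# this from cron to drop entries idle for more than the given seconds
# (default one day); entries that also live in the file come back on reload.
expire_badhosts() {
    doas pfctl -t badhosts -T expire "${1:-86400}"
}

show_badhosts() {
    doas pfctl -t badhosts -T show -v
}

case "${1-}" in
    setup)  setup_tables ;;
    load)   load_ruleset ;;
    ban)    ban_host "$2" ;;
    expire) expire_badhosts "$2" ;;
    show)   show_badhosts ;;
esac
```

Typical use is `sh pf-tables.sh setup`, then `sh pf-tables.sh load` after every edit of pf.conf or the table files, and `sh pf-tables.sh ban 198.51.100.7` when a host needs to go. The ban helper kills the host's states because adding an address to <badhosts> does not touch connections that already have state; the overload rules get that for free through `flush global`.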
See Also
PF Guide | DDoS Filtering Guide | tcpdump