OpenBSD PF Firewall Script – /etc/pf.conf File

Author: Last updated: May 10, 2009 13 comments

Following script will protect collocated FreeBSD / OpenBSD / NetBSD server running PF firewall. My box has 2 interface one for VPN and other for public interface. I only run http, dns and ssh on public port. Read pf, rc.conf and pf.conf man page for details. Tested on FreeBSD and OpenBSD.

Sample /etc/pf.conf

#### First declare a couple of variables ####
### Outgoing tcp / udp port ####
### 43 - whois, 22 - ssh ###
tcp_services = "{ ssh, smtp, domain, www, https, 22, ntp, 43,ftp, ftp-data}"
udp_services = "{ domain, ntp }"
### allow ping / pong ####
icmp_types = "{ echoreq, unreach }"
 
#### define tables. add all subnets and ips to block
table <blockedip> persist file "/etc/pf.block.ip.conf"
 
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"
 
### admin server ranges ###
adminrange = "112.220.11.0/23"
 
# connected to internet
ext_if = "em1"  
# connected to vpn / lan
int_if = "em0"
 
##### ftp proxy
#proxy="127.0.0.1"
#proxyport="8021"
 
#### Normalization
#scrub provides a measure of protection against certain kinds of attacks based on incorrect handling of packet fragments
scrub in all
 
#### NAT and RDR start
#nat-anchor "ftp-proxy/*"
#rdr-anchor "ftp-proxy/*"
 
# redirect ftp traffic
#rdr pass proto tcp from any to any port ftp -> $proxy port $proxyport
 
# Drop incoming everything 
block in all 
block return 
 
# keep stats of outgoing connections
pass out keep state
 
# We need to have an anchor for ftp-proxy
#anchor "ftp-proxy/*"
 
# unlimited traffic  for loopback and lan / vpn
set skip on {lo0, $int_if}
 
# activate spoofing protection for all interfaces
block in quick from urpf-failed
 
#antispoof is a common special case of filtering and blocking. This mechanism protects against activity from spoofed or forged IP addresses
antispoof log for $ext_if
 
#Block RFC 1918 addresses
block drop in log (all)  quick on $ext_if from $martians to any
block drop out log (all) quick on $ext_if from any to $martians
 
 
# Block all ips
# pfctl -t blockedip -T show
block drop in log (all)  quick on $ext_if from <blockedip> to any
block drop out log (all) quick on $ext_if from any to <blockedip>
 
# allow outgoing 
pass out on $ext_if proto tcp to any port $tcp_services
pass out on $ext_if proto udp to any port $udp_services
 
# Allow trace route
pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state
 
# Allow admin to get into box
pass in on $int_if from $adminrange to any
 
# Allow incoming ssh, http, bind traffic
# pass in  on $ext_if proto tcp from any to any port 25
pass in on $ext_if proto tcp from any to any port ssh  flags S/SA synproxy state
pass in on $ext_if proto udp from any to any port domain 
pass in on $ext_if proto tcp from any to any port domain flags S/SA synproxy state
pass in on $ext_if proto tcp from any to any port http flags S/SA synproxy modulate state
pass inet proto icmp all icmp-type $icmp_types keep state
## add your rule below ##
Get the latest tutorials on SysAdmin, Linux/Unix, Open Source, and DevOps topics:
Related Shell Scripts:
CategoryList of Unix and Linux commands
File Management cat
Firewall CentOS 8 OpenSUSE RHEL 8 Ubuntu 16.04 Ubuntu 18.04 Ubuntu 20.04
Network Utilities dig host ip nmap
OpenVPN CentOS 7 CentOS 8 Debian 10 Debian 8/9 Ubuntu 18.04 Ubuntu 20.04
Package Manager apk apt
Processes Management bg chroot cron disown fg jobs killall kill pidof pstree pwdx time
Searching grep whereis which
User Information groups id lastcomm last lid/libuser-lid logname members users whoami who w
WireGuard VPN CentOS 8 Debian 10 Firewall Ubuntu 20.04
13 comments… add one
  • Bruce May 14, 2012 @ 19:54

    You probably don’t want to block all the other icmp types like fragmentation-needed – it breaks things in a subtle but annoying way!

    Reply Link
  • Rani Apr 3, 2011 @ 11:04

    pass quick proto tcp from $table to $ext_if port 22 flags S/SA keep state

    and if you want ssh brute force options;

    table persist file “/etc/bruteforce.conf”
    pass quick proto tcp from $table to $ext_if port 22 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload flush global)

    Reply Link
  • circus Feb 19, 2011 @ 19:29

    And I think we should use

    block all
    Reply Link
  • circus Feb 19, 2011 @ 19:27

    Hi, CMIIW but this rule:

        pass out keep state

    just makes this rules:

        pass out on $ext_if proto tcp to any port $tcp_services
    pass out on $ext_if proto udp to any port $udp_services

    a bit pointless? I’m still able to connect to any ports.

    Reply Link
  • bastian Dec 8, 2010 @ 23:07

    How can i block port 22 to public and give permission to specific ip address

    Reply Link
    • phaleon Dec 9, 2010 @ 22:22

      here is what I have done
      ## ips ok for ssh
      table { 1.2.3.4, 5.6.7.8, 9.10.11.12 }

      # and then
      pass in on $ext_iface proto tcp from to any port 22 flags S/SA synproxy state

      Reply Link
  • Amza Marian Sep 29, 2009 @ 1:49

    It is ok. Simple and great.

    Normally, a client connects to the server and we handshake with them, then proceed to exchange data. by telling pf to handshake proxy between the client and server, tcp syn flood attacts from ddos become uneffective because a spoofed client cannot complete a handshake.

    As Dirk Gently says: More comments are welcome.

    Reply Link
  • 🐧 Vivek Gite May 10, 2009 @ 23:01

    Yes, it was a typo. Thanks for the heads-up!

    Reply Link
  • Waitman Gobble May 9, 2009 @ 5:55

    oops, i think the problem might be
    pass in on $ext_if proto tcp from ant to any port ssh flags S/SA synproxy state

    “ant” should be “any” ?

    Reply Link
  • Waitman Gobble May 9, 2009 @ 5:47

    freebsd 7.2-RELEASE – I believe it ships with pf @ OpenBSD 4.1

    notes:

    1) “$ext_if proto tcp from any to any port http flags S/SA synproxy modulate state”
    throws me a syntax error, I understand that using synproxy and modulate is redundant, ie synproxy includes modulate and keep.

    2) using synproxy with ssh ain’t happening for me, not yet sure – researching.

    3) in pf @ OpenBSD 4.1, default TCP flags are S/SA keep state

    thanks, keep up the great work.

    Reply Link
    • Andrei Jun 23, 2009 @ 14:53

      # synproxy state – proxies incoming TCP connections to help protect servers from spoofed TCP SYN floods. This option includes the functionality of keep state and modulate state.

      Reply Link
  • Dirk Gently Feb 4, 2009 @ 3:46

    Good work vivec. great help when pf.conf is lacking comments. ;)

    Reply Link
  • Hekko Nov 29, 2008 @ 14:47

    This was very helpful :) Thank You ;-)

    Regards
    http://hekko.eu

    Reply Link

Leave a Reply

Your email address will not be published. Required fields are marked *

Use HTML <pre>...</pre>, <code>...</code> and <kbd>...</kbd> for code samples.

Next script:

Previous script: