pf.conf

#	$OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf

##########################################################################
## Modern configuration with multiple IPv4 + IPv6, Multicast Lockdown
## Multi-homed DNS lockdown, JS stack cache friendly, Redis Lockdown
#
## OpenSMTPD Mail Server - Primary IP1 (No POP3)
## HTTPD Web Server - Secondary IP2 (HTTPS Primary)
## Unbound DNS - Tertiary IPv6
## Localhost Redis DB
#
## Elias Christopher Griffin 
## https://www.quadhelion.engineering
#
## LICENSE: CC BY-NC-SA 4.0
## 
##########################################################################

##########################################################################
## Special thanks to https://forums.freebsd.org/members/mickey.4512/
##########################################################################



##########################################################################
## Macros
## CUSTOMIZE
##########################################################################
ext_if = "vio0"
ipv4_1 = "198.51.100.0"
ipv4_2 = "198.51.100.1"
ipv6 = "2222:22f0:7777:0271:0000:07ff:fe677:7777"



##########################################################################
## NO CUSTOMIZE ##
##
## IPv6 link-local, MC
##########################################################################

PFX_LNKLOC = "FE80::/10"

# IPv6 Solicited Node Multicast Prefix.
MC_SOLNOD = "FF02::1:FF00:0/104"

# IPv6 All Nodes Link Local Multicast Address.
MC_NODLNK = "FF02::1"



##########################################################################
## Basic policy
## IPv6 Link-Local, Multicast, bugs with no-df
## Big Tech Email servers using 1460 sized segments
##########################################################################
match in all scrub (random-id max-mss 1460)



##########################################################################
## Last rule wins, so start with blocking everything incoming
##########################################################################
block in log all



##########################################################################
## Keep loopback fast, skipping filter
##########################################################################
set skip on lo



##########################################################################
## Allow all out from host itself
## Allow Time and DNS out, remove logs once tested working
##########################################################################
pass out inet all keep state
pass out log proto udp to port 123 keep state


## Allow Quad9 IPv6, DNS over TLS with ECS, stateful return
pass out log on $ext_if proto { udp tcp } from $ipv6 to { 2620:fe::11, 2620:fe::fe:11 } port 853 keep state


# Allow Vultr IPv6 Stateless GEOFEED
pass in quick on $ext_if from 2001:19f0:300:1704::6 to $ipv6 




##########################################################################
## Allow IPv6 Multicast, BGP
## Ping, traceroute disallowed
##########################################################################
pass inet6 proto ipv6-icmp all icmp6-type routeradv
pass inet6 proto ipv6-icmp all icmp6-type routersol
pass inet6 proto ipv6-icmp all icmp6-type neighbradv
pass inet6 proto ipv6-icmp all icmp6-type neighbrsol


# Allow NS from unspecified to solicited node multicast address (DAD)
pass quick inet6 proto icmp6 from :: to $MC_SOLNOD icmp6-type neighbrsol no state


# Allow IPv6 Router Discovery.
pass in quick inet6 proto icmp6 from $PFX_LNKLOC to $MC_NODLNK icmp6-type routeradv no state


# Allow IPv6 Neighbor Discovery (ND/NUD/DAD).
pass in quick inet6 proto icmp6 from { $PFX_LNKLOC, ($ext_if:network) } to { ($ext_if), $MC_SOLNOD } icmp6-type neighbrsol no state
pass in quick inet6 proto icmp6 from { $PFX_LNKLOC, ($ext_if:network) } to { ($ext_if), $MC_NODLNK } icmp6-type neighbradv no state



##########################################################################
## Packet filtering
## Watch pf in realtime: $ tcpdump -n -e -ttt -i pflog0
## Correlate to rules: $ pfctl -vvsr
##########################################################################
antispoof log quick for $ext_if 


## Block anything coming form source we have no back routes for
block drop in log from no-route to any


## Block packets whose ingress interface does not match the one
## the route back to their source address
block drop in log from urpf-failed to any


# By default, do not permit remote connections to X11
block return in log on ! lo0 proto tcp to port 6000:6010


# Port build user does not need network
block return out log proto {tcp udp} user _pbuild


# Block outside access to Redis
block in log on ! lo0 proto tcp to port 6379



##########################################################################
## Tables
##########################################################################

## Whitelist
table <whitelist> persist file "/etc/whitelist"
pass in quick from <whitelist> 


## Badhosts
table <badhosts> persist file "/etc/badhosts"
block in quick log from <badhosts>


## DDoS Table from rate limited Mail Server rules, line 189, killing all states
table <bruteforce> persist file "/etc/bruteforce"
block quick log from <bruteforce>

## Scanners
table <scanners> persist file "/etc/scanners"
block quick log from <scanners>

## Menace
table <menace> persist file "/etc/menace"
block quick log from <menace>



##########################################################################
## Allow SSH statefully and flag SYN/SYN-ACK, allowing "pfctl -s labels"
## 
## Rule applies to TCP packets that have the flags A/ set out of set /B
## S/SA is the default setting for stateful connections
## Of SYN and ACK, exactly SYN may be set. SYN, SYN+PSH, and SYN+RST match
## but SYN+ACK, ACK, and ACK+RST do not.
##########################################################################
pass in proto tcp to $ext_if port 22 flags S/SA keep state label ssh 



##########################################################################
## Email Server Additions
# 
## The optional flush keyword kills all states created by the matching rule 
## which originate from the host which exceeds these limits. The "global" 
## modifier to the flush command kills all states originating from the 
## offending host, regardless of which rule created the state.
##########################################################################


# Allow Mail Protocols by name, prevent bruteforce attacks on SMTP Ingress
pass in quick log on $ext_if proto tcp from any to $ipv4_1 port { smtp, smtps, submission, imaps, 993 } keep state (max-src-conn-rate 6/4, overload <bruteforce> flush global)



##########################################################################
## Web Server
## Choose 1
#
## Example httpd.conf secure redirect
#
## $OpenBSD: httpd.conf,v 1.22 2020/11/04 10:34:18 denis Exp $
#
##########################################################################
## Macros
## CUSTOMIZE
##########################################################################
#
# ext_if = "vio0"
# ipv4_1 = "198.51.100.0"
#
# server "secure-redirect" {
#        listen on $ipv4_1 port 80 block return 301 "https://$HTTP_HOST$REQUEST_URI"
# }
##########################################################################

# Allow HTTP with 301 redirect to HTTPS on IP2
pass in on $ext_if proto tcp from any to $ipv4_2 port { 80, 443 }
 

# Allow HTTPS caching friendly JS stack
#pass in on $ext_if proto tcp from any to $ipv4_2 port 443 keep state


# Allow HTTP(S) on all default routes
#pass in on egress proto tcp from any to egress port { 80, 443 }