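# $OpenBSD: pf.conf,v 1.3 2001/11/16 22:53:24 dhartmei Exp $
#
# See pf.conf(5) for syntax and examples.
#
# NOTE(review): this file mixes the pre-4.7 translation syntax (nat/rdr/binat,
# nat-anchor/rdr-anchor, altq) with the newer "match ... scrub" form.  Only a
# narrow range of OpenBSD releases parses both; confirm with `pfctl -nf` on the
# target system before relying on it.

# Interface and host macros ($ext_if, $int_if, $lan, $asylum, ...) live here.
include "/etc/pf/macros.conf"

# State-timeout profile.  "normal" is pf's default; the long timeouts the
# original comment described ("I have the RAM to deal with it") would be
# "conservative" -- see pf.conf(5).  Left at normal to preserve behaviour.
set optimization normal

# The foreigners/spamd table below is large; raise the table-entry limit.
set limit table-entries 2000000

# Debug level: none, urgent (default), misc, loud.
set debug urgent

# Packet normalization.
#   in:  reassemble fragments and clear the DF bit.
#   out: replace the IP identification field with a random value.  random-id
#        randomizes IP IDs (not TCP sequence numbers); it defeats IP-ID based
#        counting of hosts behind the NAT.
# The old scrub rules are kept for reference; the match rules replaced them.
#scrub in all
#scrub out on $ext_if all random-id
match in all scrub (no-df)
match out all scrub (random-id)

# ALTQ priority queueing on the uplink (1800 Kb/s).  Higher number = higher
# priority; "other" is the default queue; red = random early detection.
altq on $ext_if priq bandwidth 1800Kb queue { voip, ssh, high, other, usenet, web_serv, mail, p2p, spam }
queue voip priority 14
queue ssh priority 13
queue high priority 8
queue other priority 6 priq(default)
queue usenet priority 5 priq(red)
queue web_serv priority 4
queue mail priority 3 priq(red)
queue p2p priority 1 priq(red)
queue spam priority 0 priq(red)

# Source NAT for the private ranges behind $ext_if.  $wlan (the authpf wifi)
# is deliberately not NATed here; presumably the authpf nat-anchor further
# down provides per-user NAT -- confirm against the authpf rule template.
nat on $ext_if from $lan to any -> $ext_if
nat on $ext_if from $vpnlan to any -> $ext_if
#nat on $ext_if from $wlan to any -> $ext_if
nat on $ext_if from $wlan2 to any -> $ext_if

# ICQ redirectors for the workstation (disabled).
#rdr on $ext_if proto tcp from any to $ext_if port 33000 -> $dementia port 33000
#rdr on $ext_if proto tcp from any to $ext_if port 4000 -> $dementia port 4000

# eMule redirectors for the Windows box (disabled).  The last one matches
# udp 50000-65535 "to any", not just to $ext_if; if it is ever re-enabled it
# should be narrowed to $ext_if like the others.
#rdr on $ext_if proto tcp from any to $ext_if port 4662 -> $lunacy port 4662
#rdr on $ext_if proto udp from any to $ext_if port 4672 -> $lunacy port 4672
#rdr on $ext_if proto tcp from any to $ext_if port 4672 -> $lunacy port 4672
#rdr on $ext_if proto tcp from any to $ext_if port 4666 -> $lunacy port 4666
#rdr on $ext_if proto udp from any to $ext_if port 4665 -> $lunacy port 4665
#rdr on $ext_if proto udp from any to $ext_if port 6275 -> $lunacy port 6275
#rdr on $ext_if proto udp from any to $ext_if port 2955 -> $lunacy port 2955
#rdr on $ext_if proto udp from any to $ext_if port 6279 -> $lunacy port 6279
#rdr on $ext_if proto udp from any to $ext_if port 7821 -> $lunacy port 7821
#rdr on $ext_if proto udp from any to $ext_if port 7825 -> $lunacy port 7825
#rdr on $ext_if proto udp from any to $ext_if port 3054 -> $lunacy port 3054
#rdr on $ext_if proto tcp from any to $ext_if port 39549 -> $lunacy port 39549
#rdr on $ext_if proto udp from any to $ext_if port 22738 -> $lunacy port 22738
#rdr on $ext_if proto udp from any to any port 50000:65535 -> $lunacy port 50000:65535

# Teliax SIP media (RTP range) -- only from the provider's published ranges.
# The same list is repeated in the voip pass rules further down; a table or
# macro in macros.conf would keep the three copies from drifting apart.
rdr on $ext_if proto udp from { 208.139.204.232, 207.174.202.0/24, 63.211.239.0/24, 70.42.223.0/24, 64.74.188.0/24, 8.17.37.0/24, 8.14.120.0/24 } to $ext_if port 33430:33439 -> $asylum port 33430:33439

# BitTorrent (disabled)
#rdr on $ext_if proto {tcp udp} from any to $ext_if port 6880:6889 -> $dementia port 6880:6889

# VNC -- normally off
#rdr on $ext_if proto tcp from any to $ext_if port 5800 -> $dementia port 5800
#rdr on $ext_if proto tcp from any to $ext_if port 5900 -> $dementia port 5900

# Tables.
# NOTE(review): the table names were lost when this file was extracted (the
# <angle brackets> were stripped, leaving bare "table persist", which pfctl
# rejects).  The names below are placeholders taken from the original
# comments; they must match the names used by the ssh overload rule, the
# blacklist rule, authpf(8) and any `pfctl -t` scripts on the box.
#
# known bad guys: filled by the ssh overload rule and by hand (pfctl -t ... -T add)
table <badguys> persist
# authpf users: maintained by authpf(8) as users log in and out
table <authpf_users> persist

# Redirections for spamd from foreign countries.
# This redirects every IP listed in the text file from tcp/25 to tcp/8025,
# which is the spamd tarpit.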
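# NOTE(review): the table name was stripped from the source as extracted;
# <foreigners> is a placeholder -- use the name the spamd/geoip scripts
# actually load with `pfctl -t`.  First matching rdr wins, so this must stay
# above the generic tcp/25 -> $asylum redirect below.
table <foreigners> persist file "/etc/pf/foreigners.txt"
rdr on $ext_if proto tcp from <foreigners> to $ext_if port 25 -> $ext_if port 8025

# Redirections for externally reachable services.  Most land on $asylum;
# ssh is the exception and lands on $dnssrv -- verify that is intended, the
# original comment claimed "hosted on asylum".
rdr on $ext_if proto tcp from any to $ext_if port 22 -> $dnssrv port 22        # ssh (-> $dnssrv, NOT $asylum)
rdr on $ext_if proto tcp from any to $ext_if port 25 -> $asylum port 25        # smtp
rdr on $ext_if proto tcp from any to $ext_if port 80 -> $asylum port 80        # http
rdr on $ext_if proto tcp from any to $ext_if port 81 -> $asylum port 80        # http (alternate port)
rdr on $ext_if proto tcp from any to $ext_if port 8080 -> $asylum port 80      # http (alternate port)
rdr on $ext_if proto tcp from any to $ext_if port 8000 -> $asylum port 80      # http (alternate port)
#rdr on $ext_if proto tcp from any to $ext_if port 53 -> $dnssrv port 53       # dns (axfrdns) -- disabled
rdr on $ext_if proto udp from any to $ext_if port 53 -> $dnssrv port 53        # dns (tinydns)
#rdr on $ext_if proto tcp from any to $ext_if port 6667 -> $asylum port 6667   # irc - normally off
#rdr on $ext_if proto tcp from any to $ext_if port 5500 -> $asylum port 5500   # hotline
rdr on $ext_if proto udp from any to $ext_if port 4569 -> $asylum port 4569    # asterisk iax
rdr on $ext_if proto udp from any to $ext_if port 5060 -> $asylum port 5060    # asterisk sip
#rdr on $ext_if proto tcp from any to $ext_if port 8251 -> 172.22.100.251 port 80  # procurve switch for Terra

# OpenVPN from the outside terminates on the wireless interface address.
rdr on $ext_if proto udp from any to $ext_if port 1194 -> $wireless_if port 1194
# NOTE(review): this exposes the wifi captive/key-submission page (see the
# "HTTP for SSH clients and key submissions" pass rule below) to the whole
# Internet on tcp/8888.  If it is only a demo, consider restricting the
# source or removing it.
rdr on $ext_if proto tcp from any to $ext_if port 8888 -> $wireless_if port 80

# Wifi DNS: queries sent to the wifi gateway address go to the internal
# dnscache on $int_if.  (Filter rules below see $int_if as the destination.)
rdr on $wireless_if inet proto udp from any to $wireless_if port 53 -> $int_if port 53
rdr on $wireless2_if inet proto udp from any to $wireless2_if port 53 -> $int_if port 53

# Captive portal: all http from hosts that have NOT authenticated via authpf
# is redirected to the local page.  NOTE(review): the table name was stripped
# in extraction; <authpf_users> is a placeholder.  The original comment says
# this "has to be after the rdr-anchor"; because the rule excludes the table
# explicitly, its position relative to the anchor should not matter, but
# verify with `pfctl -sn` once authpf has added a user.
rdr on $wireless_if inet proto tcp from ! <authpf_users> to any port 80 -> $wireless_if port 80

# authpf anchors -- per-user translation and filter rules are loaded here.
nat-anchor "authpf/*"
rdr-anchor "authpf/*"
binat-anchor "authpf/*"

# temp for Zach (disabled)
#no rdr on $wireless_if proto tcp from 172.22.11.101 to any port 80
#nat on $ext_if from 172.22.11.101 to any -> $ext_if

# Drop all inbound IPv6 without logging.  Outbound v6 is still passed by the
# "pass out ... all" rule below; block it there too if v6 is unsupported.
block drop in quick inet6

# Spoofing protection on the untrusted interfaces ($int_if is intentionally
# not listed).
antispoof log quick for {$ext_if $wireless_if $wireless2_if} inet

# Default deny, logged, both directions; the rest of the file opens holes.
block in log all
block out log all
pass in on { $int_if $vpn_if lo0 } all
pass out on { $int_if $wireless_if $wireless2_if $vpn_if $ext_if lo0 } all

# Access point management and time sync.
pass in on $wireless_if from $wap to $wireless_if
pass in on $wireless_if proto {tcp udp} from $wap to $asylum port 123            # NTP from WAP

# Unauthenticated wifi clients need DNS and DHCP before authpf lets them out.
# DNS is limited to the gateway/cache addresses: udp/53 to $wireless_if is
# rdr'd to $int_if above (so the filter sees $int_if), and $wireless_if is
# kept for anything not redirected.  The previous "to any port 53" let
# unauthenticated guests reach arbitrary port-53 hosts on the LAN and the
# Internet (DNS tunnelling, internal recon) without authenticating.  If guests
# are handed a different resolver by DHCP, add it here.
pass in on $wireless_if proto {tcp udp} from any to { $wireless_if $int_if } port 53   # DNS
# DHCP DISCOVER/REQUEST are broadcast, so the destination has to stay open.
pass in on $wireless_if proto udp from any to any port 67                        # DHCP

pass in on $wireless_if proto tcp from $wlan to $wireless_if port 22             # SSH to the gateway
pass in on $wireless_if proto udp from $wlan to $wireless_if port 1194           # OpenVPN
pass in on $wireless_if inet proto tcp from any to $wireless_if port 80          # HTTP for SSH clients and key submissions

# Second wifi: open to the Internet but walled off from the LAN and the
# authpf wifi.
pass in on $wireless2_if from $wlan2 to any
block in on $wireless2_if from any to $lan
block in on $wireless2_if from any to $wlan

# authpf filter anchor for guests on the wifi.
anchor "authpf/*"

# temp for Zach (disabled)
#pass in on $wireless_if from 172.22.11.101 to any
#block in on $wireless_if from 172.22.11.101 to $lan
#pass in on $wireless_if proto tcp from 172.22.11.101 to $int_if port 3128
#pass in on $wireless_if proto udp from 172.22.11.101 to any port 53

# Block ICMP redirects, which can be used for man-in-the-middle attacks.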
# Block ICMP redirects on the uplink (logged) -- usable for MITM route poisoning.
block in quick log on $ext_if inet proto icmp all icmp-type redir
# Allow all other ICMP (redirects are blocked above).
# NOTE(review): this is not bound to an interface and admits every ICMP type
# from any source.  PMTU discovery only needs unreach; consider limiting
# $ext_if to the handful of types actually needed (echoreq, unreach, timex).
pass in inet proto icmp all

# Standard stuff that should never arrive from the Internet.
# Sources for which the kernel has no route at all.
block in quick log on $ext_if from no-route to any
# Nothing should talk to the limited broadcast address.
block in quick log on $ext_if from any to 255.255.255.255
# Nothing should come from private, loopback or broadcast blocks on the
# outside (the 172.22/16 LAN used inside is covered by 172.16.0.0/12).
block in quick log on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32, 127.0.0.0/8 } to any
# And this box should never try to reach those ranges via the external interface.
block return out quick log on $ext_if from any to { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32, 127.0.0.0/8 }
# Something inside is still trying to reach the old 192.168/16 network; refuse it loudly.
block return in quick log on $int_if from any to 192.168.0.0/16

# Re-invent the wheel called PeerGuardian2 (disabled).
# NOTE(review): the table name in these rules was lost in extraction
# ("from to ..."); it must be restored before any of them are re-enabled.
#table persist file "/etc/pf/pg2.txt"
#block in quick log on $ext_if proto {tcp, udp} from to {172.22.100.0/25, $ext_if} port !=25
#block return in quick log on $int_if proto {tcp udp} from $lunacy to
##block return in quick log on $int_if proto tcp from $lunacy to port 0:118
##block return in quick log on $int_if proto tcp from $lunacy to port 120:65535
##block return in quick log on {$wireless_if $vpn_if} proto {tcp, udp} from any to

# altq passes...
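# Outbound pass rules on the uplink.  "pass out ... all" above already
# permits everything; these exist to assign ALTQ queues.
#pass out on $ext_if proto {tcp udp} from any port 6880:6889 to any queue p2p   # BT
#pass out on $ext_if proto {tcp udp} from any to any port 6880:6889 queue p2p   # BT
#pass out on $ext_if proto tcp from any to any port 5500 queue p2p              # Hotline
pass out on $ext_if proto tcp from any port 25 to any queue mail                 # smtp
pass out on $ext_if proto tcp from any to any port 25 queue mail                 # smtp
pass out on $ext_if proto tcp from any port 8025 to any queue spam               # spamd
pass out on $ext_if proto tcp from any to any port 22 queue (other, ssh)         # ssh
pass out on $ext_if proto tcp from any to {216.52.162.126, 63.209.98.70, 66.194.200.14, 66.151.32.4, 69.5.0.0/19} port 2200 queue (other, ssh)  # FQ routers ssh
# NOTE(review): outbound telnet is cleartext; kept only because the author
# evidently uses it (queued as interactive).
pass out on $ext_if proto tcp from any to any port 23 queue ssh                  # telnet
pass out on $ext_if proto udp from any to any port 53 queue high                 # dns
pass out on $ext_if proto {tcp udp} from any to 128.227.205.3 port 123 queue high  # ntp
pass out on $ext_if proto tcp from any to 69.5.6.117 port 6994 queue high        # FQ IRCS
pass out on $ext_if proto tcp from any to any port 6667 queue high               # IRC
pass out on $ext_if proto udp from any to any port 4569 queue voip               # IAX
pass out on $ext_if proto udp from any port 4569 to any queue voip               # IAX
pass out on $ext_if proto udp from any to any port 5060 queue voip               # SIP
pass out on $ext_if proto udp from any port 5060 to any queue voip               # SIP
# Teliax provider ranges (same list as the media rdr above -- keep in sync).
pass out on $ext_if from any to { 208.139.204.232, 207.174.202.0/24, 63.211.239.0/24, 70.42.223.0/24, 64.74.188.0/24, 8.17.37.0/24, 8.14.120.0/24 } queue voip  # Teliax
pass in on $ext_if proto udp from { 208.139.204.232, 207.174.202.0/24, 63.211.239.0/24, 70.42.223.0/24, 64.74.188.0/24, 8.17.37.0/24, 8.14.120.0/24 } to $asylum port 33430:33439 queue voip  # Teliax
pass out on $ext_if proto udp from any to 69.5.6.162 queue voip                  # iago.futurequest.net
pass out on $ext_if proto tcp from any to 69.5.6.162 port != 22 queue voip       # iago.futurequest.net
pass out on $ext_if proto tcp from any port {80, 443} to any queue web_serv      # http replies from the web server

# ICQ uses stateless UDP for its "state" connection; disabled.
#pass in on $ext_if proto {tcp,udp} from any to any port {4000,33000}
# BT (disabled)
#pass in on $ext_if proto tcp from any to any port 6880:6889 queue p2p
# VNC (disabled)
#pass in on $ext_if proto tcp from any to any port 5800
#pass in on $ext_if proto tcp from any to any port 5900

# Inbound ssh (rdr'd to $dnssrv above) with brute-force protection: at most 20
# concurrent connections per source, and any source opening more than 10
# connections in 5 seconds is added to the overload table and has all of its
# existing states killed ("flush global").  The table is actually enforced by
# the "block in log on $ext_if from <badguys>" rule further down, which comes
# after this pass and therefore wins.
# NOTE(review): the overload table name was stripped in extraction;
# <badguys> is a placeholder and must match the table declared at the top.
pass in on $ext_if proto tcp from any to any port 22 synproxy state \
	(max-src-conn 20, max-src-conn-rate 10/5, overload <badguys> flush global) queue (other, ssh)

# Services allowed in, either to this host or redirected above to the servers.
pass in on $ext_if proto tcp from any to any port {80, 81, 8080, 8000} synproxy state queue web_serv  # http
pass in on $ext_if proto tcp from any to any port 25 synproxy state queue mail   # smtp
pass in on $ext_if proto tcp from any to any port 8025 queue spam                # spamd (local)
#pass in on $ext_if proto tcp from any to any port 209 synproxy state           # qmtp
pass in on $ext_if proto udp from any to any port 53 queue ssh                   # dns (rdr'd to $dnssrv)
# NOTE(review): the tcp/53 rdr (axfrdns) is disabled above, so this rule
# delivers tcp/53 to the firewall host itself.  Remove it or re-enable the rdr.
pass in on $ext_if proto tcp from any to any port 53 queue ssh                   # dns
#pass in on $ext_if proto tcp from any to any port 6667 queue high              # irc
# NOTE(review): nothing redirects 79/23, so these reach the firewall host
# itself.  If no decoy service is listening, "block return in log" would log
# the same probes without exposing a real daemon should one ever be started.
pass in log on $ext_if proto tcp from any to any port 79 queue p2p               # fingerd (not really)
pass in log on $ext_if proto tcp from any to any port 23 queue p2p               # telnetd (not really)
#pass in on $ext_if proto udp from any to any port 68                            # dhcp (static IP now)
#pass in on $ext_if proto tcp from any to any port 5500 queue p2p               # hotline
pass in on $ext_if proto udp from any to any port 4569 queue voip                # asterisk iax
pass in on $ext_if proto udp from any to any port 5060 queue voip                # asterisk sip
pass in on $ext_if proto udp from any to any port 1194 queue high                # OpenVPN
# NOTE(review): this is the Internet-facing side of the tcp/8888 rdr and
# exposes the wifi key-submission page to anyone; see the rdr comment.
pass in log on $ext_if proto tcp from any to $wireless_if port 80 queue other    # wifi access page demo

# Only the mail server may speak outbound SMTP; this stops spam zombies on
# the LAN/wifi/VPN.  The pass is evaluated after the block and so wins for
# $asylum only.
block in log on {$int_if $wireless_if $wireless2_if $vpn_if} proto tcp from any to !$asylum port 25
pass in on $int_if proto tcp from $asylum to any port 25 queue mail

## good IP - temporarily whitelist someone completely
#pass in on $ext_if proto tcp from [IP] to any
## bad IP - temporarily blacklist someone completely (pfctl -t <badguys> -T add ...)
# NOTE(review): table name was stripped in extraction; placeholder, see top of file.
block in log on $ext_if from <badguys> to any
#block in log on $ext_if from [IP] to any
block return in log on $int_if from any to 130.239.17.6

# Noise that is blocked but not logged, since there is tons of it.
block return in on $ext_if proto tcp from any to any port 113                    # identd
block in on $ext_if proto {tcp, udp} from any to any port 445                    # ms smb

# Windows boxes are not allowed to originate TCP at all on these interfaces
# (not only tcp/80 as the original comment said); specific pass rules below
# re-open what they need, and the proxy on this host is reachable.  This
# keeps most adware/spyware from phoning home.
# NOTE(review): "os" matching relies on passive TCP fingerprinting of the SYN
# and is trivially evaded by a host that changes its stack settings; treat it
# as a convenience, not a security boundary.
block return in log on {$int_if $wireless_if $vpn_if} proto tcp from any os "Windows" to any
# block lunacy specifically as well (disabled)
#block return in log on $int_if proto tcp from $lunacy to any
# allow them to talk to hellmouth itself, including the proxy services
#pass in on $int_if proto {tcp, udp} from {$lunacy $lunatic} to $int_if
pass in on {$int_if $wireless_if $wireless2_if $vpn_if} inet proto {tcp, udp} from any os "Windows" to $int_if

# Allow Windows to talk USENET.
pass out on $ext_if proto tcp from any to any port {119, 563} queue usenet       # NNTP
pass in on $int_if proto tcp from $lunatic to any port {119, 563} queue usenet   # NNTP
# Allow the NewsRover search function.
pass in on $int_if proto tcp from $lunatic to 70.43.164.213 port 26 queue usenet # NR search

# Updater exceptions for the Windows box: tcp/80 to specific places, because
# it is otherwise not allowed to originate TCP.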
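# AVG updates (disabled)
#pass in on $int_if proto tcp from any to 193.86.3.0/24 port 80
# Ad-Aware updates.  NOTE(review): a hard-coded vendor IP goes stale; verify
# it still belongs to the update service before keeping the hole open.
pass in on $int_if proto tcp from any to 66.117.38.101 port 80

# eMule ports (redirected above; all disabled)
#pass in on $ext_if proto tcp from any to $lunacy port {4662, 4672, 4666, 39549} queue p2p
#pass in on $ext_if proto udp from any to $lunacy port {4665, 6275, 2955, 6279, 4666, 7821, 7825, 3054, 4672, 22738} queue p2p
#pass in on $ext_if proto udp from any to $lunacy port > 50000 queue p2p
#pass out on $ext_if proto {tcp udp} from $lunacy to any port 50000:65535 queue p2p   # emule
#pass out on $ext_if proto tcp from $lunacy to any port {4661, 4662, 39549} queue p2p  # emule
#pass out on $ext_if proto tcp from $lunacy port {4661, 4662, 39549} to any queue p2p  # emule
#pass out on $ext_if proto udp from $lunacy to any port {4672, 4675, 5672, 4665, 22738} queue p2p  # emule
#pass out on $ext_if proto udp from $lunacy port {4672, 4675, 5672, 4665, 22738} to any queue p2p  # emule
#pass in on $int_if proto {tcp udp} from $lunacy to any port 50000:65535 queue p2p    # emule
#pass in on $int_if proto tcp from $lunacy to any port {4661, 4662, 39549} queue p2p   # emule
#pass in on $int_if proto tcp from $lunacy port {4661, 4662, 39549} to any queue p2p   # emule
#pass in on $int_if proto udp from $lunacy to any port {4672, 4675, 5672, 4665, 22738} queue p2p  # emule
#pass in on $int_if proto udp from $lunacy port {4672, 4675, 5672, 4665, 22738} to any queue p2p  # emule

# Block Windows networking noise in both directions without logging it.
# tcp/udp 445 (SMB over TCP) was previously only blocked inbound (see the
# unlogged ext_if rule above); it is added to the outbound list here so the
# Windows box cannot leak SMB/NTLM authentication to Internet hosts, which
# is what "both directions" was meant to cover.
block return out quick on $ext_if proto {tcp, udp} from any to any port {135:140, 42, 445}
block in quick on $ext_if proto {tcp, udp} from any to any port {135:140, 42}

# Snag all the eMule traffic not already tagged (disabled variants kept).
#pass out on $ext_if proto udp from any to any queue p2p                         # udp from lunacy
#pass in on $int_if proto {tcp,udp} from $lunacy to !172.22.100.1 port !80 queue p2p
# Everything in on $int_if is already passed by "pass in on { $int_if ... } all";
# this rule only moves $lunacy's UDP into the lowest-priority queue.
pass in on $int_if proto udp from $lunacy to any queue p2p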