PfSense configuration

From Mann Systems

Annotated defaultish pf filter ruleset

scrub on igb0 all fragment reassemble
scrub on igb1 all fragment reassemble

anchor "relayd/*" all
anchor "openvpn/*" all
anchor "ipsec/*" all

# IPv4 link-local
block drop in log quick inet from 169.254.0.0/16 to any label "Block IPv4 link-local"
block drop in log quick inet from any to 169.254.0.0/16 label "Block IPv4 link-local"

# Default block rules
block drop in log inet all label "Default deny rule IPv4"
block drop out log inet all label "Default deny rule IPv4"
block drop in log inet6 all label "Default deny rule IPv6"
block drop out log inet6 all label "Default deny rule IPv6"

#### ICMPv6 ####
# Permit important ICMP6 anywhere
pass quick inet6 proto ipv6-icmp all icmp6-type unreach keep state
pass quick inet6 proto ipv6-icmp all icmp6-type toobig keep state
pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
pass quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state

# Permit outbound IPv6 from link-local to link-local
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state

# Permit outbound IPv6 from link-local to multicast (link-local scope)
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state

# Permit inbound IPv6 from link-local to link-local
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state

# Permit inbound IPv6 from multicast (link-local scope) to link-local
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbrsol keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbradv keep state

# Permit inbound IPv6 from link-local to multicast (link-local scope)
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state

# Permit inbound IPv6 from any to multicast (link-local scope)
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type echoreq keep state
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type routersol keep state
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type routeradv keep state
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type neighbrsol keep state
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type neighbradv keep state

#### Blocking invalid traffic ####
# IPv4 from tcp/udp port 0
block drop log quick inet proto tcp from any port = 0 to any label "Block traffic from port 0"
block drop log quick inet proto udp from any port = 0 to any label "Block traffic from port 0"
# IPv4 to tcp/udp port 0
block drop log quick inet proto tcp from any to any port = 0 label "Block traffic to port 0"
block drop log quick inet proto udp from any to any port = 0 label "Block traffic to port 0"
# IPv6 from tcp/udp port 0
block drop log quick inet6 proto tcp from any port = 0 to any label "Block traffic from port 0"
block drop log quick inet6 proto udp from any port = 0 to any label "Block traffic from port 0"
# IPv6 to tcp/udp port 0
block drop log quick inet6 proto tcp from any to any port = 0 label "Block traffic to port 0"
block drop log quick inet6 proto udp from any to any port = 0 label "Block traffic to port 0"

# Block to and from addresses in pfSense specific tables
block drop log quick from <snort2c> to any label "Block snort2c hosts"
block drop log quick from any to <snort2c> label "Block snort2c hosts"
block drop in log quick proto tcp from <sshguard> to (self) port = ssh label "sshguard"
block drop in log quick proto tcp from <webConfiguratorlockout> to (self) port = https label "webConfiguratorlockout"
block drop in log quick from <virusprot> to any label "virusprot overload table"

# Permit inbound DHCP responses on WAN
pass in quick on igb0 proto udp from any port = bootps to any port = bootpc keep state label "allow dhcp client out WAN"
# Permit outbound DHCP requests on WAN
pass out quick on igb0 proto udp from any port = bootpc to any port = bootps keep state label "allow dhcp client out WAN"

# Block inbound traffic from bogons (IP ranges from which there should be no traffic)
block drop in log quick on igb0 from <bogons> to any label "block bogon IPv4 networks from WAN"
block drop in log quick on igb0 from <bogonsv6> to any label "block bogon IPv6 networks from WAN"

# Block inbound traffic from WAN subnet on any other interface than WAN
block drop in log on ! igb0 inet from (wan_subnet/mask) to any
# Block inbound from WAN interface addresses
block drop in log inet from (wan_ip4) to any
block drop in log on igb0 inet6 from (wan_ip6_linklocal) to any

# Block inbound traffic on WAN interface from loopback, RFC1918 ranges, IPv6 Unique Local Addresses
block drop in log quick on igb0 inet from 10.0.0.0/8 to any label "Block private networks from WAN block 10/8"
block drop in log quick on igb0 inet from 127.0.0.0/8 to any label "Block private networks from WAN block 127/8"
block drop in log quick on igb0 inet from 172.16.0.0/12 to any label "Block private networks from WAN block 172.16/12"
block drop in log quick on igb0 inet from 192.168.0.0/16 to any label "Block private networks from WAN block 192.168/16"
block drop in log quick on igb0 inet6 from fc00::/7 to any label "Block ULA networks from WAN block fc00::/7"

# Anti-spoofing for LAN: block inbound traffic from the LAN subnet on any interface other than LAN, and from the LAN interface's own addresses
block drop in log on ! igb1 inet from 192.168.128.0/24 to any
block drop in log inet from 192.168.128.1 to any
block drop in log on igb1 inet6 from fe80::230:18ff:fe03:f29 to any

# Permit inbound DHCP requests and outbound DHCP responses on LAN interface
pass in quick on igb1 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
pass in quick on igb1 inet proto udp from any port = bootpc to 192.168.128.1 port = bootps keep state label "allow access to DHCP server"
pass out quick on igb1 inet proto udp from 192.168.128.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server"

# Permit all on loopback interfaces
pass in on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
pass out on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
pass in on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
pass out on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"

# Permit outbound traffic originating from the firewall host itself
pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"
pass out route-to (WANIF WANGATEWAY) inet from WANIP to ! WANSUBNET/MASK flags S/SA keep state allow-opts label "let out anything from firewall host itself"

# Permit access to HTTP/HTTPS/SSH on LAN interface
pass in quick on igb1 proto tcp from any to (igb1) port = https flags S/SA keep state label "anti-lockout rule"
pass in quick on igb1 proto tcp from any to (igb1) port = http flags S/SA keep state label "anti-lockout rule"
pass in quick on igb1 proto tcp from any to (igb1) port = ssh flags S/SA keep state label "anti-lockout rule"

anchor "userrules/*" all

# Permit inbound on LAN interface from LAN subnet to any
pass in quick on igb1 inet from 192.168.128.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"

# Permit traffic for port forwards
pass in quick on igb0 reply-to (WANIF WANGATEWAY) inet proto tcp from any to 192.168.128.10 port = ssh flags S/SA keep state label "USER_RULE: NAT Port forward to host1 ssh"
pass in quick on igb0 reply-to (WANIF WANGATEWAY) inet proto tcp from any to 192.168.128.11 port = ssh flags S/SA keep state label "USER_RULE: NAT Port forward to host2 ssh"

anchor "tftp-proxy/*" all
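The ordering of the rules above only makes sense once you keep pf's evaluation model in mind: rules are walked top to bottom, the last matching rule decides, unless a matching rule carries quick, which stops evaluation on the spot, and a packet that matches no rule at all is passed (which is why the "Default deny" rules come first). The following evaluator is an added example, not code from this page or from pfSense. It copies a subset of the rules above verbatim, resolves the <bogons> table and the (igb1)/(self) interface macros with constructed values (stated in the code), skips the reply-to target, which the page leaves as a placeholder, and handles only the syntax that subset uses.

```python
"""Minimal pf rule evaluator (added example, not pfSense code).

pf walks the ruleset top to bottom; the LAST matching rule decides, unless a
matching rule says 'quick', which ends evaluation immediately.  If no rule
matches, pf passes the packet.  Only the syntax used in RULESET is handled.
"""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Optional

# Subset of the page's ruleset, copied verbatim.  The page's IPv6 default deny
# is deliberately left out so the "no match -> pass" default can be observed.
RULESET = """
block drop in log inet all label "Default deny rule IPv4"
block drop out log inet all label "Default deny rule IPv4"
block drop log quick inet proto tcp from any port = 0 to any label "Block traffic from port 0"
block drop log quick inet proto udp from any port = 0 to any label "Block traffic from port 0"
block drop in log quick on igb0 from <bogons> to any label "block bogon IPv4 networks from WAN"
block drop in log quick on igb0 inet from 10.0.0.0/8 to any label "Block private networks from WAN block 10/8"
block drop in log quick on igb0 inet from 192.168.0.0/16 to any label "Block private networks from WAN block 192.168/16"
block drop in log on ! igb1 inet from 192.168.128.0/24 to any
pass in quick on igb1 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
pass in quick on igb1 proto tcp from any to (igb1) port = https flags S/SA keep state label "anti-lockout rule"
pass in quick on igb1 inet from 192.168.128.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
pass in quick on igb0 reply-to (WANIF WANGATEWAY) inet proto tcp from any to 192.168.128.10 port = ssh flags S/SA keep state label "USER_RULE: NAT Port forward to host1 ssh"
"""

SERVICES = {"ssh": 22, "http": 80, "https": 443, "bootps": 67, "bootpc": 68}
# Constructed stand-ins (assumptions) for pfSense's runtime tables and interface addresses.
TABLES = {"bogons": [ipaddress.ip_network("0.0.0.0/8")]}
IFADDRS = {"igb1": [ipaddress.ip_address("192.168.128.1")]}
IFADDRS["self"] = [a for addrs in list(IFADDRS.values()) for a in addrs]


@dataclass
class Rule:
    action: str
    direction: Optional[str] = None   # None matches both in and out
    quick: bool = False
    iface: Optional[str] = None
    iface_negated: bool = False       # "on ! igb1"
    af: Optional[str] = None          # inet / inet6
    proto: Optional[str] = None
    src: str = "any"
    sport: Optional[int] = None
    dst: str = "any"
    dport: Optional[int] = None
    label: str = ""


@dataclass
class Packet:
    direction: str
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_rule(line: str) -> Rule:
    toks = shlex.split(line)          # keeps the quoted label as one token
    rule = Rule(action=toks[0])
    i = 1
    while i < len(toks):
        t = toks[i]
        if t in ("drop", "log", "all", "keep", "state", "allow-opts"):
            i += 1                    # no effect on matching
        elif t in ("in", "out"):
            rule.direction = t
            i += 1
        elif t == "quick":
            rule.quick = True
            i += 1
        elif t == "on":
            i += 1
            if toks[i] == "!":
                rule.iface_negated = True
                i += 1
            rule.iface = toks[i]
            i += 1
        elif t in ("inet", "inet6"):
            rule.af = t
            i += 1
        elif t == "proto":
            rule.proto = toks[i + 1]
            i += 2
        elif t in ("from", "to"):
            addr = toks[i + 1]
            i += 2
            port = None
            if i < len(toks) and toks[i] == "port":   # "port = <number|service>"
                p = toks[i + 2]
                port = SERVICES[p] if p in SERVICES else int(p)
                i += 3
            if t == "from":
                rule.src, rule.sport = addr, port
            else:
                rule.dst, rule.dport = addr, port
        elif t in ("flags", "label"):
            if t == "label":
                rule.label = toks[i + 1]
            i += 2
        elif t in ("reply-to", "route-to"):   # skip the "(IF GATEWAY)" group
            i += 1
            while not toks[i].endswith(")"):
                i += 1
            i += 1
        else:
            raise ValueError(f"unhandled token {t!r} in rule: {line}")
    return rule


def parse_ruleset(text: str) -> list:
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def addr_matches(spec: str, ip) -> bool:
    if spec == "any":
        return True
    if spec.startswith("<"):          # pf table, e.g. <bogons>
        return any(ip in net for net in TABLES.get(spec[1:-1], []))
    if spec.startswith("("):          # interface addresses, e.g. (igb1) or (self)
        return ip in IFADDRS.get(spec[1:-1], [])
    return ip in ipaddress.ip_network(spec, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if rule.direction and rule.direction != pkt.direction:
        return False
    if rule.iface and (rule.iface == pkt.iface) == rule.iface_negated:
        return False
    if rule.af and src.version != (4 if rule.af == "inet" else 6):
        return False
    if rule.proto and rule.proto != pkt.proto:
        return False
    if rule.sport is not None and rule.sport != pkt.sport:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return addr_matches(rule.src, src) and addr_matches(rule.dst, dst)


def evaluate(rules, pkt: Packet):
    """Return (action, index of the deciding rule); index is None if nothing matched."""
    decision = ("pass", None)         # pf's implicit default when no rule matches
    for idx, rule in enumerate(rules):
        if matches(rule, pkt):
            decision = (rule.action, idx)
            if rule.quick:
                break
    return decision


RULES = parse_ruleset(RULESET)

if __name__ == "__main__":
    for pkt in (Packet("in", "igb0", "tcp", "198.51.100.7", 40000, "192.168.128.10", 22),
                Packet("in", "igb0", "tcp", "192.168.128.9", 40000, "192.168.128.10", 22),
                Packet("in", "igb1", "tcp", "192.168.128.5", 50000, "8.8.8.8", 443)):
        action, idx = evaluate(RULES, pkt)
        print(pkt, "->", action, RULES[idx].label if idx is not None else "(no rule matched)")
```

Running the demo shows the two ordering effects the page's layout relies on: the port-forward to 192.168.128.10 only passes traffic that survived every earlier quick block, so a packet with a 192.168.x.x source arriving on igb0 is dropped by the "Block private networks from WAN" rule before the forward is ever consulted, and an IPv6 packet, which nothing in this IPv4-only subset matches, falls through to pf's implicit pass, which is exactly the gap the page's "Default deny rule IPv6" lines close.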