Commit 98d760
2024-12-30 11:20:31 Steven Anderson: init| /dev/null .. ScriptFU/FreeBSD/pf.md | |
| @@ 0,0 1,45 @@ | |
| + | # pf |
| + | |
| + | #### view ssh blacklist |
| + | blacklistctl dump -b |
| + | |
| + | #### Activate pf and pflog |
| + | sysrc pf_enable=yes |
| + | sysrc pflog_enable=yes |
| + | service pf start |
| + | service pflog start |
| + | |
| + | #### View pflog |
| + | tcpdump -n -e -ttt -r /var/log/pflog |
| + | |
| + | #### Most Basic pf.conf |
| + | ```title="/etc/pf.conf" |
| + | ext_if="vtnet0" |
| + | |
| + | block in all |
| + | pass out all keep state |
| + | |
| + | pass in on $ext_if proto tcp to ($ext_if) port ssh |
| + | ``` |
| + | |
| + | #### Reasonable config for VPS with jail support |
| + | ``` |
| + | ext_if="vtnet0" |
| + | wg_if="wg0" |
| + | |
| + | set block-policy return |
| + | scrub in on $ext_if all fragment reassemble |
| + | set skip on lo |
| + | |
| + | table <jails> persist |
| + | nat on $ext_if from <jails> to any -> ($ext_if:0) |
| + | rdr-anchor "rdr/*" |
| + | |
| + | block in all |
| + | pass out quick keep state |
| + | antispoof for $ext_if inet |
| + | pass in inet proto tcp from any to any port ssh flags S/SA keep state |
| + | pass in inet proto tcp from any to any port 443 flags S/SA keep state |
| + | pass in quick inet proto icmp all |
| + | pass in on $wg_if from any to any |
| + | ``` |
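Review bot: `antispoof for $ext_if inet` in the VPS config has no effect against the pass rules that follow it: pf is last-match-wins, and the block rules antispoof expands to carry no `quick`, so a packet with a spoofed source that also matches `pass in inet proto tcp from any to any port ssh flags S/SA keep state` or `pass in on $wg_if from any to any` is still passed. Write it as `antispoof quick for $ext_if inet` so the spoof check terminates evaluation. Three smaller points in the same file: `set skip on lo` sits below the `scrub` line; keep both `set` options together above `scrub` so the file follows the options, normalization, translation, filtering order pfctl expects. Nothing passes the WireGuard UDP listen port in on `$ext_if`; if this host is the listening peer rather than only dialing out through `pass out quick keep state`, peers cannot complete a handshake and `pass in on $wg_if` never sees traffic, so add something like `pass in on $ext_if proto udp to ($ext_if) port 51820` with the port taken from wg0.conf (51820 is only the WireGuard default). The `blacklistctl dump -b` section at the top implies blacklistd is in use, but neither pf.conf carries the `anchor "blacklistd/*" in on $ext_if` line that blacklistd's pf helper populates, so hosts it blocks are never actually filtered; the anchor belongs in the basic config as well. Optionally narrow `pass in quick inet proto icmp all` to `icmp-type echoreq`, since the host has no reason to accept every ICMP type inbound.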