# pf
#### View the blacklistd ssh blacklist
blacklistctl dump -b   # lists blocked addresses; pf only enforces them if pf.conf declares the anchor blacklistd uses: anchor "blacklistd/*" in on $ext_if
| 6 | #### Activate pf and pflog |
| 7 | sysrc pf_enable=yes |
| 8 | sysrc pflog_enable=yes |
pfctl -nf /etc/pf.conf   # parse-only check first: on a remote VPS a ruleset that fails to load, or loads "block in all" without a working ssh rule, locks you out
service pf start
| 10 | service pflog start |
| 12 | #### View pflog |
tcpdump -n -e -ttt -r /var/log/pflog   # saved log
tcpdump -n -e -ttt -i pflog0           # live, as packets are logged
| 15 | #### Most Basic pf.conf |
| 16 | ```title="/etc/pf.conf" |
# Public interface; vtnet0 is the virtio NIC typical of a VPS.
ext_if="vtnet0"

# Default deny inbound; allow all outbound and track it with state so replies
# come back in. No "set skip on lo" here, so loopback is filtered as well;
# add it if local services misbehave.
block in all
pass out all keep state

# Only ssh (tcp/22) addressed to this host's own public address is open.
# ($ext_if) in parentheses looks the address up at runtime, so a DHCP change
# does not require a reload. "keep state" is implicit on pass rules.
pass in on $ext_if proto tcp to ($ext_if) port ssh
| 23 | ``` |
| 25 | #### Reasonable config for VPS with jail support |
```title="/etc/pf.conf"
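# Public interface (virtio NIC on a VPS) and the WireGuard tunnel.
ext_if="vtnet0"
wg_if="wg0"

# pf.conf(5) orders a ruleset as options, normalization, queueing,
# translation, filtering, and FreeBSD enforces that order by default
# ("set require-order"), so every "set" line belongs up here, before scrub.
# block-policy return answers blocked TCP with a RST and other protocols with
# an ICMP unreachable: easier to debug than the default "drop", but it
# confirms to a scanner that the host is alive. Use "drop" for a quieter box.
set block-policy return
# Loopback is exempt from filtering. "lo" is the interface group, so this
# presumably covers cloned lo1-style jail loopbacks too - verify on the host.
set skip on lo

# Reassemble fragments so the filter sees whole packets.
scrub in on $ext_if all fragment reassemble

# Jail addresses are added to this table at runtime; "persist" keeps the
# (possibly empty) table alive across ruleset reloads. The nat rule
# masquerades them behind the public address, and per-jail port forwards are
# loaded into sub-anchors under rdr/ at runtime.
table <jails> persist
nat on $ext_if from <jails> to any -> ($ext_if:0)
rdr-anchor "rdr/*"

# Default deny inbound, allow all outbound with state tracking.
block in all
pass out quick keep state

# "quick" matters here: antispoof expands to plain "block drop in" rules and
# pf is last-match-wins, so without it the "pass in ... from any" rules below
# would override the antispoof blocks for packets spoofing this host or its
# network.
antispoof quick for $ext_if inet

# blacklistd's pf backend loads its block rules into sub-anchors of
# "blacklistd"; without this anchor the addresses that "blacklistctl dump -b"
# lists are never actually blocked.
anchor "blacklistd/*" in on $ext_if

# Public services. "flags S/SA keep state" is the pass-rule default, kept for
# clarity. NOTE(review): deliberately not bound to $ext_if / ($ext_if),
# presumably so that connections rdr'd to a jail via rdr/* still match after
# translation - verify before tightening.
pass in inet proto tcp from any to any port ssh flags S/SA keep state
pass in inet proto tcp from any to any port 443 flags S/SA keep state

# All ICMP is accepted; restrict with "icmp-type { echoreq, unreach }" if only
# ping and PMTU discovery are wanted.
pass in quick inet proto icmp all

# Everything arriving over the WireGuard tunnel is trusted.
pass in on $wg_if from any to any

# NOTE(review): this ruleset is IPv4-only ("inet"). If the VPS has IPv6,
# "block in all" also drops inbound ICMPv6 (neighbour discovery, router
# advertisements) and v6 connectivity will likely break; add inet6 rules
# before enabling it.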
| 45 | ``` |