# /etc/pf.conf # This is a configuration file for the PF packet filter # on a FreeBSD host system with jailed JonDonym mixes. # The ruleset collaborates with an additional fail2ban configuration. # The ruleset guards the host system as well as the jails. # Place the file as /etc/pf.conf in your host systems filesystem (not in a jail filesystem) # Please note all additional configuration needed to make this stuff run nice. # Please note that the ruleset below is only a first (rough) version which should get refined. ##### MACROS ##### # replace "em0" by the name of the ethernet adapter on your system ext_if="em0" local="lo0" # replace "123.123.123.123" by the IP address you use for your host system hostaddr="123.123.123.123" # jail IPs on this machine (macro not yet in use in this version) # replace the IP addresses below by the IPs you use for your mix jails jail1addr=123.123.123.124 jail2addr=123.123.123.125 # brute force ports, brute force prevention will apply to these ports # other ports will not be open according to the FreeBSD HowTo (see the wiki) bfports = "{ 22 }" icmp_types = "echoreq" ##### TABLES ##### # replace the IPs below by sources from which you need to reach your host system table { 111.111.0.0/16, 222.222.0.0/16, 123.123.123.10, 123.123.123.20, 123.123.123.30 } # /etc/pf.table.fail2ban is the textfile collecting all banned (foreign) IPs # Please note that content of this table needs to get saved to the table file by cronjob # in short intervalls (and vice versa needs to get reloaded). See the wiki for details. table persist file "/etc/pf.table.fail2ban" ##### RULES ##### # options set block-policy drop set skip on $local # normalization scrub in all # filtering: block all IPs from the blocklist without any further evaluation block in quick on $ext_if inet from ##### IN going traffic ##### # for SSH allow only hosts from the myhosts table pass in quick on $ext_if proto { tcp, udp } from to $hostaddr port 22 keep state # add IPs used for brute force attacks to table fail2ban, flush pass in on $ext_if proto tcp from any to any port $bfports flags S/SA keep state (max-src-conn 100, max-src-conn-rate 15/5, overload flush global) # allow ping (ICMP) pass in on $ext_if inet proto icmp all icmp-type $icmp_types keep state # allow traceroute (UDP) pass in on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state ##### OUT going traffic ##### # no limitations for outgoing traffic this time pass out quick on $ext_if proto { tcp, udp } all pass out quick on $local proto { tcp, udp } all