aboutsummaryrefslogtreecommitdiff
path: root/content/docs
diff options
context:
space:
mode:
authorJulien Dessaux2022-05-23 18:11:56 +0200
committerJulien Dessaux2022-05-23 18:11:56 +0200
commit1577007f83a3d3210bc1280cc324702a8fe0002c (patch)
tree97b15a1096ddc03acbe04e985a8124ca0588cb54 /content/docs
parentUpdated dependencies (diff)
downloadwww-1577007f83a3d3210bc1280cc324702a8fe0002c.tar.gz
www-1577007f83a3d3210bc1280cc324702a8fe0002c.tar.bz2
www-1577007f83a3d3210bc1280cc324702a8fe0002c.zip
Updated freebsd pf article
Diffstat (limited to 'content/docs')
-rw-r--r--content/docs/freebsd/pf.md21
1 files changed, 15 insertions, 6 deletions
diff --git a/content/docs/freebsd/pf.md b/content/docs/freebsd/pf.md
index d94db23..e6cf6e7 100644
--- a/content/docs/freebsd/pf.md
+++ b/content/docs/freebsd/pf.md
@@ -9,11 +9,9 @@ tags:
## pf.conf
-The open ports list is refined depending on the usage obviously... It is just a template :
+The open ports list is refined depending on the usage obviously... It is just a template:
```conf
-ext_if=vtnet0
-
scrub in all
table <jails> persist
@@ -22,17 +20,28 @@ table <private> const { 10/8, 172.16/12, 192.168/16, fd00::/8 fe80::/10 }
table <internet> const { 0.0.0.0/0, !10/8, !172.16/12, !192.168/16, ::/0, fe80::/10, !fd00::/8 }
##### Basic rules #####
-nat pass on $ext_if from <jails> to <internet> -> ($ext_if:0)
+nat pass on egress from <jails> to <internet> -> (egress:0)
rdr-anchor "rdr/*"
set skip on lo
block return log
##### This firewall #####
-block drop in on $ext_if
+block drop in on egress
pass inet proto icmp all icmp-type unreach code needfrag # MTU path discovery
pass inet proto icmp all icmp-type { echoreq, unreach } # echo reply
pass inet6 proto icmp6 all
-pass in on $ext_if proto tcp from <internet> to <myself> port { ssh, http, https, smtp, smtps, submission }
+pass in on egress proto tcp from <internet> to <myself> port { ssh, http, https, smtp, smtps, submission }
pass out from <myself> to any
+
+##### VPNs #####
+pass in on egress proto udp from <internet> to <myself> port 342
+pass in on wg0 from <private> to <myself>
+pass in on wg0 from <private> to <private>
+pass out on wg0 from <private> to <private>
+```
+
+A pre-requisite of this sample is to have set an `egress` group for your egress interface(s) like so in your `/etc/rc.conf`:
+```conf
+ifconfig_vtnet0="DHCP group egress"
```