
---
title: pf.conf
description: The template I use on new installations
tags:
  - OpenBSD
  - pf
---


The list of open ports is obviously refined depending on what the machine does, and not all servers listen for WireGuard. It is just a template:

{{< highlight conf >}}
vpns="{ wg0 }"

# Table names below are assumed placeholders: the original identifiers are not preserved on this page.
table <me> const { self }
table <private> const { 10/8, 172.16/12, 192.168/16, fd00::/8 fe80::/10 }
table <internet> const { 0.0.0.0/0, !10/8, !172.16/12, !192.168/16, ::/0, fe80::/10, !fd00::/8 }

# Basic rules
set skip on lo
set syncookies adaptive (start 25%, end 12%)
set block-policy return
block drop in log quick from urpf-failed label uRPF
block return log

# This firewall
block drop in on egress
pass in on egress proto { icmp, icmp6 } from <internet> to <me>
pass in on egress proto tcp from <internet> to <me> port { http, https, imaps, smtp, smtps, ssh, submission }
pass out from <me> to any

# VPNs
pass in on egress proto udp from <internet> to <me> port 342
pass in on $vpns from <private> to <me>

# OpenBSD stock rules
# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010

# Port build user does not need network
block return out log proto {tcp udp} user _pbuild
{{< /highlight >}}
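As an added illustration (not part of the template or this page), a small Python model of pf's last-match-wins evaluation applied to the filter rules above: it shows why `block drop in on egress` has to come before the pass rules, how a negated table entry excludes RFC 1918 sources, and which packets the template lets through. It assumes placeholder table names (`<me>`, `<private>`, `<internet>`), a constructed host address 203.0.113.10, and leaves uRPF, `set skip on lo` and the stock X11/_pbuild rules out.

```python
import ipaddress as ip

# Constructed addresses (TEST-NET-3); the table names me/private/internet are assumed placeholders.
TABLES = {
    "me": ["203.0.113.10/32"],
    "private": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fd00::/8", "fe80::/10"],
    "internet": ["0.0.0.0/0", "!10.0.0.0/8", "!172.16.0.0/12", "!192.168.0.0/16",
                 "::/0", "fe80::/10", "!fd00::/8"],
}

def in_table(addr, name):
    """pf table lookup: the most specific entry decides, and a '!' entry excludes."""
    best = None
    for entry in TABLES[name]:
        negated = entry.startswith("!")
        net = ip.ip_network(entry.lstrip("!"))
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, negated)
    return best is not None and not best[1]

# The template's filter rules in file order (uRPF, 'set skip on lo' and the stock
# X11/_pbuild rules are not modelled). None means "any".
# (action, direction, interface, protocols, src table, dst table, ports, quick)
RULES = [
    ("block", None, None, None, None, None, None, False),                        # block return log
    ("block", "in", "egress", None, None, None, None, False),                    # block drop in on egress
    ("pass", "in", "egress", {"icmp", "icmp6"}, "internet", "me", None, False),
    ("pass", "in", "egress", {"tcp"}, "internet", "me", {80, 443, 993, 25, 465, 22, 587}, False),
    ("pass", "out", None, None, "me", None, None, False),                        # pass out from <me> to any
    ("pass", "in", "egress", {"udp"}, "internet", "me", {342}, False),
    ("pass", "in", "wg0", None, "private", "me", None, False),                   # $vpns = wg0
]

def verdict(direction, iface, proto, src, dst, port=None):
    """Evaluate one packet: pf applies the LAST matching rule unless a match is 'quick'."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    result = "pass"  # pf's implicit default when no rule matches
    for action, d, i, protos, s, t, ports, quick in RULES:
        if (d and d != direction) or (i and i != iface) or (protos and proto not in protos):
            continue
        if (s and not in_table(src, s)) or (t and not in_table(dst, t)) or (ports and port not in ports):
            continue
        result = action
        if quick:
            break
    return result
```

Calling `verdict("in", "egress", "tcp", "10.1.2.3", "203.0.113.10", 22)` returns "block" even though ssh is open, because the spoofed private source is excluded from `<internet>` by the negated entries (in the real ruleset the uRPF rule would drop it first).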