
# pf global options (this is a generated rules.debug; values are as written by the generator).
set limit table-entries 1000000
set optimization normal
# adaptive.start / adaptive.end both 0: pf treats 0 as "off", so state timeouts are not
# shortened adaptively as the state table fills.
set timeout { adaptive.start 0, adaptive.end 0 }
# Hard caps on the state and source-node tables; once a cap is hit new states fail
# rather than old ones being evicted.
set limit states 1624000
set limit src-nodes 1624000
# hostid is the identifier pfsync peers use to tell each other apart.
set hostid 0x5fb78a44
# Debug level "urgent": only serious pf errors are logged.
set debug urgent

# User Aliases
# TCP ports published from the WAN address to 10.27.27.5 by the rdr rules in the NAT section.
# NOTE(review): this list contains 22 (SSH), 25 (SMTP) and 445 (SMB). Publishing 445 and 22
# to the Internet is high-risk; confirm each entry is intentional and prefer source
# restrictions in the matching pass rules over "from any".
mrazitko_public = "{ 22 25 80 110 143 443 445 587 993 995 8090 }"
# Tables: "persist" keeps a table alive across rule reloads even while empty; contents are
# added at runtime with pfctl -t unless a "file" is given. Each table also gets a macro of
# the same name so rules can reference it as $name.
# Blocklist table; "counters" keeps per-entry hit counts.
table <BL_spamhaus> counters persist  
BL_spamhaus = "<BL_spamhaus>"
# IPv4 bogons are read from a file at load time.
table <bogons> persist file "/usr/local/etc/bogons"
bogons = "<bogons>"
# <bogonsv6> has neither "persist" nor "file": it stays empty until something populates it
# at runtime. Note that every rule referencing <bogons>/<bogonsv6> in this file is commented out.
table <bogonsv6>
bogonsv6 = "<bogonsv6>"
# Overload tables referenced by the block rules in the filter section. Nothing in this file
# adds entries to them; they are presumably filled by max-src-* overload options or an
# external process — TODO confirm.
table <virusprot>  persist  
virusprot = "<virusprot>"
table <sshlockout>  persist  
sshlockout = "<sshlockout>"
# Per-interface network tables, maintained at runtime by the generator (empty here).
table <__wan_network>  persist  
__wan_network = "<__wan_network>"
table <__lan_network>  persist  
__lan_network = "<__lan_network>"
table <__lo0_network>  persist  
__lo0_network = "<__lo0_network>"
table <__openvpn_network>  persist  
__openvpn_network = "<__openvpn_network>"

# Plugins tables
 
# Interface whose packet/byte counters "pfctl -s info" reports (igb0 is the LAN side,
# per the rule descriptions further down).
set loginterface igb0

# Loopback and the pfsync interface bypass pf entirely: nothing below applies to them.
set skip on lo0
set skip on pfsync0

# Normalize all inbound packets (fragment reassembly etc.) before the filter rules see them.
scrub in all 


# NAT Redirects
# CARP traffic is never translated or redirected.
no nat proto carp all
no rdr proto carp all
# [prio: 200]
# Outbound NAT to the em0 (WAN) address for LAN, loopback-network and 127/8 sources.
# The port-500 rules use static-port so the source port is preserved (no proto is given, so
# they match any protocol carrying port 500; 500 is the usual IKE/ISAKMP port — presumably
# for IPsec peers behind the firewall, TODO confirm). All other traffic is rewritten to an
# ephemeral port in 1024:65535.
nat on em0 inet from (igb0:network) to any port 500 -> (em0:0) static-port # Automatic outbound rule
nat on em0 inet from (lo0:network) to any port 500 -> (em0:0) static-port # Automatic outbound rule
nat on em0 inet from 127.0.0.0/8 to any port 500 -> (em0:0) static-port # Automatic outbound rule
nat on em0 inet from (igb0:network) to any -> (em0:0) port 1024:65535 # Automatic outbound rule
nat on em0 inet from (lo0:network) to any -> (em0:0) port 1024:65535 # Automatic outbound rule
nat on em0 inet from 127.0.0.0/8 to any -> (em0:0) port 1024:65535 # Automatic outbound rule
# [prio: 300]
# Anti-lockout: management ports on the LAN interface address are never redirected away.
no rdr on igb0 proto tcp to {(igb0)} port {22} # Anti lockout, prevent redirects for protected ports to this interface ip
no rdr on igb0 proto tcp to {(igb0)} port {80} # Anti lockout, prevent redirects for protected ports to this interface ip
no rdr on igb0 proto tcp to {(igb0)} port {443} # Anti lockout, prevent redirects for protected ports to this interface ip
# [prio: 500]
# 1:1 mapping for 10.27.27.5 is disabled (commented out).
# binat on em0 from 10.27.27.5/32 to any -> 178.72.246.202/32 # mrazitko
# [prio: 600]
# Port forwards. Each forward is a WAN rdr on em0 plus NAT-reflection copies on igb0 and lo0;
# the reflection copies still match on the WAN address {(em0)} and are paired with a nat rule
# that rewrites the source so reply traffic returns through the firewall.
# NOTE(review): rdr alone does not admit traffic — whether these forwards are reachable from the
# Internet is decided by the pass rules on em0 in the filter section.
rdr on em0 inet proto tcp from {any} to {(em0)} port $mrazitko_public -> 10.27.27.5
nat on em0 inet proto tcp from (em0:network) to {10.27.27.5} -> (em0) port 1024:65535
rdr on igb0 inet proto tcp from {any} to {(em0)} port $mrazitko_public -> 10.27.27.5
nat on igb0 inet proto tcp from (igb0:network) to {10.27.27.5} -> (igb0) port 1024:65535
rdr on lo0 inet proto tcp from {any} to {(em0)} port $mrazitko_public -> 10.27.27.5
nat on lo0 inet proto tcp from (lo0:network) to {10.27.27.5} -> (lo0) port 1024:65535
# Single-port forwards to 10.27.27.4 (8745) and 10.27.27.7 (12546), same reflection layout.
rdr on em0 inet proto tcp from {any} to {(em0)} port {8745} -> 10.27.27.4 port 8745
nat on em0 inet proto tcp from (em0:network) to {10.27.27.4} port {8745} -> (em0) port 1024:65535
rdr on igb0 inet proto tcp from {any} to {(em0)} port {8745} -> 10.27.27.4 port 8745
nat on igb0 inet proto tcp from (igb0:network) to {10.27.27.4} port {8745} -> (igb0) port 1024:65535
rdr on lo0 inet proto tcp from {any} to {(em0)} port {8745} -> 10.27.27.4 port 8745
nat on lo0 inet proto tcp from (lo0:network) to {10.27.27.4} port {8745} -> (lo0) port 1024:65535
rdr on em0 inet proto tcp from {any} to {(em0)} port {12546} -> 10.27.27.7 port 12546
nat on em0 inet proto tcp from (em0:network) to {10.27.27.7} port {12546} -> (em0) port 1024:65535
rdr on igb0 inet proto tcp from {any} to {(em0)} port {12546} -> 10.27.27.7 port 12546
nat on igb0 inet proto tcp from (igb0:network) to {10.27.27.7} port {12546} -> (igb0) port 1024:65535
rdr on lo0 inet proto tcp from {any} to {(em0)} port {12546} -> 10.27.27.7 port 12546
nat on lo0 inet proto tcp from (lo0:network) to {10.27.27.7} port {12546} -> (lo0) port 1024:65535

# Filter rules. Reminder of pf evaluation: the LAST matching rule wins unless a matching rule
# carries "quick", which ends evaluation immediately.
# Drop packets whose source belongs to igb0/em0's networks but that arrive on another interface.
antispoof log for igb0 
antispoof log for em0 
# [prio: 1]
# The "block all IPv6" rule is disabled (commented out), so IPv6 is filtered like IPv4 below.
# block in log quick inet6 from {any} to {any} label "6ca899626357abaf2c44d981c904b5c5" # Block all IPv6
# Default deny. These are deliberately NOT "quick": any later pass rule that matches overrides them.
block in log inet from {any} to {any} label "02f4bab031b57d1e30553ce08e0ec131" # Default deny / state violation rule
block in log inet6 from {any} to {any} label "02f4bab031b57d1e30553ce08e0ec131" # Default deny / state violation rule
# ICMPv6 needed for neighbour discovery / path MTU (RFC 4890), scoped to link-local and
# multicast ranges except for the first rule, which accepts types 1,2,135,136 from anywhere.
pass in log quick inet6 proto ipv6-icmp from {any} to {any} icmp6-type {1,2,135,136} keep state label "09af71b030142498e74912f2a9231e00" # IPv6 RFC4890 requirements (ICMP)
pass out log quick inet6 proto ipv6-icmp from {(self)} to {fe80::/10} icmp6-type {128,129,133,134,135,136} keep state label "247d6ba2cf9b0caa4e483f8f98f7a480" # IPv6 RFC4890 requirements (ICMP)
pass out log quick inet6 proto ipv6-icmp from {(self)} to {ff02::/16} icmp6-type {128,129,133,134,135,136} keep state label "247d6ba2cf9b0caa4e483f8f98f7a480" # IPv6 RFC4890 requirements (ICMP)
pass in log quick inet6 proto ipv6-icmp from {fe80::/10} to {fe80::/10} icmp6-type {128,133,134,135,136} keep state label "27d6e2944dd9de7c2bc048c4d1e9ad96" # IPv6 RFC4890 requirements (ICMP)
pass in log quick inet6 proto ipv6-icmp from {fe80::/10} to {ff02::/16} icmp6-type {128,133,134,135,136} keep state label "27d6e2944dd9de7c2bc048c4d1e9ad96" # IPv6 RFC4890 requirements (ICMP)
pass in log quick inet6 proto ipv6-icmp from {ff02::/16} to {fe80::/10} icmp6-type {128,133,134,135,136} keep state label "9d29c2425a82c03746ea76b6cbdaa92e" # IPv6 RFC4890 requirements (ICMP)
pass in log quick inet6 proto ipv6-icmp from {::} to {ff02::/16} icmp6-type {128,133,134,135,136} keep state label "8f5ab8e9f0470eb9496ed94ec777ecf6" # IPv6 RFC4890 requirements (ICMP)
# Port 0 is never valid as a source or destination; drop early on every interface.
block in log quick inet proto {tcp udp} from {any} port {0} to {any} label "7b5bdc64d7ae74be1932f6764a591da5" # block all targeting port 0
block in log quick inet6 proto {tcp udp} from {any} port {0} to {any} label "7b5bdc64d7ae74be1932f6764a591da5" # block all targeting port 0
block in log quick inet proto {tcp udp} from {any} to {any} port {0} label "ae69f581dc429e3484a65f8ecd63baa5" # block all targeting port 0
block in log quick inet6 proto {tcp udp} from {any} to {any} port {0} label "ae69f581dc429e3484a65f8ecd63baa5" # block all targeting port 0
# Hosts placed in <sshlockout> lose access to SSH and HTTPS on the firewall itself; <virusprot>
# entries are dropped entirely. Both tables are empty in this file (see the table definitions).
block in log quick proto tcp from {<sshlockout>} to {(self)} port {22} label "669143f420c3ab4118bcb0bf4b5fd823" # sshlockout
block in log quick proto tcp from {<sshlockout>} to {(self)} port {443} label "6baefc2a9cf2536834c092a51134a45c" # sshlockout
block in log quick from {<virusprot>} to {any} label "8e367e2f9944d93137ae56d788c5d5e1" # virusprot overload table
# DHCPv4 server on the LAN interface (igb0) and DHCPv6 server on LAN link-local ranges.
pass in log quick on igb0 proto udp from {any} port {68} to {255.255.255.255} port {67} label "5168be2cca1e130b1ef2ac18161356a8" # allow access to DHCP server
pass in log quick on igb0 proto udp from {any} port {68} to {(self)} port {67} label "0b032d1bab91fc97e4a7faf03a7f17c3" # allow access to DHCP server
pass out log quick on igb0 proto udp from {(self)} port {67} to {any} port {68} label "5039e43005a9aa50eb032af274cc9aad" # allow access to DHCP server
pass in log quick on igb0 inet6 proto udp from {fe80::/10} to {fe80::/10} port {546} label "fef3d333d96a8d3558956de1fffc61cc" # allow access to DHCPv6 server on LAN
pass in log quick on igb0 inet6 proto udp from {fe80::/10} to {ff02::/16} port {546} label "fef3d333d96a8d3558956de1fffc61cc" # allow access to DHCPv6 server on LAN
pass in log quick on igb0 inet6 proto udp from {fe80::/10} to {ff02::/16} port {547} label "d2bd536587a9f5680c1f850b2d346839" # allow access to DHCPv6 server on LAN
pass in log quick on igb0 inet6 proto udp from {ff02::/16} to {fe80::/10} port {547} label "3420206ced96c01ef73fbc4ac9deb745" # allow access to DHCPv6 server on LAN
pass in log quick on igb0 inet6 proto udp from {fe80::/10} to {(self)} port {546} label "0fd202708c326aebbe44ab710b6d3652" # allow access to DHCPv6 server on LAN
pass out log quick on igb0 inet6 proto udp from {(self)} port {547} to {fe80::/10} label "83f6c28de8efae9b444094e4a5bf898c" # allow access to DHCPv6 server on LAN
# DHCP client behaviour on the WAN interface (em0). The DHCPv4 inbound rule accepts any source
# address as long as the ports are 67 -> 68, which is the normal shape for a DHCP client rule.
pass in log quick on em0 proto udp from {any} to {fe80::/10} port {546} label "dd8286ff6bd92ea385227e7803c07646" # allow dhcpv6 client in WAN
pass out log quick on em0 proto udp from {fe80::/10} port {546} to {fe80::/10} port {547} label "804495ccfd5c09b17e72422cc30c23d8" # allow dhcpv6 client out WAN
pass out log quick on em0 proto udp from {fe80::/10} port {546} to {ff02::/16} port {547} label "804495ccfd5c09b17e72422cc30c23d8" # allow dhcpv6 client out WAN
pass in log quick on em0 proto udp from {any} port {67} to {any} port {68} label "f994f615e00b8be0042263f86c79913f" # allow DHCP client on WAN
pass out log quick on em0 proto udp from {any} port {68} to {any} port {67} label "5cf7ab808da1fcbca1ddb9ba9b46b669" # allow DHCP client on WAN
# [prio: 5]
# Every bogon and private-network block below is disabled (commented out) on ALL interfaces,
# including em0 (WAN). Consequence: packets arriving on em0 with RFC 1918, loopback, CGNAT or
# bogon source addresses are not dropped by these rules; only "antispoof log for em0" above
# applies, and it covers em0's own networks only. Re-enabling at least the WAN set is the
# usual hardening recommendation.
# block in log quick on igb0 inet from {<bogons>} to {any} label "bf8a7b329d048c5183805d4f016fede9" # Block bogon IPv4 networks from LAN
# block in log quick on igb0 inet6 from {<bogonsv6>} to {any} label "14dde492ca55ec468310c537f693dc8f" # Block bogon IPv6 networks from LAN
# block in log quick on igb0 inet from {10.0.0.0/8} to {any} label "59eaa3b97b11c51ddfce6afe4f71eeb8" # Block private networks from LAN
# block in log quick on igb0 inet from {127.0.0.0/8} to {any} label "59eaa3b97b11c51ddfce6afe4f71eeb8" # Block private networks from LAN
# block in log quick on igb0 inet from {100.64.0.0/10} to {any} label "59eaa3b97b11c51ddfce6afe4f71eeb8" # Block private networks from LAN
# block in log quick on igb0 inet from {172.16.0.0/12} to {any} label "59eaa3b97b11c51ddfce6afe4f71eeb8" # Block private networks from LAN
# block in log quick on igb0 inet from {192.168.0.0/16} to {any} label "59eaa3b97b11c51ddfce6afe4f71eeb8" # Block private networks from LAN
# block in log quick on igb0 inet6 from {fc00::/7} to {any} label "b41015c9cba1b7ab9fa566f6ee78f58c" # Block private networks from LAN
# block in log quick on lo0 inet from {<bogons>} to {any} label "ea4c1d75c7d0d4ee589a59cc88870f11" # Block bogon IPv4 networks from Loopback
# block in log quick on lo0 inet6 from {<bogonsv6>} to {any} label "509540f44cde74df1d28e2bc76b0a691" # Block bogon IPv6 networks from Loopback
# block in log quick on lo0 inet from {10.0.0.0/8} to {any} label "9d59048c2ca76128e62ef15066bef954" # Block private networks from Loopback
# block in log quick on lo0 inet from {127.0.0.0/8} to {any} label "9d59048c2ca76128e62ef15066bef954" # Block private networks from Loopback
# block in log quick on lo0 inet from {100.64.0.0/10} to {any} label "9d59048c2ca76128e62ef15066bef954" # Block private networks from Loopback
# block in log quick on lo0 inet from {172.16.0.0/12} to {any} label "9d59048c2ca76128e62ef15066bef954" # Block private networks from Loopback
# block in log quick on lo0 inet from {192.168.0.0/16} to {any} label "9d59048c2ca76128e62ef15066bef954" # Block private networks from Loopback
# block in log quick on lo0 inet6 from {fc00::/7} to {any} label "e0abd0daa005c9bd545c57004e7c1603" # Block private networks from Loopback
# block in log quick on openvpn inet from {<bogons>} to {any} label "27cd8f64c4465679bd478bd7aec8646a" # Block bogon IPv4 networks from OpenVPN
# block in log quick on openvpn inet6 from {<bogonsv6>} to {any} label "e62999aed0dede04f378432b2c8b7fa7" # Block bogon IPv6 networks from OpenVPN
# block in log quick on openvpn inet from {10.0.0.0/8} to {any} label "d7a184385814e3ee66552f7d862ed84a" # Block private networks from OpenVPN
# block in log quick on openvpn inet from {127.0.0.0/8} to {any} label "d7a184385814e3ee66552f7d862ed84a" # Block private networks from OpenVPN
# block in log quick on openvpn inet from {100.64.0.0/10} to {any} label "d7a184385814e3ee66552f7d862ed84a" # Block private networks from OpenVPN
# block in log quick on openvpn inet from {172.16.0.0/12} to {any} label "d7a184385814e3ee66552f7d862ed84a" # Block private networks from OpenVPN
# block in log quick on openvpn inet from {192.168.0.0/16} to {any} label "d7a184385814e3ee66552f7d862ed84a" # Block private networks from OpenVPN
# block in log quick on openvpn inet6 from {fc00::/7} to {any} label "e830e03cba3eda2f1fcd764e40d33f4e" # Block private networks from OpenVPN
# block in log quick on em0 inet from {<bogons>} to {any} label "a785cde4d07ef9d5492b2752d6f3674c" # Block bogon IPv4 networks from WAN
# block in log quick on em0 inet6 from {<bogonsv6>} to {any} label "1abb3c3b8584670c042452464f78d963" # Block bogon IPv6 networks from WAN
# block in log quick on em0 inet from {10.0.0.0/8} to {any} label "b6e046ea0da3e8b5479bb57aa34db5b1" # Block private networks from WAN
# block in log quick on em0 inet from {127.0.0.0/8} to {any} label "b6e046ea0da3e8b5479bb57aa34db5b1" # Block private networks from WAN
# block in log quick on em0 inet from {100.64.0.0/10} to {any} label "b6e046ea0da3e8b5479bb57aa34db5b1" # Block private networks from WAN
# block in log quick on em0 inet from {172.16.0.0/12} to {any} label "b6e046ea0da3e8b5479bb57aa34db5b1" # Block private networks from WAN
# block in log quick on em0 inet from {192.168.0.0/16} to {any} label "b6e046ea0da3e8b5479bb57aa34db5b1" # Block private networks from WAN
# block in log quick on em0 inet6 from {fc00::/7} to {any} label "fb42f48e27b4fd4647cd998434aea4d7" # Block private networks from WAN
# Outbound catch-all. It is not limited to "from (self)", so besides the firewall's own traffic
# it also matches forwarded traffic leaving any interface; allow-opts additionally lets packets
# with IP options through.
pass out log from {any} to {any} keep state allow-opts label "fae559338f65e11c53669fc3642c93c2" # let out anything from firewall host itself
# Anti-lockout: management ports on the firewall are always reachable from the LAN interface.
# These are igb0-only; nothing here protects or exposes the same ports on em0.
pass in log quick on igb0 proto tcp from {any} to {(self)} port {22} keep state label "60533d555322b9f6a009f71c1c471480" # anti-lockout rule
pass in log quick on igb0 proto tcp from {any} to {(self)} port {80} keep state label "01e83daa25c4483dee217a7ecd7c9a88" # anti-lockout rule
pass in log quick on igb0 proto tcp from {any} to {(self)} port {443} keep state label "3345e04986bd5750d23b77cbbb21271f" # anti-lockout rule
# [prio: 100000]
# Firewall-originated traffic leaving via em0 for non-local destinations is pinned to the
# WAN gateway with route-to, independent of the routing table.
pass out log route-to ( em0 178.72.246.201 ) from {(em0)} to {!(em0:network)} keep state allow-opts label "49484b4b90e87d327015604798f010e9" # let out anything from firewall host itself (force gw)
# [prio: 200000]
# Spamhaus blocklist, both directions (no "in"/"out" keyword, so the rule matches either way)
# on LAN and WAN. The table is empty in this file; it only has effect once populated at runtime.
block log quick on igb0 inet from {any} to $BL_spamhaus label "16f1e34c403a8937ad744bbe07b3fbcd" # Blacklist out
block log quick on igb0 inet6 from {any} to $BL_spamhaus label "16f1e34c403a8937ad744bbe07b3fbcd" # Blacklist out
block log quick on em0 inet from {any} to $BL_spamhaus label "16f1e34c403a8937ad744bbe07b3fbcd" # Blacklist out
block log quick on em0 inet6 from {any} to $BL_spamhaus label "16f1e34c403a8937ad744bbe07b3fbcd" # Blacklist out
block log quick on igb0 inet from $BL_spamhaus to {any} label "5c8bf10db0c2d7532709c63ae0cc2dd8" # Blacklist in
block log quick on igb0 inet6 from $BL_spamhaus to {any} label "5c8bf10db0c2d7532709c63ae0cc2dd8" # Blacklist in
block log quick on em0 inet from $BL_spamhaus to {any} label "5c8bf10db0c2d7532709c63ae0cc2dd8" # Blacklist in
block log quick on em0 inet6 from $BL_spamhaus to {any} label "5c8bf10db0c2d7532709c63ae0cc2dd8" # Blacklist in
# [prio: 300010]
# VPN clients (10.27.28.0/24) may reach anything.
pass in log quick on openvpn inet from {10.27.28.0/24} to {any} keep state label "6c77ef0e529f2763ba84415551f95081" # Allow VPN
# [prio: 400000]
# NOTE(review): the next two rules are an unrestricted inbound allow on the WAN interface
# ("pass in quick on em0 ... from {any} to {any}", IPv4 and IPv6) with no description. Because
# they are "quick" and come first, every inbound packet on em0 that survived the blocks above
# is accepted here: the port-forward-specific pass rules that follow (to 10.27.27.5/.4/.7)
# can never match, and any service the firewall itself has listening on em0 is reachable from
# the Internet, guarded only by the sshlockout/virusprot/spamhaus tables, which are empty in
# this file. The default-deny rule above is not "quick" and is therefore overridden. Expected
# shape: drop these two rules, or narrow them to the forwarded destinations and ports, and give
# the rule a description so it is visible in the GUI.
pass in quick on em0 reply-to ( em0 178.72.246.201 ) inet from {any} to {any} keep state label "6f74e4ebce6bb847de9bdef1fa668ee2"
pass in quick on em0 inet6 from {any} to {any} keep state label "6f74e4ebce6bb847de9bdef1fa668ee2"
# Intended WAN allows for the port forwards (currently shadowed by the any/any rules above).
pass in quick on em0 reply-to ( em0 178.72.246.201 ) inet proto tcp from {any} to {10.27.27.5} port $mrazitko_public keep state label "031a1b174ebf7e66570e8d155fc76b16"
pass in quick on em0 reply-to ( em0 178.72.246.201 ) inet proto tcp from {any} to {10.27.27.4} port {8745} keep state label "3b6d0cfea43756fcc81925350dfe94b9"
pass in quick on em0 reply-to ( em0 178.72.246.201 ) inet proto tcp from {any} to {10.27.27.7} port {12546} keep state label "75ef2a52e7834198198a679db3ab529a"
# LAN may reach anything. No explicit "keep state"; modern pf keeps state on pass rules by
# default — TODO confirm for this pf version.
pass in quick on igb0 inet from {(igb0:network)} to {any} label "741d83dd9326e88f33e5cac5a130938d" # Default allow LAN to any rule
pass in quick on igb0 inet6 from {(igb0:network),fe80::/10} to {any} label "1508fa2eb79bb93a29d3139f87409696" # Default allow LAN IPv6 to any rule
