132 lines
4.4 KiB
Text
132 lines
4.4 KiB
Text
\##########################################################################
|
|
## Modern configuration with multiple IPv4 + IPv6, Multicast Lockdown
|
|
## Multi-homed DNS lockdown, JS stack cache friendly, Redis Lockdown
|
|
#
|
|
## FreeBSD 14.0, Dragonfly BSD 6.4 compatible
|
|
#
|
|
## Unbound DNS with Quad9 DoT - Tertiary IPv6 ## UNCOMMENT for FreeBSD 14.1
|
|
## Localhost Redis DB
|
|
#
|
|
## Elias Christopher Griffin
|
|
## https://www.quadhelion.engineering
|
|
#
|
|
## LICENSE: CC BY-NC-SA 4.0
|
|
##
|
|
##########################################################################
|
|
|
|
##########################################################################
|
|
## Special thanks to https://forums.freebsd.org/members/mickey.4512/
|
|
##########################################################################
|
|
|
|
|
|
|
|
##########################################################################
|
|
## Macros
|
|
## CUSTOMIZE
|
|
##########################################################################
|
|
ext_if = "vio0"
|
|
ipv6 = "SET IP HERE"
|
|
ssh_port = "1974"
|
|
admin_ips = "{107.77.1.1 107.77.1.2}"
|
|
admin_ip_range = "107.77.1.1. - 107.77.254.254"
|
|
|
|
##########################################################################
|
|
## NO CUSTOMIZE ##
|
|
##
|
|
## IPv6 link-local, MC
|
|
##########################################################################
|
|
|
|
PFX_LNKLOC = "FE80::/10"
|
|
|
|
# IPv6 Solicited Node Multicast Prefix.
|
|
MC_SOLNOD = "FF02::1:FF00:0/104"
|
|
|
|
# IPv6 All Nodes Link Local Multicast Address.
|
|
MC_NODLNK = "FF02::1"
|
|
|
|
|
|
|
|
##########################################################################
|
|
## Basic policy
|
|
## IPv6 Link-Local, Multicast, bugs with no-df
|
|
## Big Tech Email servers using 1460 sized segments
|
|
##########################################################################
|
|
scrub in all
|
|
|
|
|
|
|
|
##########################################################################
|
|
## Last rule wins, so start with blocking everything incoming
|
|
##########################################################################
|
|
# block in log all
|
|
|
|
|
|
|
|
##########################################################################
|
|
## Keep loopback fast, skipping filter
|
|
##########################################################################
|
|
set skip on lo
|
|
|
|
|
|
|
|
##########################################################################
|
|
## Allow all out from host itself
|
|
## Allow Time and DNS out, remove logs once tested working
|
|
##########################################################################
|
|
pass out inet all keep state
|
|
pass out log proto udp to port 123 keep state
|
|
|
|
|
|
## Allow Quad9 IPv6, DNS over TLS with ECS, stateful return
|
|
# pass out log on $ext_if proto { udp tcp } from $ipv6 to { 2620:fe::11, 2620:fe::fe:11 } port 853 keep state
|
|
|
|
|
|
|
|
##########################################################################
|
|
## Allow IPv6 Multicast, BGP
|
|
## Ping, traceroute disallowed
|
|
##########################################################################
|
|
pass inet6 proto ipv6-icmp all icmp6-type routeradv
|
|
pass inet6 proto ipv6-icmp all icmp6-type routersol
|
|
pass inet6 proto ipv6-icmp all icmp6-type neighbradv
|
|
pass inet6 proto ipv6-icmp all icmp6-type neighbrsol
|
|
|
|
|
|
# Allow NS from unspecified to solicited node multicast address (DAD)
|
|
pass quick inet6 proto icmp6 from :: to $MC_SOLNOD icmp6-type neighbrsol no state
|
|
|
|
|
|
# Allow IPv6 Router Discovery.
|
|
pass in quick inet6 proto icmp6 from $PFX_LNKLOC to $MC_NODLNK icmp6-type routeradv no state
|
|
|
|
|
|
# Allow IPv6 Neighbor Discovery (ND/NUD/DAD).
|
|
pass in quick inet6 proto icmp6 from { $PFX_LNKLOC, ($ext_if:network) } to { ($ext_if), $MC_SOLNOD } icmp6-type neighbrsol no state
|
|
pass in quick inet6 proto icmp6 from { $PFX_LNKLOC, ($ext_if:network) } to { ($ext_if), $MC_NODLNK } icmp6-type neighbradv no state
|
|
|
|
# Allow SSH
|
|
pass quick proto tcp from $admin_ips to port $ssh_port
|
|
|
|
##########################################################################
|
|
## Packet filtering
|
|
## Watch pf in realtime: $ tcpdump -n -e -ttt -i pflog0
|
|
## Correlate to rules: $ pfctl -vvsr
|
|
##########################################################################
|
|
antispoof log quick for $ext_if
|
|
|
|
|
|
## Block anything coming form source we have no back routes for
|
|
block drop in log from no-route to any
|
|
|
|
# Block outside access to Redis
|
|
block in log on ! lo0 proto tcp to port 6379
|
|
|
|
|
|
## Block packets whose ingress interface does not match the one
|
|
## the route back to their source address
|
|
block drop in log from urpf-failed to any
|
|
|
|
|
|
# By default, do not permit remote connections to X11
|
|
block return in log on ! lo0 proto tcp to port 6000:6010
|
|
|