From 0a9954fc97333888e397f89ee52cb001a6312170 Mon Sep 17 00:00:00 2001
From: mykola2312 <49044616+mykola2312@users.noreply.github.com>
Date: Sun, 6 Oct 2024 05:06:18 +0300
Subject: [PATCH] MASSIVE improvement of PF rules

---
 pf.conf | 18 +++++++-----------
 smb4.conf | 2 ++
 2 files changed, 9 insertions(+), 11 deletions(-)

diff --git a/pf.conf b/pf.conf
index cd073f1..64be23b 100644
--- a/pf.conf
+++ b/pf.conf
@@ -21,8 +21,6 @@ nat on wlan0 from $vm_if:network to any -> (wlan0)
 nat on ue0 from $vm_if:network to any -> (ue0)
 # filter
-## allow any outgoing traffic
-pass out on pf_strict from any to any
 ## allow ICMP pings
 pass in on $pf_strict inet proto icmp all icmp-type $icmp_types
 # services (ssh, nfs, smb)
@@ -34,13 +32,11 @@ udp_services = "{ nfsd rpcbind 711 957 22000 }"
 ## DHCP
 pass in quick on $pf_strict inet proto tcp from any port 67:68 to any port { 67 68 } keep state flags S/SA
 pass in quick on $pf_strict inet proto udp from any port 67:68 to any port { 67 68 } keep state
-## services
-# if port is our service, and its coming from goonlan - allow
-pass in quick on $pf_strict inet proto tcp from to any port $tcp_services keep state
-pass in quick on $pf_strict inet proto udp from to any port $udp_services keep state
-
-# if previous rule didn't matched, that implies packet coming
-# not from goonlan, therefore block
-block in log on $pf_strict inet proto tcp from any to any port $tcp_services
-block in log on $pf_strict inet proto udp from any to any port $udp_services
+# Mark incoming traffic as blocked
+block in log on $pf_strict all
+# Allow services from certain subnets
+pass in on $pf_strict inet proto tcp from to any port $tcp_services
+pass in on $pf_strict inet proto udp from to any port $udp_services
+# Allow outgoing traffic
+pass out on $pf_strict all
diff --git a/smb4.conf b/smb4.conf
index 2c5692e..28f575b 100644
--- a/smb4.conf
+++ b/smb4.conf
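Review bot: The new catch-all `block in log on $pf_strict all` in the second hunk is evaluated after the ICMP rule kept by the first hunk (`pass in on $pf_strict inet proto icmp all icmp-type $icmp_types`), and because that pass rule carries no `quick`, pf's last-matching-rule semantics lets the block win, so pings are now dropped and logged rather than allowed. Either give the ICMP rule `quick` like the DHCP rules above it, `pass in quick on $pf_strict inet proto icmp all icmp-type $icmp_types`, or move the block rule to the top of the filter section so every later pass rule overrides it. The two service pass rules read `from to any port …`, which is not valid pf syntax; presumably a `<table>` source was lost in rendering, so it is worth confirming the committed file still carries the source restriction the comment "from certain subnets" promises. The block rule only covers `$pf_strict`; if wlan0 and ue0 are not part of that list, inbound traffic on the NAT uplinks remains unfiltered.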
@@ -5,6 +5,8 @@ bind interfaces only = yes
 interfaces = lo vnat0
 map to guest = bad user
+ min protocol = SMB2
+ ea support = yes
 [vm-shared]
 path = /home/mykola/vm-shared
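Review bot: `min protocol` is documented by Samba as a synonym for `server min protocol`; writing the canonical name, `server min protocol = SMB2`, makes the intent explicit and avoids confusion with `client min protocol`, which this change does not set. On Samba releases whose client-side default still permitted SMB1, connections this host initiates as a client could therefore still negotiate the old dialect; adding `client min protocol = SMB2` alongside closes that gap if the host also acts as a client. The hunk header announces 6/8 lines but only 6 are visible, so blank lines were likely lost in rendering; the [global] section this hunk edits starts outside the hunk.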