49 lines
1.5 KiB
Text
49 lines
1.5 KiB
Text
# options
|
|
set optimization normal
|
|
set block-policy return
|
|
set fingerprints "/etc/pf.os"
|
|
# definitions
|
|
pf_strict = "{ re0 wlan0 ue0 }"
|
|
ext_ifs = "{ re0 wlan0 ue0 }"
|
|
|
|
vm_if = "vnat0"
|
|
vm_net = "10.0.0.0/24"
|
|
|
|
table <goonlan> const { 192.168.100.0/24, 192.168.184.0/24, 192.168.55.0/24 }
|
|
icmp_types = "{ 0, 3, 4, 8, 11, 12 }"
|
|
# base rules
|
|
set skip on lo0
|
|
|
|
# translation
|
|
## VM networking
|
|
nat on re0 from $vm_if:network to any -> (re0)
|
|
nat on wlan0 from $vm_if:network to any -> (wlan0)
|
|
nat on ue0 from $vm_if:network to any -> (ue0)
|
|
|
|
# filter
|
|
## allow ICMP pings
|
|
pass in on $pf_strict inet proto icmp all icmp-type $icmp_types
|
|
# services (ssh, nfs, smb)
|
|
tcp_services = "{ ssh nfsd rpcbind 711 957 22000 21027 }"
|
|
udp_services = "{ nfsd rpcbind 711 957 22000 }"
|
|
# rules
|
|
## allow all incoming traffic, since they could be a response to outgoing connection
|
|
## but block our service ports, and then allow it only for goonlab
|
|
## DHCP
|
|
pass in quick on $pf_strict inet proto tcp from any port 67:68 to any port { 67 68 } keep state flags S/SA
|
|
pass in quick on $pf_strict inet proto udp from any port 67:68 to any port { 67 68 } keep state
|
|
|
|
# Mark incoming traffic as blocked
|
|
block in log on $pf_strict all
|
|
# Allow services from certain subnets
|
|
pass in on $pf_strict inet proto tcp from <goonlan> to any port $tcp_services
|
|
pass in on $pf_strict inet proto udp from <goonlan> to any port $udp_services
|
|
# Allow outgoing traffic
|
|
pass out on $pf_strict all
|
|
|
|
# TAILSCALE
|
|
block in log on tailscale0 all
|
|
|
|
pass in on tailscale0 inet proto tcp from any to any port 1337
|
|
|
|
pass out on tailscale0 all
|