# Please review my pf.conf



## Remington (Jul 26, 2013)

I'm not sure if my pf.conf is optimized correctly since I have three static IP addresses given by the data center for my web server and I added three IP aliases in rc.conf.  My main concerns are the jails especially web and vps01 since both have different static IP addresses.  They do work but I'm not sure if the setup is done correctly or is there a better way of doing this.  Many thanks!


```
ext_if            = "em0"
ext_addr          = "217.10.10.156"  (ip addresses changed on purpose)
ext_addr0         = "217.10.10.157"
ext_addr1         = "217.10.10.158"
vpn_if            = "tun0"
int_if            = "lo1"
int_net           = "10.0.0.0/24"
int_net0          = "10.0.1.0/24"
int_base          = "10.0.0.9"
int_mysql         = "10.0.0.10"
int_mail          = "10.0.0.12"
int_torrent       = "10.0.0.15"
int_web           = "10.0.0.20"
int_vps01         = "10.0.0.21"

# Options: tune pf behavior
set skip on lo

# Normalization: reassemble fragments etc
scrub in all

# nat/rdr
nat on $ext_if from $int_net  to any -> ($ext_if)
nat on $ext_if from $int_net0 to any -> ($ext_if)

# Tables
table <fail2ban> persist file "/etc/pf.blacklist.conf"

# SSH to Host
rdr on $ext_if proto tcp from any to $ext_if port 22    -> $ext_addr        port 22   # SSH

# OpenVPN
rdr on $ext_if proto tcp from any to $ext_addr  port 1420  -> 10.0.1.2

# Jail - Mail
rdr on $ext_if proto tcp from any to $ext_addr  port 25    -> $int_mail        port 25   # SMTP
rdr on $ext_if proto tcp from any to $ext_addr  port 465   -> $int_mail        port 465  # SMTP SSL
rdr on $ext_if proto tcp from any to $ext_addr  port 587   -> $int_mail        port 587  # SMTP SSL, Submission
rdr on $ext_if proto tcp from any to $ext_addr  port 993   -> $int_mail        port 993  # IMAP SSL
rdr on $ext_if proto tcp from any to $ext_addr  port 995   -> $int_mail        port 995  # POP3 SSL

# Jail - Web
rdr on $ext_if proto tcp from any to $ext_addr  port 80    -> $int_web         port 80   # HTTP
rdr on $ext_if proto tcp from any to $ext_addr  port 443   -> $int_web         port 443  # HTTPS

# Jail - VPS01
rdr on $ext_if proto tcp from any to $ext_addr0 port 80    -> $int_vps01       port 80   # HTTP
rdr on $ext_if proto tcp from any to $ext_addr0 port 443   -> $int_vps01       port 443  # HTTPS

# Filtering Rules
block in

# Fail2ban
block in log quick on $ext_if from <fail2ban> to any

# Pass and Antispoofing
pass out keep state
pass quick on lo
antispoof log quick for $ext_if

# Open ports for external address
pass in  on $ext_if proto tcp to $ext_addr    port { 22, 1420 } keep state  # { ssh, openvpn }
pass out on $ext_if proto tcp to $ext_addr    port { 22, 1420 } keep state  # { ssh, openvpn }
pass in  on $ext_if proto udp to $ext_addr    port { 1194 } keep state      # { openvpn }
pass out on $ext_if proto udp to $ext_addr    port { 1194 } keep state      # { openvpn }
pass quick on $vpn_if keep state

# Open ports for Jail Mail
pass in  on $ext_if proto tcp to $int_mail    port { 25, 110, 143, 465, 587, 993, 995, 2703 } keep state
pass out on $ext_if proto tcp to $int_mail    port { 25, 110, 143, 465, 587, 993, 995, 2703 } keep state

# Open ports for Jail Web
pass in  on $ext_if proto tcp to $int_web     port { 80, 443 } keep state
pass out on $ext_if proto tcp to $int_web     port { 80, 443 } keep state

# Open ports for Jail VPS01
pass in  on $ext_if proto tcp to $int_vps01   port { 80, 443 } keep state
pass out on $ext_if proto tcp to $int_vps01   port { 80, 443 } keep state

# ICMP for ping
pass in  on $ext_if proto icmp from any to any keep state queue icmp
pass out on $ext_if proto icmp from any to any keep state queue icmp
```


----------

