PF Configuration
### options –> normalization –> queueing –> translation –> filtering
### Macros ###
ext_if=”sk0″ # Menuju ke TELKOM
int_if=”sk1″ # INTRANET
### TABLES ###
table
table
table
### GLOBAL OPTIONS ###
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 10000, frags 5000 }
set loginterface $ext_if
set optimization aggressive
set block-policy drop
set require-order yes
set fingerprints “/etc/pf.os”
### TRAFFIC NORMALIZATION ###
#
scrub in all
# Port Yang Boleh Diakses dari Luar Box
ssh_ports = “{ 22 }”
im_ports = “{ 5050 5222 6667 }”
tcp_services = “{ 21 25 53 80 113 110 143 443 2082 5050 5222 6667 }”
udp_services = “{ 53 1194 }”
# Ping Requests
icmp_types = “echoreq”
### QUEUES – ALTQ rules ###
altq on $ext_if priq bandwidth 1024Kb queue { std_out, ssh_im_out, dns_out, tcp_ack_out }
queue std_out priq(default)
queue ssh_im_out priority 4 priq(red)
queue dns_out priority 5
queue tcp_ack_out priority 6
altq on $int_if cbq bandwidth 1280Kb queue { std_in, ssh_im_in, dns_in, staff_in, wfidl_in }
queue std_in bandwidth 1024Kb cbq(default)
queue ssh_im_in bandwidth 32Kb priority 4
queue dns_in bandwidth 32Kb priority 5
queue staff_in bandwidth 128Kb cbq(borrow)
queue wfidl_in bandwidth 64Kb cbq(borrow)
### TRANSLATION ###
nat on $ext_if from $int_if:network to any -> ($ext_if)
#nat-anchor “ftp-proxy/*”
#================#
## Redirections ##
#================#
rdr on $int_if proto tcp from
rdr-anchor “ftp-proxy/*”
#rdr on $int_if proto tcp from
#==================#
# Anchor Blockit #
#==================#
anchor blockit
#==================#
# Anchor FTP #
#==================#
anchor “ftp-proxy/*”
### PACKET FILTERING ###
set skip on lo0
# filter rules for $ext_if inbound #
# ============================= #
block in on $ext_if all
# filter rules for $ext_if outbound #
# ============================= #
block out on $ext_if all
pass out on $ext_if inet proto tcp from ($ext_if) to any port $tcp_services flags S/SA keep state queue(std_out, tcp_ack_out)
#pass out on $ext_if inet proto tcp from ($ext_if) to any flags S/SA keep state queue(std_out, tcp_ack_out)
#pass out on $ext_if inet proto { udp icmp } from ($ext_if) to any keep state
pass out on $ext_if inet proto icmp from ($ext_if) icmp-type $icmp_types keep state
pass out on $ext_if inet proto udp from ($ext_if) to any port $udp_services keep state
pass out on $ext_if inet proto { tcp udp } from ($ext_if) to any port domain keep state queue dns_out
pass out on $ext_if inet proto tcp from ($ext_if) to any port $ssh_ports flags S/SA keep state queue(std_out, ssh_im_out)
pass out on $ext_if inet proto tcp from ($ext_if) to any port $im_ports flags S/SA keep state queue(ssh_im_out, tcp_ack_out)
# filter rules for $int_if inbound #
# ============================ #
block in on $int_if all
pass in on $int_if from
# filter rules for $int_if outbound #
# ============================ #
block out on $int_if all
pass out on $int_if from any to
pass out on $int_if proto { tcp udp } from any port domain to
pass out on $int_if proto tcp from any port $ssh_ports to
pass out on $int_if proto tcp from any port $im_ports to
pass out on $int_if from any to
pass out on $int_if from any to
## Deny spoofing
antispoof for $ext_if
antispoof for $int_if
# Localhost
pass quick on lo0 all
kemudian
net.inet.ip.forwarding=1
lalu
named_flags=”"
ntpd=NO
ftpproxy_flags=”"
sendmail_flags=NO
pf=YES
inetd=NO
check_quotas=NO
mysql=YESS
snort=YES
<< Beranda