path: root/roles/pf/templates/pf.conf.j2
blob: 8819ee0c1791d17a851b48a2915305fd5697e3e5 (plain)
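# pf ruleset template for the host firewall (roles/pf/templates/pf.conf.j2).
#
# Evaluation notes (pf semantics):
#   - pf is last-match-wins unless a rule carries `quick`, which makes that
#     rule final.  The single `block in` under RULES is therefore the default
#     for anything that no later `pass ... quick` rule accepts.
#   - `set block-policy drop` discards blocked packets silently instead of
#     returning a TCP RST / ICMP unreachable.  Dropped packets are only
#     visible on pflog0, and only because the block rule is logged.
#
# NOTE: this is a Jinja2 template (.j2) but nothing is templated yet; the
# interface name is hard-coded below and must be edited for hosts whose NIC
# is not em0.

# our interface
ext_if = "em0"

# IPv6 link local prefix.
PFX_LNKLOC = "fe80::/10"

# IPv6 Solicited Node Multicast Prefix.
MC_SOLNOD = "ff02::1:ff00:0/104"

# IPv6 All Nodes Link Local Multicast Address.
MC_NODLNK = "ff02::1"

# skip loopback
set skip on lo0
# loginterface only enables per-interface counters (pfctl -s info); it does
# not log packets.  Logging is enabled per rule with `log`.
set loginterface $ext_if
set block-policy drop

# Normalise inbound packets (fragment reassembly etc.) before the rules run.
scrub in on $ext_if

## RULES ##

# Block and log all traffic not matching the rules below.
# `log` is what actually sends the dropped packets to pflog0
# (tcpdump -n -e -ttt -i pflog0); the previous rule had no `log`, so the
# comment promised logging that never happened.
block in log

# allow ssh traffic to the host on the custom port
pass in quick proto tcp to port 2223

# allow http/https
# NOTE(review): udp is passed alongside tcp, presumably for HTTP/3 (QUIC).
# If nothing serves QUIC here, restrict this rule to tcp.
pass in quick proto {tcp, udp} to port { http, https }

# allow ssh for gubbhub
pass in quick proto tcp to port 2224

# ping
pass in quick inet6 proto icmp6 icmp6-type echoreq
pass in quick inet proto icmp icmp-type echoreq

# ipv6 stuff
#
# The neighbour-discovery rules use `no state`: ND/DAD packets are single
# unsolicited datagrams that never form a flow, so a state entry would only
# waste table space.
#
# NOTE(review): ICMPv6 error messages (packet-too-big, time-exceeded,
# parameter-problem) that belong to an existing state are passed together
# with that state; errors for traffic that has no state are dropped by
# `block in log` above.  Confirm IPv6 PMTU discovery works for the services
# exposed here before relying on this ruleset.

# Allow NS from unspecified to solicited node multicast address (DAD).
pass quick inet6 proto icmp6 from :: to $MC_SOLNOD icmp6-type neighbrsol no state

# Allow IPv6 Router Discovery.
pass in quick inet6 proto icmp6 from $PFX_LNKLOC to $MC_NODLNK icmp6-type routeradv no state

# Allow IPv6 Neighbor Discovery (ND/NUD/DAD).
pass in quick inet6 proto icmp6 to { ($ext_if), $MC_SOLNOD } icmp6-type { neighbrsol, neighbradv } no state

# Allow any outgoing traffic.  pass rules keep state by default on current
# pf, so replies to connections this host initiates are matched by the state
# table and never reach the inbound rules above.
pass out

# TODO: We seem to receive neighbor advertisements not only from the local
# subnet?  How does this work?
#pass in quick inet6 proto icmp6 from { $PFX_LNKLOC, ($ext_if:network) } to { ($ext_if), $MC_SOLNOD } icmp6-type neighbrsol no state
#pass in quick inet6 proto icmp6 from { $PFX_LNKLOC, ($ext_if:network) } to { ($ext_if), $MC_NODLNK } icmp6-type neighbradv no state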