authorkaa <kaa@disroot.org>2025-06-09 04:05:40 -0700
committerkaa <kaa@disroot.org>2025-06-09 04:05:40 -0700
commit135d511aa98ea481736660a888383787bef881b9 (patch)
tree9b34915d48862d15fba1f41908c3326017fd1491 /pf.conf
InitialHEADmaster
Diffstat (limited to 'pf.conf')
-rwxr-xr-xpf.conf107
1 files changed, 107 insertions, 0 deletions
diff --git a/pf.conf b/pf.conf
new file mode 100755
index 0000000..b69d69e
--- /dev/null
+++ b/pf.conf
@@ -0,0 +1,107 @@
+# $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
+#
+# See pf.conf(5) and /etc/examples/pf.conf
+
+set skip on lo
+set skip on lo1
+
+block return # block stateless traffic
+pass # establish keep-state
+
+# By default, do not permit remote connections to X11
+#block return in on ! lo0 proto tcp to port 6000:6010
+
+# Port build user does not need network
+block return out log proto {tcp udp} user _pbuild
+
+# VM networking.
+bridge = "vether0"
+match out on egress from $bridge:network to any nat-to (egress)
+
+# play difficult
+block on egress all
+
+# enable torrent
+pass out quick on egress proto tcp to any user _transmission
+pass in quick on egress proto tcp from any user _transmission
+pass quick on egress proto udp from any user _transmission
+pass quick on egress proto tcp from any user _transmission
+
+# enable openvpn
+pass quick on egress proto udp user _openvpn
+
+tcp_services = "{ssh, smtp, domain, www, pop3, auth, http, https, pop3s, irc, openvpn, git, imaps, imap, smtps, vnc}"
+# These services are not marked in /etc/services
+dict = "2628"
+# http without binding to port 80
+althttp = "8080"
+
+pass proto tcp to port $tcp_services
+# Port 587 used by disroot.
+pass proto tcp to port 587
+pass proto tcp to port $dict
+pass proto tcp to port $althttp
+
+pass proto tcp to port nfs
+pass proto udp to port nfs
+
+# DMS for Roku.
+dms="1900"
+dms_http="1338"
+pass proto tcp to port $dms
+pass proto udp to port $dms
+pass proto tcp to port $dms_http
+pass proto udp to port $dms_http
+dms_roku="35888"
+pass proto udp to port $dms_roku
+
+# Traceroute
+trace="33434"
+pass proto udp to port $trace
+
+# Enable LPR printing.
+lpr="515"
+pass proto tcp to port $lpr
+
+# Enable SANE.
+pass proto tcp to port sane-port
+pass proto udp to port sane-port
+
+# Enable BJNP.
+bjnp_print="8612"
+bjnp_scan="8613"
+pass proto tcp to port $bjnp_print
+pass proto udp to port $bjnp_print
+pass proto tcp to port $bjnp_scan
+pass proto udp to port $bjnp_scan
+
+# Enable IRC.
+irc="6667"
+pass proto tcp to port $irc
+
+udp_services = "{domain, openvpn}"
+pass out proto udp to port $udp_services
+
+# Broken DAC. Allow incoming traffic on port 12345 for it.
+dac="12345"
+pass proto tcp to port $dac
+
+# Remote sndio connection. See https://www.openbsd.org/faq/faq13.html
+# Prioritize. See pf.conf(5)
+sndio=11025
+pass proto tcp to port $sndio set prio 4
+# https://man.openbsd.org/pf.conf#QUEUEING
+
+# Xonotic
+xonotic = "26000"
+pass out proto tcp to port $xonotic
+pass out proto udp to port $xonotic
+pass in proto tcp to port $xonotic
+pass in proto udp to port $xonotic
+
+# drawterm
+pass proto tcp to port {17010,17013,17019,17020,567}
+# see drawterm/kern/devip.c
+# see https://plan9.io/wiki/plan9/drawterm/index.html
+# I like ICMP ping.
+pass proto icmp from any to any
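Review bot: The direction-less `pass proto tcp to port $tcp_services` rule (and the similar rules for `$dict`, `$althttp`, nfs, `$dms*`, `$lpr`, `$bjnp_*`, `$irc`, `$dac`, `$sndio` and the drawterm port list) matches in both directions on every interface, and because pf applies the last matching rule and `block on egress all` carries no `quick`, these rules re-open inbound TCP on egress to ssh, smtp, pop3, imap, vnc and the rest of the list despite the "play difficult" block above. If the intent is mostly outbound access, `pass out proto tcp to port $tcp_services` keeps the block effective for incoming connections, and the handful of services that must accept inbound traffic (the dac comment says "Allow incoming") get their own explicit `pass in on egress proto tcp to port $dac` line so the exposed set is visible in one place. Separately, `pass quick on egress proto tcp from any user _transmission` is a superset of the `pass in quick ...` rule two lines earlier, so one of the two can be dropped to avoid confusion about which rule is in force.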