# $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf
#
# Reading order: pf evaluates the ruleset top to bottom and the LAST
# matching rule wins, except that a rule carrying "quick" ends evaluation
# at that rule.  A rule with no "in"/"out" matches both directions and a
# rule with no "on <if>" matches every interface, so the directionless
# "pass ... to port" rules further down also apply on egress and override
# "block on egress all" for the ports they name.
#
# Loopback interfaces are not filtered at all (lo1 is presumably a second
# loopback; confirm against ifconfig).
set skip on lo
set skip on lo1
# Default policy: block everything, answering with TCP RST / ICMP
# unreachable so local programs fail fast instead of timing out.
block return # block stateless traffic
# ...then allow everything with state; everything below narrows this.
pass # establish keep-state
# By default, do not permit remote connections to X11
#block return in on ! lo0 proto tcp to port 6000:6010
# Port build user does not need network
# "log" records the blocked packets on pflog0, so a build that tries to
# reach the network is visible with tcpdump -n -e -ttt -i pflog0.
block return out log proto {tcp udp} user _pbuild
# VM networking.
# Guests on the vether0 bridge are source-NATed to the external address;
# "(egress)" in parentheses makes pf track that address if it changes.
bridge = "vether0"
match out on egress from $bridge:network to any nat-to (egress)
# play difficult
# Silently drop (no "return") all traffic on the external interface unless
# a later rule matches it.  Every "pass" below that can match egress wins
# over this line because of last-match semantics.
block on egress all
# enable torrent
# "quick" rules: the first match is final.  "user" matches on the owner of
# the local socket, so these open only what _transmission itself has open.
pass out quick on egress proto tcp to any user _transmission
pass in quick on egress proto tcp from any user _transmission
pass quick on egress proto udp from any user _transmission
# NOTE(review): this directionless rule covers both in and out, and the two
# tcp rules above already match (quick) first, so it appears redundant.
pass quick on egress proto tcp from any user _transmission
# enable openvpn
pass quick on egress proto udp user _openvpn
tcp_services = "{ssh, smtp, domain, www, pop3, auth, http, https, pop3s, irc, openvpn, git, imaps, imap, smtps, vnc}"
# These services are not marked in /etc/services
dict = "2628"
# http without binding to port 80
althttp = "8080"
# No direction and no interface: these rules pass inbound connections on
# egress to every listed port (ssh, vnc, imap, smtp, ...) from any source,
# not just outbound client traffic.  Whether a daemon listens is what
# decides exposure.  If only client access is intended for a port, add
# "out" as is done for $udp_services and $xonotic below.
pass proto tcp to port $tcp_services
# Port 587 used by disroot.
pass proto tcp to port 587
pass proto tcp to port $dict
pass proto tcp to port $althttp
pass proto tcp to port nfs
pass proto udp to port nfs
# DMS for Roku.
# Discovery/streaming ports for the media server, both directions on all
# interfaces; the Roku and any other LAN host can reach them.
dms="1900"
dms_http="1338"
pass proto tcp to port $dms
pass proto udp to port $dms
pass proto tcp to port $dms_http
pass proto udp to port $dms_http
dms_roku="35888"
pass proto udp to port $dms_roku
# Traceroute
trace="33434"
pass proto udp to port $trace
# Enable LPR printing.
lpr="515"
pass proto tcp to port $lpr
# Enable SANE.
pass proto tcp to port sane-port
pass proto udp to port sane-port
# Enable BJNP.
bjnp_print="8612"
bjnp_scan="8613"
pass proto tcp to port $bjnp_print
pass proto udp to port $bjnp_print
pass proto tcp to port $bjnp_scan
pass proto udp to port $bjnp_scan
# Enable IRC.
irc="6667"
pass proto tcp to port $irc
udp_services = "{domain, openvpn}"
# Outbound only; replies come back through the state entry.
pass out proto udp to port $udp_services
# Broken DAC. Allow incoming traffic on port 12345 for it.
# Directionless, so this is reachable from any source on egress as well;
# if the DAC has a fixed address, "from <dac address>" would narrow it.
dac="12345"
pass proto tcp to port $dac
# Remote sndio connection. See https://www.openbsd.org/faq/faq13.html
# Prioritize. See pf.conf(5)
# prio 4 is one step above pf's default priority of 3, so audio streams
# are dequeued ahead of ordinary traffic.
sndio=11025
pass proto tcp to port $sndio set prio 4
# https://man.openbsd.org/pf.conf#QUEUEING
# Xonotic
xonotic = "26000"
pass out proto tcp to port $xonotic
pass out proto udp to port $xonotic
pass in proto tcp to port $xonotic
pass in proto udp to port $xonotic
# drawterm
pass proto tcp to port {17010,17013,17019,17020,567}
# see drawterm/kern/devip.c
# see https://plan9.io/wiki/plan9/drawterm/index.html
# I like ICMP ping.
# This passes every ICMP type in both directions on all interfaces, not
# only echo requests.  "icmp-type echoreq" would limit it to ping (replies
# are matched by state); keep it broad if unreach / time-exceeded are
# wanted for path-MTU discovery and traceroute.
pass proto icmp from any to any