
pf-bedtime

A pf configuration that enforces bedtime
git clone http://ratfactor.com/repos/pf-bedtime/pf-bedtime.git

pf-bedtime/pf.conf


# /etc/pf.conf - minimal router/firewall with NAT for a LAN

# To load changes, run:
# pfctl -f /etc/pf.conf

# Interfaces and networks
external_if = "em0"
local_if = "em1"
localnet = $local_if:network

# Table created by dhcpd (see /etc/rc.conf.local)
table <leased_ips> persist counters

# Table created by me (see /home/dave/bedtime)
table <bedtime_exempt> persist counters

# Default behaviors
set loginterface $external_if
set skip on lo
antispoof for $external_if
antispoof for $local_if

# Normalize traffic
#match in all scrub (no-df random-id max-mss 1440)

# NAT for LAN to the current $external_if address
# * Note that to enable NAT in the first place, the kernel has IP forwarding
#   turned on in /etc/sysctl.conf: net.inet.ip.forwarding=1
# The parens around ($external_if) are to allow the DHCP-assigned (from the
# ISP) IP address to change and for the rule to still work.
match out on $external_if inet from $localnet nat-to ($external_if)

# Packet rules
# ------------------------------------------------------------------
# Terminology (in the correct syntax order):
#   in/out = packet direction to the interface
#   on     = interface
#   from   = packet's origination
#   to     = packet's destination
#   port   = port

# Default deny
block all

# UDP for domain and network time protocols
# Without this rule, DNS lookup slowed down to a crawl. Standard DNS queries
# use udp!
pass quick proto udp to port { domain ntp }
# DNS also uses tcp sometimes
pass quick proto tcp to port domain

# Allow ping (echo) icmp packets both directions
# and MTU messages (unreach)
pass quick inet proto icmp icmp-type { echoreq unreach }
# Allow traceroute udp packets
pass out on $external_if inet proto udp to port 33433:33626

# Allow all traffic from LAN and from gateway itself to pass
# 'self' is a pf reserved word for all addresses assigned to interfaces on the
# local host.
pass proto tcp from self

# Here's the main rule allowing traffic from the local LAN to
# the internet. We modify this by changing the bedtime anchor
# via external tools. E.g.: echo "..." | pfctl -a bedtime -f -
anchor bedtime {
    # the default "awake" rule, bedtime not enforced
    pass proto tcp from <leased_ips>
}
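The comment on the bedtime anchor says its rules are swapped from outside with pfctl. The following /bin/sh helper is an added example of such a tool, written for this page; it is not the /home/dave/bedtime script the config refers to (which is not on the page). The file name bedtime.sh, the sleep/wake modes, the use of 'block return' and the example address 192.0.2.10 are my assumptions; the table names and the anchor name come from pf.conf above.

```sh
#!/bin/sh
# bedtime.sh (hypothetical helper, not the repo's /home/dave/bedtime script)
# Swaps the rules inside the "bedtime" anchor of /etc/pf.conf without
# reloading the whole ruleset:  bedtime_rules MODE | pfctl -a bedtime -f -
set -eu

ANCHOR="bedtime"

# Print the anchor ruleset for MODE (sleep|wake). Only TCP is touched, matching
# the anchor's default rule; DNS, NTP and ICMP pass via 'quick' rules earlier in
# the main ruleset, so they keep working during bedtime.
bedtime_rules() {
    case "$1" in
        sleep)
            # Last matching rule wins in pf, so the exempt pass comes after the
            # block: a host in both tables keeps its access. 'return' sends a
            # RST so blocked clients fail fast instead of hanging.
            printf '%s\n' \
                'block return proto tcp from <leased_ips>' \
                'pass proto tcp from <bedtime_exempt>'
            ;;
        wake)
            # the default "awake" rule from pf.conf
            printf '%s\n' 'pass proto tcp from <leased_ips>'
            ;;
        *)
            echo "bedtime_rules: unknown mode '$1'" >&2
            return 1
            ;;
    esac
}

# Replace the anchor's rules in the running pf (needs root).
bedtime_apply() {
    bedtime_rules "$1" | pfctl -a "$ANCHOR" -f -
}

# Command-line dispatch; with no argument only the functions are defined,
# so the file can also be sourced.
case "${1:-}" in
    sleep|wake) bedtime_apply "$1" ;;
    rules)      bedtime_rules "${2:-}" ;;
    show)       pfctl -a "$ANCHOR" -s rules ;;                 # current anchor rules
    exempt)     pfctl -t bedtime_exempt -T add "${2:?addr}" ;; # e.g. exempt 192.0.2.10
    "")         ;;
    *)          echo "usage: $0 sleep|wake|rules MODE|show|exempt ADDR" >&2; exit 2 ;;
esac
```

Run `bedtime.sh sleep` and `bedtime.sh wake` from root's crontab at the chosen times; `bedtime.sh rules sleep` prints the rules without loading them.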