Sintaxis actualizada (FreeBSD 14 usa PF de OpenBSD 6.9–7.0 aproximadamente, hay cambios importantes).
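# ====================== MACROS ======================
# Interfaces and address ranges used throughout the ruleset. Keep every
# address in a macro so that a rule never hard-codes what another rule
# already names (the WireGuard handshake rule below used to repeat $lan_ip).
lan_if = "re0"
zt_if = "zt1ocu1pr8e2sac"
lan_net = "192.168.88.0/24"
zt_net = "192.168.192.0/24"
my_zt_ip = "192.168.192.204"
lan_ip = "192.168.88.160" # put the real address of re0 here if it is static
wg_peer = "192.168.88.51" # the only LAN host allowed to start a WireGuard handshake
wg_port = "51820"
ssh_port = "{ 22 }"
nfs_ports_tcp = "{ 111, 892, 2049 }"
nfs_ports_udp = "{ 111, 892 }"
# Never-routable destinations. Note that this host's own $lan_ip and
# $my_zt_ip fall inside 192.168.0.0/16, so the bogon rule that uses this
# list also acts as a catch-all block for anything not passed before it.
bogons = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
10.0.0.0/8, ::/128, 0.0.0.0/8 }"

# ====================== GLOBAL OPTIONS ======================
set block-policy return # answer blocked packets with TCP RST / ICMP unreachable
set ruleset-optimization none # keep rules exactly in the written order; confirm accepted values in pf.conf(5) for the target release
set skip on lo0
# NOTE(review): $zt_if is deliberately NOT skipped any more. "set skip" turns
# pf off completely on that interface, which made the rate-limited SSH rule
# for ZeroTier (and its overload into <bruteforce>) unreachable. ZeroTier's own
# flow rules are an additional layer, not a replacement for this one.

# Normalisation via a match rule; if the loader rejects this form on the target
# release, the equivalent older syntax is "scrub in all ...".
match in all scrub (no-df random-id max-mss 1440)

# ====================== TABLES ======================
table <bruteforce> persist # filled by sshguard, pf-badhost, and the overload below

# ====================== BLACKLIST (must come first) ======================
# This block must precede every "pass ... quick" rule: otherwise an address
# that sshguard or the SSH overload adds to the table is still let through by
# the trusted-LAN rule before this one is ever evaluated.
block in quick from <bruteforce>

# ====================== TRUSTED TRAFFIC (LAN) ======================
# Everything from the LAN to this host is accepted here, so the per-service
# LAN rules further down (ICMP, SSH, DNS, NFS) are shadowed while this rule
# exists; they document the intended minimum and become effective if this
# blanket rule is ever removed.
pass in quick on $lan_if from $lan_net to $lan_ip keep state

# ====================== WIREGUARD TUNNEL EXCEPTION ======================
# Handshake from the designated peer, then everything inside the tunnel.
pass in quick on $lan_if proto udp from $wg_peer to $lan_ip \
port $wg_port keep state
pass in quick on wg0 keep state # <-- this is the important one: the tunnel is fully trusted

# ====================== ZEROTIER (rate-limited SSH only) ======================
# Placed before the anti-spoof/bogon blocks, which otherwise deny every
# inbound packet on $zt_if from 192.168.0.0/16. Anything on $zt_if other than
# SSH from $zt_net is therefore denied; add further "pass in quick on $zt_if"
# rules here if more services must be reachable over ZeroTier.
# More than 15 new connections in 5 s from one source puts that source into
# <bruteforce> and flushes all of its states.
pass in quick on $zt_if proto tcp from $zt_net to $my_zt_ip port $ssh_port \
flags S/SFRA keep state \
(max-src-conn-rate 15/5, overload <bruteforce> flush global)

# ====================== BASIC PROTECTION RULES ======================
# Anti-spoofing: private source addresses arriving on anything but the LAN
# interface (the wg0 and ZeroTier rules above have already passed what they allow).
block in quick on ! $lan_if from $lan_net to any
block in quick on ! $lan_if from 192.168.0.0/16 to any
block in quick on ! $lan_if from 172.16.0.0/12 to any
block in quick on ! $lan_if from 10.0.0.0/8 to any
# Bogon destinations; see the note on the $bogons macro.
block in quick from any to $bogons

# ====================== LOOPBACK ======================
pass quick on lo0 all # redundant with "set skip on lo0", kept for readability

# ====================== OUTBOUND (stateful) ======================
# Replies to anything this host initiates (including ZeroTier's UDP 9993
# transport on $lan_if) are matched by state before the rules above run.
pass out quick inet keep state

# ====================== ICMP ======================
pass in on $lan_if inet proto icmp from $lan_net to $lan_ip icmp-type echoreq \
keep state
pass out on $lan_if inet proto icmp from $lan_ip to $lan_net icmp-type echorep \
keep state

# ====================== SSH FROM LAN (no rate limit) ======================
pass in on $lan_if proto tcp from $lan_net to $lan_ip port $ssh_port flags \
S/SFRA keep state

# ====================== DNS (local Unbound) ======================
pass quick on $lan_if proto { tcp udp } from $lan_net to $lan_ip port 53

# ====================== NTP client ======================
pass out proto udp from any to port 123 keep state # shadowed by the stateful outbound rule

# ====================== NFS (LAN only) ======================
pass in on $lan_if proto tcp from $lan_net to $lan_ip port $nfs_ports_tcp \
flags S/SFRA keep state
pass in on $lan_if proto udp from $lan_net to $lan_ip port $nfs_ports_udp \
keep state
# NFSv4 callback channel (only from NFS clients on the LAN)
pass in on $lan_if proto tcp from $lan_net to $lan_ip port 3000:4000 \
flags S/SFRA keep state

# ====================== ZEROTIER CONTROL PORT ======================
# No rule on $zt_if: UDP 9993 is ZeroTier's transport between peers and
# arrives on the physical interface, not on the virtual one. LAN peers are
# already covered by the trusted-LAN rule and the daemon's own outbound
# traffic by the stateful outbound rule. Unsolicited 9993 from outside the
# LAN is blocked; if direct inbound peering is required, add a
# "pass in quick on $lan_if proto udp ... port 9993" rule before the bogon block.

# ====================== FINAL BLOCK (default deny) ======================
block log all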
¡FreeBSD es genial!