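# Blocklist filters: badhosts and sshguard
# <pfbadhost> is populated from a file when the ruleset is loaded; the other
# tables are empty at load time and filled at runtime by external tools.
table <pfbadhost> persist file "/etc/pf-badhost.txt"
table <sshguard> persist
table <whitelist> persist

## Table for brute-forcers
table <bruteforce> persist
table <http_abusive_hosts> persist
# NOTE(review): <whitelist> and <http_abusive_hosts> are declared but not referenced
# by any rule shown here; presumably they are used further down the ruleset.

set block-policy drop # block silently: no TCP RST / ICMP unreachable is returned
set skip on lo # loopback is not filtered at all
set limit table-entries 400000 # headroom for the blocklist tables above
set limit states 100000

## Packet processing ##

# Normalize traffic: reassemble fragments, clamp MSS, clear DF, randomize IP IDs,
# normalize TCP (scrub normalizes rather than simply dropping partial packets)
match all scrub (max-mss 1440 no-df random-id reassemble tcp)

antispoof quick for egress # drop packets whose source address does not belong on that interface
antispoof quick for lo0 # same for loopback addresses seen on other interfaces
# NOTE(review): antispoof on lo0 is safe here only because "set skip on lo" above
# exempts loopback traffic from filtering; keep the two settings together.

# Port build user does not need network
block return out log proto {tcp udp} user _pbuild

# Default deny: everything not explicitly passed below is dropped
block

block quick on egress from <pfbadhost>
# NOTE(review): unlike the <pfbadhost> and <bruteforce> rules this one is not
# "quick", so a later matching "pass in" rule (the rest of the ruleset is not
# visible here) would override it under pf's last-match semantics; confirm that
# is intended, and consider adding "log" so hits are recorded.
block in from <sshguard>
block log quick from <bruteforce> label "brutes"

pass out on egress proto { tcp udp icmp ipv6-icmp } modulate state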