Pf config
From CPanelDirect
# Macros. Before loading this ruleset: touch /etc/pf.blocklist.txt and
# /etc/whitelist.txt, the two files the <badguys> and <whitelist> tables below
# are loaded from (the ruleset will not load if they are missing).
# For cpanel don't forget to uncomment the cpanel_services macro here and the
# matching synproxy rule in the filter section.
# nic card
ext_if="em0" # replace with actual external interface name i.e., dc0
# Services opened to the world in the filter section. Don't add ftp here; for
# ftp include port 20 here and uncomment the ftp rules at the bottom.
# In cpanel must add PassivePortRange 49151 65535 to pure-ftpd.conf.
# tcp_services="{ 20, 22, 80, 443 }"
tcp_services="{ 80 }"
udp_services="{ 53 }"
#cpanel_services="{ 25, 53, 110, 143, 465, 993, 995, 2078, 2082, 2083, 2095, 2096, 2084, 2086, 2087 }"
# ICMP type 8 is echo request (inbound ping); see the icmp pass rule below.
icmp_types="8"
# Game servers (Quake3, CS )
# game_ports="27015"
# Tables: similar to macros, but more flexible for many addresses.
# 'const' means <rfc1918> cannot be altered at runtime; 'persist' keeps
# <badguys> and <whitelist> in the kernel even when no rule references them,
# and their contents come from the named files, so they can be maintained
# outside this ruleset (reload the file, or pfctl -t badguys -T add ADDRESS).
table <rfc1918> const { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }
# NOTE(review): the filter section blocks <rfc1918> sources on $ext_if. If
# the external interface itself sits on a private range (behind NAT), that
# rule will drop legitimate traffic.
table <badguys> persist file "/etc/pf.blocklist.txt"
table <whitelist> persist file "/etc/whitelist.txt"
# Options: tune the behavior of pf, default values are given.
# (The timeouts and limits below are the pf defaults, except the adaptive
# pair, which is set to 0/0 to switch adaptive timeout scaling off.)
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
# 0/0 disables adaptive timeouts; the defaults would be 6000/12000
# (60% / 120% of the states limit).
set timeout { adaptive.start 0, adaptive.end 0 }
# Hard caps on the state and fragment tables; once 'states' is reached no
# new state entries can be created, so stateful rules stop matching new flows.
set limit { states 10000, frags 5000 }
# Collect packet/byte counters for the external interface (pfctl -s info).
set loginterface $ext_if
set optimization normal
# Blocked packets are silently dropped: no TCP RST or ICMP unreachable goes back.
set block-policy drop
# Make pfctl reject a ruleset whose sections are out of order.
set require-order yes
# Passive OS fingerprint database; only used by 'os' matching, which this
# file leaves commented out.
set fingerprints "/etc/pf.os"
# States are bound to the interface they were created on.
set state-policy if-bound
# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
#scrub in all
# Inbound on the external interface: reassemble fragments before filtering,
# raise TTLs below 15 to 15, and clamp the advertised TCP MSS to 1400.
scrub in on $ext_if all fragment reassemble min-ttl 15 max-mss 1400
# Clear the don't-fragment bit so such packets can still be fragmented and
# reassembled.
scrub in on $ext_if all no-df
# Both directions: stateful TCP normalization (sequence/window sanity checks).
scrub on $ext_if all reassemble tcp
# Filtering. pf applies the LAST matching rule, except that a 'quick' rule
# stops evaluation as soon as it matches. The two rules below spell out pf's
# implicit pass-everything default: 'block in log all' further down overrides
# 'pass in all', while 'pass out all' stays the effective (stateless) outbound
# default because 'block out log all' is left commented.
pass in all
pass out all
# Pass all 'quick' on localhost loopback device
pass quick on lo0 all
## Default DENY & Log filter rules
# Anything inbound not matched by a later pass rule is dropped (block-policy
# drop) and logged to pflog.
block in log all
# uncomment for 2 way blocking
#block out log all
# block ping
# block in quick inet proto icmp from any to any
# SSH
# allow ssh from 66.45.228.251, this works
# is keep-state needed?
# NOTE(review): no state option is given, so on pf versions where 'keep
# state' is not implied this rule is stateless and the replies ride on
# 'pass out all'. It is not 'quick', so the <badguys> block below still
# wins for an address listed in both.
pass in on $ext_if proto tcp from 66.45.228.251 to any port 22
# END SSH
# Drop our 'badguys' 'quick' with no reply or logging.
# Being 'quick', this takes precedence over the SSH rule above and the
# <whitelist> pass rules below.
block in quick on $ext_if from <badguys> to any
# Drop our rfc1918 ranges
# NOTE(review): if $ext_if is itself on a private range (behind NAT) this
# drops legitimate traffic; remove or narrow it in that case.
block in quick on $ext_if from <rfc1918> to any
# probably don't want this
# block in on $ext_if from any os unknown
# Pass in rules for Various services defined above. Using 'synproxy-state' for
# basic dDoS mitigation on TCP services.
# <abusive_hosts> is filled by the 'overload' option of the synproxy rule
# below. It is not file-backed and entries never expire on their own; clear
# them with pfctl -t abusive_hosts -T flush (or -T delete ADDRESS).
# NOTE(review): with 'set require-order yes' confirm this pfctl accepts a
# table definition this far into the filter section.
table <abusive_hosts> persist
# Not limited to $ext_if, and 'quick', so it precedes the <whitelist> pass
# rules: a whitelisted source that trips the overload limits is blocked too.
block in quick from <abusive_hosts>
# synproxy: pf completes the TCP handshake itself and only then opens the
# connection to the server, so half-open SYN floods never reach it.
# max-src-conn 50: at most 50 simultaneous connections per source address.
# max-src-conn-rate 15/5: at most 15 new connections per 5 seconds per source.
# Exceeding either adds the source to <abusive_hosts>; 'flush' also kills
# that source's existing states created by this rule.
pass in on $ext_if proto tcp from any to any port $tcp_services flags S/SA synproxy state \
(max-src-conn 50, max-src-conn-rate 15/5, overload <abusive_hosts> flush)
# Enable for cpanel
#pass in on $ext_if proto tcp from any to $ext_if port $cpanel_services flags S/SA synproxy state
# Pass UDP keeping state
pass in on $ext_if proto udp from any to $ext_if port $udp_services keep state
# Pass ICMP type 8 (echo request, i.e. inbound ping) with state; the echo
# reply leaves through the state this rule creates.
pass in on $ext_if inet proto icmp all icmp-type $icmp_types keep state
# Pass FTP
#pass in quick on $ext_if proto tcp from any to any port 21 flags S/SA keep state
#pass in quick on $ext_if proto tcp from any to any port > 49151 keep state
# Pass out rule allowing all with modulate state
# modulate state: keep state plus randomized initial sequence numbers for
# outbound TCP connections. flags S/SA: only the initial SYN creates state.
pass out on $ext_if proto tcp all modulate state flags S/SA
# Pass out rules for UDP, ICMP
pass out on $ext_if proto { udp, icmp } all keep state
# Whitelist
# NOTE(review): 'flags S/SA' is given without 'proto tcp'; flags only apply
# to TCP, so confirm this pfctl version accepts the rule, and consider adding
# 'proto tcp' or dropping the flags to make the intent explicit. The 'quick'
# <badguys> and <abusive_hosts> blocks above still take precedence over this.
pass in on $ext_if from <whitelist> to any flags S/SA keep state
pass out on $ext_if from <whitelist> to any keep state
# Shoutcast 8000:9000
#pass in on $ext_if proto tcp from any to $ext_if port 8000 >< 9000 flags S/SA synproxy state
#pass in on $ext_if proto udp from any to $ext_if port 8000 >< 9000 keep state
# End