johnko · January 30, 2016 19:35 · Jan 30, 2016 · Jan 30, 2016 · Jan 30, 2016
diff --git a/commands.txt b/commands.txt
@@ -21,3 +21,12 @@ pfctl -P -t weblimit -T add 192.168.0.253
 # To add a subnet to the weblimit table
 # This blocks all 192.168.0.* IPs
 pfctl -P -t weblimit -T add 192.168.0.0/24
+
+# To see what's in the table
+pfctl -P -t weblimit -T show
+
+# To save the table to disk (so it persists on reboot)
+pfctl -P -t weblimit -T show >"/etc/pf/weblimit.table"
+
+# To clear the table
+pfctl -P -t weblimit -T expire 0
diff --git a/commands.txt b/commands.txt
@@ -15,6 +15,7 @@ service pf reload
 
 # To add an IP to the weblimit table
 # This blocks one IP
+# No need to reload pf if you add/remove from tables already defined in pf
 pfctl -P -t weblimit -T add 192.168.0.253
 
 # To add a subnet to the weblimit table

diff --git a/commands.txt b/commands.txt
@@ -0,0 +1,22 @@
+# Edit your /etc/pf/pf.conf
+# If you are connected via ssh, make sure you allow connection to your ssh port!
+vi /etc/pf/pf.conf
+
+# Enable pf on your system
+sysrc pf_enable="YES"
+sysrc pf_rules="/etc/pf/pf.conf"
+
+#  Start pf service/daemon
+# If you are connected via SSH, you may be disconnected
+service pf start
+
+# Reload pf config if you make more changes to pf.conf
+service pf reload
+
+# To add an IP to the weblimit table
+# This blocks one IP
+pfctl -P -t weblimit -T add 192.168.0.253
+
+# To add a subnet to the weblimit table
+# This blocks all 192.168.0.* IPs
+pfctl -P -t weblimit -T add 192.168.0.0/24
diff --git a/pf.conf b/pf.conf
@@ -0,0 +1,29 @@
+## variables
+egress = "lagg0"
+web_ports = "{ http, https, 8080 }"
+ssh_ports = "{ ssh, 22222 }"
+
+## tables of IP addresses
+table <sshban> persist file "/etc/pf/sshban.table"
+table <weblimit> persist file "/etc/pf/weblimit.table"
+
+## quick rules: if there's a match, stop looking for other rules and block/pass as directed
+# drop connections fomr ips in sshban table from connecting
+block quick on $egress proto { tcp, udp } from <sshban> to (self) port $ssh_ports
+# limit to 5 connections total, and 5 connections every 2 seconds
+pass in quick on $egress proto { tcp, udp } from <weblimit> to (self) port $web_ports modulate state ( max-src-conn 5, max-src-conn-rate 5/2 )
+
+## regular rules
+# allow me to connect to other servers' sshd
+pass out on $egress proto tcp from (self) to any port $ssh_ports modulate state
+# allow my sshd to respond to clients
+pass out on $egress proto tcp from (self) port $ssh_ports to any modulate state
+# allow clients to connect to my sshd at a max of 15 connections per ip, and 15 connections per 2 seconds, and add them to sshban table if they exceed this limit
+pass in on $egress proto tcp from any to (self) port $ssh_ports modulate state ( max-src-conn 15, max-src-conn-rate 15/2, overload <sshban> )
+
+# allow me to talk to other servers' web ports
+pass out on $egress proto tcp from (self) to any port $web_ports modulate state
+# allow my web ports to reply to clients
+pass out on $egress proto tcp from (self) port $web_ports to any modulate state
+# allow clients to connect to my web ports at a max of 1000 connections per ip, and 1000 connections per 1 seconds, and add them to weblimit table if they exceed this limit
+pass in on $egress proto tcp from any to (self) port $web_ports modulate state ( max-src-conn 1000, max-src-conn-rate 1000/1 , overload <weblimit> )