2026 cleanup
75
Makefile
75
Makefile
@@ -27,14 +27,15 @@ WG_LAN= 10.10.10.1/24
WAN!= route -n show -inet | grep default | awk '{print $$NF}'
# Packet Filter configuration for allowed ports
OUT_TCP= http ftp whois https ssh
IN_TCP= http https ssh
OUT_UDP= domain ntp $(WG_PORT)
IN_UDP= $(WG_PORT)
VPN_TCP= $(IN_TCP)
OUT_TCP?= http ftp whois https ssh
IN_TCP?= http https ssh
OUT_UDP?= domain ntp $(WG_PORT)
IN_UDP?= $(WG_PORT)
VPN_TCP?= $(IN_TCP)
VPN_UDP?= domain ntp https
# Server private key
WG_KEY!= cat server.key 2> /dev/null || wg genkey
WG_KEY!= cat server.key 2> /dev/null || wg genkey
.poison empty $(WG_KEY)
# Ads lists
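Review bot: The OUT_TCP, IN_TCP, OUT_UDP, IN_UDP, VPN_TCP and VPN_UDP assignments now use `?=`, which in BSD make also yields to a variable of the same name in the caller's environment, so an exported `IN_TCP` silently changes the ports the generated ruleset passes in on egress, and nothing in the hunk says these lists are meant to be override points. A comment above the block would make that explicit: `# Allowed-port lists; ?= lets the caller override each one (make IN_TCP='ssh'), and an exported variable of the same name overrides it too`. The two WG_KEY!= lines read identically in this view, so whatever changed on that line is not visible here.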
@@ -88,34 +89,37 @@ restart:
/etc/pf.header:
# The original pf header
printf 'set skip on lo\nblock return\npass\
printf 'set skip on lo\nblock return\n#pass\
\nblock return in on ! lo0 proto tcp to port 6000:6010\
\nblock return out log proto {tcp udp} user _pbuild\n' > $@
/etc/pf.wg: /etc/pf.bogons /etc/pf.abuse_ssh /etc/pf.abuse_tcp /etc/pf.header /etc/pf.conf.orig
# Define allowed PF ports
printf 'out_tcp_ports = "{ $(OUT_TCP) }"\
printf '# PF.WG\
\n### Allowed Ports\
\nout_tcp_ports = "{ $(OUT_TCP) }"\
\nout_udp_ports = "{ $(OUT_UDP) }"\
\nvpn_tcp_ports = "{ $(VPN_TCP) }"\
\nvpn_udp_ports = "{ $(VPN_UDP) }"\
\nin_tcp_ports = "{ $(IN_TCP) }"\
\nin_udp_ports = "{ $(IN_UDP) }"\n' > $@
# Rules
printf '# BEGIN PF.WG\
\n### Macros \
printf '### Macros \
\n# statefull tracking options - sto\
\n# SSH is considered under abuse when there are more than 6 connections per minute \
\nssh_sto = "(max-src-conn-rate 6/60, overload <t_abuse_ssh> flush global)"\
\n# SSH is considered under abuse when there are more than 10 simultaneous connections or 1 connections per 2 second \
\nssh_sto = "(max-src-conn 100, max-src-conn-rate 6/60, overload <t_abuse_ssh> flush global)"\
\n# TCP is considered under abuse when there are more than 300 simultaneous connections or 600 per minute\
\ntcp_sto = "(max-src-conn 300, max-src-conn-rate 600/60, overload <t_abuse_tcp> flush global)"\
\n# TCP flags \
\nflag_syn = "flags S/SA modulate state"\
\n# define e (egress) and i (ingress) macros\
\nedropin = "block drop in quick on egress from"\
\nedropout = "block drop out log quick on egress from"\
\nepassout = "pass out log on egress proto tcp to any port"\
\ninblocktcp = "block in log quick proto tcp from"\
\nedropout = "block drop out quick on egress from"\
\nepassout = "pass out on egress proto tcp to any port"\
\ninblocktcp = "block in quick proto tcp from"\
\ninpasstcp = "pass in on egress proto tcp to any port"\
\ninvpntcp = "pass in log on wg0 proto tcp to any port"\
\ninvpntcp = "pass in on wg0 proto tcp to any port"\
\ninvpnudp = "pass in on wg0 proto udp to any port"\
\n# Persitent tables\
\ntable <t_bogons> persist file "/etc/pf.bogons"\
\ntable <t_abuse_tcp> persist file "/etc/pf.abuse_tcp"\
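Review bot: The comment on the new ssh_sto line says SSH is abused at "more than 10 simultaneous connections or 1 connections per 2 second", but the macro directly below it sets `max-src-conn 100, max-src-conn-rate 6/60`, so the generated pf.wg documents limits it does not apply; the line should read `\n# SSH is considered under abuse when there are more than 100 simultaneous connections or more than 6 new connections per minute \`. Dropping `log` from the new `edropout`, `epassout`, `inblocktcp` and `invpntcp` macros also means hits on the <t_abuse_ssh> and <t_abuse_tcp> overload tables no longer reach pflog, which is where an operator would notice a source being throttled; if that is intended it deserves a comment, otherwise `log` belongs at least on `inblocktcp`. The /etc/pf.wg recipe these printf lines belong to continues past the end of this hunk.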
@@ -125,41 +129,42 @@ restart:
\nset optimization conservative\
\nset reassemble yes\
\nset syncookies adaptive (start 25%%, end 12%%)\
\nset ruleset-optimization profile\
\nset ruleset-optimization basic\
\nset skip on lo\
\nantispoof for { lo, egress }\
\nmatch in all scrub (max-mss 1440 no-df random-id reassemble tcp)\
\n### Rules \
\n# Prevent dns leaks \
\nblock in log on egress inet proto { tcp udp } from any to ! egress port 53\
\n#block in log quick on egress inet proto { tcp udp } from any to ! egress port 53\
\n# Block bogons - DEACTIVATED \
\n# TODO : change pf.bogons to allow LAN\
\n#$edropin { <t_bogons> } to any\
\n#$edropout any to { <t_bogons> }\
\n#$$edropin { <t_bogons> } to any\
\n#$$edropout any to { <t_bogons> }\
\n# block abusers\
\n$inblocktcp <t_abuse_ssh> to any port ssh\
\n$inblocktcp <t_abuse_tcp> to any port $in_tcp_ports\
\n$$inblocktcp <t_abuse_ssh> to any port ssh\
\n$$inblocktcp <t_abuse_tcp> to any port $$in_tcp_ports\
\n# Default rule : block stateless traffic\
\nblock\
\n# block\
\n# Enable ICMP echo request, reply, unreach\
\npass quick inet proto icmp all icmp-type { echoreq, echorep, unreach }\
\n# Enable IPv4 traceroute\
\npass out on egress proto udp to port 33433:33626\
\n# Pass ingress \
\n$inpasstcp ssh $$flag_syn $$ssh_sto\
\n$inpasstcp http $$flag_syn $$tcp_sto\
\n$inpasstcp https $$flag_syn $$tcp_sto\
\n$invpntcp $$vpn_tcp_ports $$flag_syn $$tcp_sto\
\n$$inpasstcp ssh $$flag_syn $$ssh_sto\
\n$$inpasstcp http $$flag_syn $$tcp_sto\
\n$$inpasstcp https $$flag_syn $$tcp_sto\
\n$$invpntcp $$vpn_tcp_ports\
\n$$invpnudp $$vpn_udp_ports\
\npass in on egress proto udp to any port $$in_udp_ports\
\n# Pass egress\
\n$epassout $$out_tcp_ports $$flag_syn\
\npass out on egress proto udp to any port $$out_udp_ports allow-opts\
\n$$epassout $$out_tcp_ports $$flag_syn\
\npass out quick on egress proto udp to any port $$out_udp_ports allow-opts\
\n# Pass Wireguard-LAN\
\npass out log on wg0 proto tcp to any port $$vpn_tcp_ports\
\npass in on wg0 proto udp to any port $$out_udp_ports allow-opts\
\n# END PF.WG\n' >> $@
\npass out on wg0 proto tcp to any port $$vpn_tcp_ports\
\npass out on wg0 proto udp to any port $$vpn_udp_ports\
\npass in on wg0 proto udp to any port $$out_udp_ports allow-opts\n' >> $@
# NAT the WireGuard interface to WAN
printf 'pass out on $(WAN) inet from wg0:network to any nat-to ($(WAN))' >> $@
printf 'pass out on $(WAN) inet from wg0:network to any nat-to ($(WAN)) static-port\n' >> $@
ad-blacklist:
rm -rf /var/unbound/ad-blacklist.conf
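Review bot: The `# Prevent dns leaks` heading now sits above a commented-out rule (`\n#block in log quick on egress inet proto { tcp udp } from any to ! egress port 53\`), and `# Default rule : block stateless traffic` sits above `\n# block\`, so the generated pf.wg describes two protections it no longer enforces. The hunk already has a convention for this in the bogons section; following it, `\n# Prevent dns leaks - DEACTIVATED \` and `\n# Default rule : block stateless traffic - DEACTIVATED \` would keep the comments honest. Default deny presumably still comes from the `block return` that the /etc/pf.header recipe writes, but nothing in this hunk replaces the port-53 block, so a client that points at an outside resolver is no longer stopped unless a rule outside this view catches it. The /etc/pf.wg recipe these lines belong to starts before the hunk.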
@@ -245,8 +250,8 @@ $(CLIENTS): server.conf
wg genpsk > $@/$@.psk
# Append to server.conf (deprecated) and the client configuration
PSK=$$(cat $@/$@.psk); PUB=$$(cat $@/$@.pub); N=$$(sha256 -qs $@ | cut -b 1-2);\
echo -e '[Peer] # '$@'\nAllowedIPs = $(WG_LAN:H:S/.1$/./)'$$(echo $$((0x$$N)))'/32\nPublicKey = '$$PUB'\nPresharedKey = '$$PSK'\n' >> server.conf;\
echo -e '[Interface] # Local tunnel address: $(WG_LAN:H:S/.1$/./)'$$(echo $$((0x$$N))) router: $(WG_LAN:H)'\nAddress = $(WG_LAN:H:S/.1$/./)'$$(echo $$((0x$$N)))/32'\nPrivateKey = '$$(cat $@/$@.key)'\nDNS = $(WG_LAN:H)\n[Peer] # Tunnel endpoint: $(SERVER)\nEndpoint = $(SERVER):$(WG_PORT)\nPublicKey = '$$(cat server.pub)'\nPresharedKey = '$$PSK'\nAllowedIPs = 0.0.0.0/0' > $@/$@.conf
echo -e '[Peer] # '$@'\nAllowedIPs = $(WG_LAN:H:S/.1$/./)'$$(echo $$((0x$$N)))'/24\nPublicKey = '$$PUB'\nPresharedKey = '$$PSK'\n' >> server.conf;\
echo -e '[Interface] # Local tunnel address: $(WG_LAN:H:S/.1$/./)'$$(echo $$((0x$$N))) router: $(WG_LAN:H)'\nAddress = $(WG_LAN:H:S/.1$/./)'$$(echo $$((0x$$N)))/24'\nPrivateKey = '$$(cat $@/$@.key)'\nDNS = $(WG_LAN:H)\n[Peer] # Tunnel endpoint: $(SERVER)\nEndpoint = $(SERVER):$(WG_PORT)\nPublicKey = '$$(cat server.pub)'\nPresharedKey = '$$PSK'\nAllowedIPs = 0.0.0.0/0' > $@/$@.conf
cat $@/$@.conf | qrencode -t ansiutf8 -o $@/$@.qr
chmod -R 600 $@
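Review bot: The server-side `[Peer]` entry appended to server.conf now carries `AllowedIPs = <tunnel prefix>N/24` instead of `/32`, which authorizes every peer to source any address in the whole tunnel subnet and makes the peers' cryptokey-routing entries overlap, so the server sends the subnet to whichever peer was added last and traffic for the other clients goes to the wrong peer. The `/24` is right for the client's `Address =` line, but the server.conf line should keep `'/32\nPublicKey = '`. The N octet is still two hex digits of the client name's sha256 on the context line above, so two client names can collide and N can be 0 or 1, clashing with the network and router addresses; that is pre-existing, but a comment on the `N=` line saying so would help.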