From 9f331e40b25ab94dec6475c70f92ab4acb00a6be Mon Sep 17 00:00:00 2001 From: Samuel Aubertin Date: Tue, 2 Jun 2026 11:19:52 +0200 Subject: [PATCH] 2026 cleanup --- Makefile | 75 ++++++++++++++++++++++++++++++-------------------------- 1 file changed, 40 insertions(+), 35 deletions(-) diff --git a/Makefile b/Makefile index e4d39b2..4250b40 100644 --- a/Makefile +++ b/Makefile @@ -27,14 +27,15 @@ WG_LAN= 10.10.10.1/24 WAN!= route -n show -inet | grep default | awk '{print $$NF}' # Packet Filter configuration for allowed ports -OUT_TCP= http ftp whois https ssh -IN_TCP= http https ssh -OUT_UDP= domain ntp $(WG_PORT) -IN_UDP= $(WG_PORT) -VPN_TCP= $(IN_TCP) +OUT_TCP?= http ftp whois https ssh +IN_TCP?= http https ssh +OUT_UDP?= domain ntp $(WG_PORT) +IN_UDP?= $(WG_PORT) +VPN_TCP?= $(IN_TCP) +VPN_UDP?= domain ntp https # Server private key -WG_KEY!= cat server.key 2> /dev/null || wg genkey +WG_KEY!= cat server.key 2> /dev/null || wg genkey .poison empty $(WG_KEY) # Ads lists 
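Review bot: `.poison empty $(WG_KEY)` passes the key's expansion where make(1) documents a variable *name*: if the directive expands its operand, the poisoned name is the base64 key string and WG_KEY itself is never checked; if it does not, the literal `$(WG_KEY)` is not a defined variable either, so in neither case does the intended empty-key guard fire — the form that guards the key is `.poison empty WG_KEY`. The check matters here because when server.key is absent and `wg` is not installed, the `|| wg genkey` fallback leaves WG_KEY empty and the rest of the build proceeds without a server key. A smaller point: switching the port lists to `?=` means a variable of the same name in the invoking environment (make imports it) now replaces the allowed-port set written into the PF rules; if that override is intended, record it, e.g. `# ?= so the port lists can be overridden from the environment or the make command line`.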
@@ -88,34 +89,37 @@ restart: /etc/pf.header: # The original pf header - printf 'set skip on lo\nblock return\npass\ + printf 'set skip on lo\nblock return\n#pass\ \nblock return in on ! lo0 proto tcp to port 6000:6010\ \nblock return out log proto {tcp udp} user _pbuild\n' > $@ /etc/pf.wg: /etc/pf.bogons /etc/pf.abuse_ssh /etc/pf.abuse_tcp /etc/pf.header /etc/pf.conf.orig # Define allowed PF ports - printf 'out_tcp_ports = "{ $(OUT_TCP) }"\ + printf '# PF.WG\ + \n### Allowed Ports\ + \nout_tcp_ports = "{ $(OUT_TCP) }"\ \nout_udp_ports = "{ $(OUT_UDP) }"\ \nvpn_tcp_ports = "{ $(VPN_TCP) }"\ + \nvpn_udp_ports = "{ $(VPN_UDP) }"\ \nin_tcp_ports = "{ $(IN_TCP) }"\ \nin_udp_ports = "{ $(IN_UDP) }"\n' > $@ # Rules - printf '# BEGIN PF.WG\ - \n### Macros \ + printf '### Macros \ \n# statefull tracking options - sto\ - \n# SSH is considered under abuse when there are more than 6 connections per minute \ - \nssh_sto = "(max-src-conn-rate 6/60, overload flush global)"\ + \n# SSH is considered under abuse when there are more than 10 simultaneous connections or 1 connections per 2 second \ + \nssh_sto = "(max-src-conn 100, max-src-conn-rate 6/60, overload flush global)"\ \n# TCP is considered under abuse when there are more than 300 simultaneous connections or 600 per minute\ \ntcp_sto = "(max-src-conn 300, max-src-conn-rate 600/60, overload flush global)"\ \n# TCP flags \ \nflag_syn = "flags S/SA modulate state"\ \n# define e (egress) and i (ingress) macros\ \nedropin = "block drop in quick on egress from"\ - \nedropout = "block drop out log quick on egress from"\ - \nepassout = "pass out log on egress proto tcp to any port"\ - \ninblocktcp = "block in log quick proto tcp from"\ + \nedropout = "block drop out quick on egress from"\ + \nepassout = "pass out on egress proto tcp to any port"\ + \ninblocktcp = "block in quick proto tcp from"\ \ninpasstcp = "pass in on egress proto tcp to any port"\ - \ninvpntcp = "pass in log on wg0 proto tcp to any port"\ + \ninvpntcp = "pass in 
on wg0 proto tcp to any port"\ + \ninvpnudp = "pass in on wg0 proto udp to any port"\ \n# Persitent tables\ \ntable persist file "/etc/pf.bogons"\ \ntable persist file "/etc/pf.abuse_tcp"\ 
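Review bot: The new ssh_sto comment and macro disagree: the comment says `more than 10 simultaneous connections or 1 connections per 2 second` while the macro sets `max-src-conn 100, max-src-conn-rate 6/60`, so one of the two lines is wrong — if the values are the intended ones, the comment should read `# SSH is considered under abuse when there are more than 100 simultaneous connections or 6 new connections per minute`. Dropping `log` from `edropout` and `inblocktcp` also means that sources overloaded into the abuse tables, and any bogon drops, no longer show up in pflog, which was the only visibility this ruleset offered into what it blocks; keeping `inblocktcp = "block in log quick proto tcp from"` and `edropout = "block drop out log quick on egress from"` costs nothing on the pass path. The printf recipe for /etc/pf.wg begins in this hunk but its rule text continues past it.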
@@ -125,41 +129,42 @@ restart: \nset optimization conservative\ \nset reassemble yes\ \nset syncookies adaptive (start 25%%, end 12%%)\ - \nset ruleset-optimization profile\ + \nset ruleset-optimization basic\ \nset skip on lo\ \nantispoof for { lo, egress }\ \nmatch in all scrub (max-mss 1440 no-df random-id reassemble tcp)\ \n### Rules \ \n# Prevent dns leaks \ - \nblock in log on egress inet proto { tcp udp } from any to ! egress port 53\ + \n#block in log quick on egress inet proto { tcp udp } from any to ! egress port 53\ \n# Block bogons - DEACTIVATED \ \n# TODO : change pf.bogons to allow LAN\ - \n#$edropin { } to any\ - \n#$edropout any to { }\ + \n#$$edropin { } to any\ + \n#$$edropout any to { }\ \n# block abusers\ - \n$inblocktcp to any port ssh\ - \n$inblocktcp to any port $in_tcp_ports\ + \n$$inblocktcp to any port ssh\ + \n$$inblocktcp to any port $$in_tcp_ports\ \n# Default rule : block stateless traffic\ - \nblock\ + \n# block\ \n# Enable ICMP echo request, reply, unreach\ \npass quick inet proto icmp all icmp-type { echoreq, echorep, unreach }\ \n# Enable IPv4 traceroute\ \npass out on egress proto udp to port 33433:33626\ \n# Pass ingress \ - \n$inpasstcp ssh $$flag_syn $$ssh_sto\ - \n$inpasstcp http $$flag_syn $$tcp_sto\ - \n$inpasstcp https $$flag_syn $$tcp_sto\ - \n$invpntcp $$vpn_tcp_ports $$flag_syn $$tcp_sto\ + \n$$inpasstcp ssh $$flag_syn $$ssh_sto\ + \n$$inpasstcp http $$flag_syn $$tcp_sto\ + \n$$inpasstcp https $$flag_syn $$tcp_sto\ + \n$$invpntcp $$vpn_tcp_ports\ + \n$$invpnudp $$vpn_udp_ports\ \npass in on egress proto udp to any port $$in_udp_ports\ \n# Pass egress\ - \n$epassout $$out_tcp_ports $$flag_syn\ - \npass out on egress proto udp to any port $$out_udp_ports allow-opts\ + \n$$epassout $$out_tcp_ports $$flag_syn\ + \npass out quick on egress proto udp to any port $$out_udp_ports allow-opts\ \n# Pass Wireguard-LAN\ - \npass out log on wg0 proto tcp to any port $$vpn_tcp_ports\ - \npass in on wg0 proto udp to any port 
$$out_udp_ports allow-opts\ - \n# END PF.WG\n' >> $@ + \npass out on wg0 proto tcp to any port $$vpn_tcp_ports\ + \npass out on wg0 proto udp to any port $$vpn_udp_ports\ + \npass in on wg0 proto udp to any port $$out_udp_ports allow-opts\n' >> $@ # NAT the WireGuard interface to WAN - printf 'pass out on $(WAN) inet from wg0:network to any nat-to ($(WAN))' >> $@ + printf 'pass out on $(WAN) inet from wg0:network to any nat-to ($(WAN)) static-port\n' >> $@ ad-blacklist: rm -rf /var/unbound/ad-blacklist.conf @@ -245,8 +250,8 @@ $(CLIENTS): server.conf wg genpsk > $@/$@.psk # Append to server.conf (deprecated) and the client configuration PSK=$$(cat $@/$@.psk); PUB=$$(cat $@/$@.pub); N=$$(sha256 -qs $@ | cut -b 1-2);\ - echo -e '[Peer] # '$@'\nAllowedIPs = $(WG_LAN:H:S/.1$/./)'$$(echo $$((0x$$N)))'/32\nPublicKey = '$$PUB'\nPresharedKey = '$$PSK'\n' >> server.conf;\ - echo -e '[Interface] # Local tunnel address: $(WG_LAN:H:S/.1$/./)'$$(echo $$((0x$$N))) router: $(WG_LAN:H)'\nAddress = $(WG_LAN:H:S/.1$/./)'$$(echo $$((0x$$N)))/32'\nPrivateKey = '$$(cat $@/$@.key)'\nDNS = $(WG_LAN:H)\n[Peer] # Tunnel endpoint: $(SERVER)\nEndpoint = $(SERVER):$(WG_PORT)\nPublicKey = '$$(cat server.pub)'\nPresharedKey = '$$PSK'\nAllowedIPs = 0.0.0.0/0' > $@/$@.conf + echo -e '[Peer] # '$@'\nAllowedIPs = $(WG_LAN:H:S/.1$/./)'$$(echo $$((0x$$N)))'/24\nPublicKey = '$$PUB'\nPresharedKey = '$$PSK'\n' >> server.conf;\ + echo -e '[Interface] # Local tunnel address: $(WG_LAN:H:S/.1$/./)'$$(echo $$((0x$$N))) router: $(WG_LAN:H)'\nAddress = $(WG_LAN:H:S/.1$/./)'$$(echo $$((0x$$N)))/24'\nPrivateKey = '$$(cat $@/$@.key)'\nDNS = $(WG_LAN:H)\n[Peer] # Tunnel endpoint: $(SERVER)\nEndpoint = $(SERVER):$(WG_PORT)\nPublicKey = '$$(cat server.pub)'\nPresharedKey = '$$PSK'\nAllowedIPs = 0.0.0.0/0' > $@/$@.conf cat $@/$@.conf | qrencode -t ansiutf8 -o $@/$@.qr chmod -R 600 $@
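Review bot: `$$invpntcp $$vpn_tcp_ports` lost the `$$flag_syn $$tcp_sto` suffix that the three ingress rules directly above it still carry, so TCP arriving on wg0 is now passed without `flags S/SA modulate state` and without the per-source connection limits, while the same ports reached from egress keep both; unless tunnel peers are deliberately exempt, restore `\n$$invpntcp $$vpn_tcp_ports $$flag_syn $$tcp_sto\`. Turning the bare `block` into `# block` also removes the only explicit default-deny in this generated file — pf's default for unmatched traffic is pass — so the ruleset now relies on `block return` from /etc/pf.header being placed in front of it, which this Makefile hunk does not show; either leave `block` in place (a repeated block costs nothing) or add `# default deny is provided by /etc/pf.header (block return)` so the dependency is recorded. The DNS-leak rule is likewise now just commented out; if it is disabled on purpose, a one-line reason beats a bare `#`. The recipe belongs to the /etc/pf.wg target, which starts before this hunk.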
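Review bot: Widening the server-side `[Peer]` entry to `AllowedIPs = 10.10.10.N/24` breaks WireGuard's cryptokey routing: every peer now claims the whole tunnel subnet, so on the server the peer loaded last in practice takes the route for all of 10.10.10.0/24 (the other clients become unreachable from the server side), and inbound packets from any peer are accepted with any 10.10.10.x source address, which lets one client spoof another client or the gateway. Only the client's own `Address = …/24` should carry the subnet mask; the line appended to server.conf should stay at `/32`: `echo -e '[Peer] # '$@'\nAllowedIPs = $(WG_LAN:H:S/.1$/./)'$$(echo $$((0x$$N)))'/32\nPublicKey = '$$PUB'\nPresharedKey = '$$PSK'\n' >> server.conf;\`. Not introduced here, but visible in the same lines: the host number `N` is the first byte of a sha256 of the client name, so two client names can silently collide on one address (and `00`/`01`/`ff` are not excluded). The $(CLIENTS) rule starts before this hunk.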