RootForum Community

Code: Select all

hostname="myhost.net"

font8x14="iso15-8x14"
font8x16="iso15-8x16"
font8x8="iso15-8x8"
keymap="german.iso.acc.kbd"

ifconfig_vtnet0="inet 192.168.0.10  netmask 255.255.255.0"
defaultrouter="192.168.0.1"

cloned_interface="lo0"

ifconfig_lo0="inet 10.0.0.254 netmask 255.255.255.0"
ifconfig_lo0_alias0="inet 10.0.0.1 netmask 255.255.255.0"
ifconfig_lo0_alias1="inet 10.0.0.2 netmask 255.255.255.0"
ifconfig_lo0_alias2="inet 10.0.0.3 netmask 255.255.255.0"
ifconfig_lo0_alias3="inet 10.0.0.4 netmask 255.255.255.0"

gateway_enable="YES"

ezjail_enable="YES"
sendmail_enable="NONE"
sshd_enable="YES"
openntpd_enable="YES"
dumpdev="NO"

syslogd_flags="-ss -a 127.0.0.1 -C"

pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
pflog_logfile=/var/log/pflog

expiretable_enable="YES"
expiretable_flags="-v -d -t 24h bruteforce"

Code: Select all

if = "{ vtnet0 }"
if_lo = "{ lo0 }"

table <rfc1918> persist { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/5 }
table <sshguard> persist
table <bruteforce> persist

icmp_types = "echoreq"
open_tcp = "{ 2233, 80, 443, 2008, 10011, 30033, 41144 }"
open_udp = "{ 2233, 80, 2010, 9987 }"

jails = "{ 10.0.0.1, 10.0.0.2, 10.0.0.3 }"
ip = 192.168.0.10

jwww_tcp_udp = "{ 80, 443 }"
jts3_tcp = "{ 30033, 10011, 41144, 2008 }"
jts3_udp = "{ 9987, 2010 }"
jmariadb = "{ 3306 }"

www = 10.0.0.1
db  = 10.0.0.2
ts3 = 10.0.0.3

set block-policy drop
set skip on lo0
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 10000, frags 5000 }
set loginterface re0
set optimization normal
set require-order yes
set fingerprints "/etc/pf.os"
set ruleset-optimization basic

scrub in all fragment reassemble random-id

rdr on $if proto {tcp udp} from any to $if port $jwww_tcp_udp -> $www
rdr on $if proto tcp from any to $if port $jts3_tcp  -> $ts3
rdr on $if proto udp from any to $if port $jts3_udp  -> $ts3

nat on $if from $jails to any -> $ip

block log all
block return
block in quick on $if inet from <rfc1918> to any
block in quick on $if proto tcp from <sshguard> to any port 2233 label "ssh bruteforce"
block quick from <bruteforce>

antispoof quick for $if

pass in on $if proto tcp from any to any port $open_tcp flags S/SA keep state (max-src-conn 100, max-src-conn-rate 15/5, overload <bruteforce> flush global)
pass in on $if proto udp from any to any port $open_udp keep state
pass out quick all keep state
pass in on $if inet proto icmp all icmp-type $icmp_types keep state
pass in on $if inet proto udp from any to any port 33433 >< 33626 keep state

pass in quick on $if_lo proto tcp from $www port $jmariadb to $db
pass out quick on $if_lo proto tcp from $www port $jmariadb to $db
pass in quick on $if_lo proto tcp from $db port $jmariadb to $www
pass out quick on $if_lo proto tcp from $db port $jmariadb to $www

Code: Select all

[client]
port                            = 3306
socket                          = /tmp/mysql.sock

# The MariaDB server
[mysqld]
port                            = 3306
socket                          = /tmp/mysql.sock
key_buffer_size                 = 256M
max_allowed_packet              = 16M
table_open_cache                = 256
sort_buffer_size                = 4M
net_buffer_length               = 16M
read_buffer_size                = 1M
read_rnd_buffer_size            = 4M
myisam_sort_buffer_size         = 256M

thread_cache_size               = 128
query_cache_size                = 53M
max_connections                 = 100
connect_timeout                 = 5
wait_timeout                    = 600
bulk_insert_buffer_size         = 16M
tmp_table_size                  = 32M
max_heap_table_size             = 32M

skip-external-locking

#skip-networking
bind-address                    = 127.0.0.1
thread_concurrency              = 4
tmpdir                          = /tmp/
log-bin                         = mysql-bin
binlog_format                   = mixed
general_log_file                = /var/log/mysql/mysql.log
general_log                     = 1
server-id                       = 1
log_warnings                    = 2
slow_query_log_file             = /var/log/mysql/mariadb-slow.log
long_query_time                 = 10
log_slow_verbosity              = query_plan
local-infile                    = 0

[mysqldump]
quick
max_allowed_packet              = 16M

[mysql]
no-auto-rehash

[myisamchk]
key_buffer_size                 = 128M
sort_buffer_size                = 128M
read_buffer                     = 2M
write_buffer                    = 2M

[mysqlhotcopy]
interactive-timeout

Code: Select all

define('DB_HOST', 'localhost:/mein/mount/point/mysql.sock');

Code: Select all

pass quick on lo0 from 10.0.0.1 port 3306 to 10.0.0.2

Code: Select all

pass quick on lo0 inet proto tcp from 10.0.0.1 to 10.0.0.2 port 3306 flags S/SA keep state

Code: Select all

hostname="myhost.net"

font8x14="iso15-8x14"
font8x16="iso15-8x16"
font8x8="iso15-8x8"
keymap="german.iso.acc.kbd"

ifconfig_vtnet0="inet 192.168.0.10  netmask 255.255.255.0"
defaultrouter="192.168.0.1"

ifconfig_lo0="inet 10.0.0.254 netmask 255.255.255.0"
ifconfig_lo0_aliases="\
                    inet 10.0.0.1 netmask 255.255.255.0 \
                    inet 10.0.0.2 netmask 255.255.255.0 \
                    inet 10.0.0.3 netmask 255.255.255.0 \
                    inet 10.0.0.4 netmask 255.255.255.0 "

gateway_enable="YES"

ezjail_enable="YES"
sendmail_enable="NONE"
sshd_enable="YES"
openntpd_enable="YES"
dumpdev="NO"

syslogd_flags="-ss -a 127.0.0.1 -C"

pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
pflog_logfile=/var/log/pflog

expiretable_enable="YES"
expiretable_flags="-v -d -t 24h bruteforce"