Hi, I just wanted to ask for feedback or improvement suggestions on my PF ruleset, made for a host and 10-ish jails serving apps and web. I'm particularly interested in suggestions on rule ordering, whether it can be improved and optimized, as well as suggestions on the section for connection rate-limiting at the bottom.
Thanks in advance!
Code:
# Macros
nic = "re0"
ip1 = "xx.xx.xx.xx"
ip2 = "xx.xx.xx.xx"
ip3 = "xx.xx.xx.xx"
ip4 = "xx.xx.xx.xx"
ip5 = "xx.xx.xx.xx"
db = "192.168.1.2"
dibz = "192.168.1.3"
www = "192.168.1.4"
reports = "192.168.1.5"
base = "192.168.1.6"
base2 = "192.168.1.7"
data = "192.168.1.8"
dns = "192.168.1.9"
services = "{25,80,443,10000,20000,30000,40000,50000,60000,65000}"
web = "{80,443}"
ssh = "{10000,20000,30000,40000,50000,60000,65000}"
icmp_types = "{echoreq,unreach}"
# Options
set skip on lo
set block-policy drop
set loginterface $nic
table <blocked> persist file "/etc/blocked"
# Normalization
scrub in no-df random-id
# NAT
nat pass on $nic from $dns -> $ip1
nat pass on $nic from $db -> $ip1
nat pass on $nic from $dibz -> $ip2
rdr on $nic inet proto tcp to $ip2 port {25,80,443,30000} -> $dibz
nat pass on $nic from $data -> $ip2
rdr on $nic inet proto tcp to $ip2 port {10000} -> $data
nat pass on $nic from $www -> $ip3
rdr on $nic inet proto tcp to $ip3 port {25,80,443,50000} -> $www
nat pass on $nic from $base -> $ip4
rdr on $nic inet proto tcp to $ip4 port {25,80,443,60000} -> $base
nat pass on $nic from $base2 -> $ip4
rdr on $nic inet proto tcp to $ip4 port {80,443,20000} -> $base2
nat pass on $nic from $reports -> $ip5
rdr on $nic inet proto tcp to $ip5 port {80,443,65000} -> $reports
# Filtering
block in log
block in quick proto tcp from <blocked> to any port $web
block in quick inet6 all
antispoof quick for $nic inet
pass in proto tcp to port $services
pass in quick proto tcp from any to $www port $web keep state (max-src-conn 40, max-src-conn-rate 50/5, overload <blocked> flush global)
pass in quick proto tcp from any to any port $ssh flags S/SA keep state (max-src-conn 4, max-src-conn-rate 5/15, overload <blocked> flush global)
pass inet proto icmp all icmp-type $icmp_types
block return out quick inet6 all
pass out
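As an added example (not the poster's ruleset), one way to lay out the rate-limiting section so that a source the overload clause adds to <blocked> is dropped on every port rather than only $web, with the block rule placed where PF's first-match-with-quick ordering needs it; macro names are the poster's, the expiry value in the note is an assumption.

```pf
# Added example, not the original post's ruleset.
table <blocked> persist file "/etc/blocked"

# PF evaluates rules top to bottom and the last match wins unless a rule
# carries "quick". A quick block for the whole table must therefore come
# before the pass rules that feed the table, or overloaded sources keep
# matching the later passes on ports other than $web.
block in quick log on $nic from <blocked> to any

# Web ports: at most 40 concurrent states per source, and more than 50 new
# connections within 5 seconds sends the source to <blocked>; "flush global"
# also tears down every existing state from that source.
pass in quick on $nic proto tcp from any to $www port $web \
    flags S/SA keep state \
    (max-src-conn 40, max-src-conn-rate 50/5, overload <blocked> flush global)

# Admin (SSH-style) ports: much tighter thresholds, same overload target.
pass in quick on $nic proto tcp from any to any port $ssh \
    flags S/SA keep state \
    (max-src-conn 4, max-src-conn-rate 5/15, overload <blocked> flush global)
```

Addresses inserted by overload live only in the kernel table and are never written back to /etc/blocked, so a periodic `pfctl -t blocked -T expire 86400` (one day, an assumed value) from cron keeps the table from growing without bound; `pfctl -nf /etc/pf.conf` syntax-checks the file before loading.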