@Tristor
Created February 21, 2017 22:03
PF configuration for TURN server on DO
# vim: set ft=pf
# /etc/pf.conf
ext_if = "vtnet0"
# These macros define the ports we let in and out.
webports = "{http, https}"
needout = "{ssh, domain, ntp, www, https, git, ftp}"
turn = "{3478}"
turns = "{5349}"
# Don't block local, scrub.
set skip on lo
set loginterface $ext_if
scrub in all random-id fragment reassemble
# Default Deny!
block return in log all
block out all
antispoof quick for $ext_if
# Block bruteforce
table <bruteforce> persist
block quick from <bruteforce>
# SSH bruteforce protection and allow rule
pass in quick proto tcp to $ext_if port 22 keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
# Allow in web traffic (no direction given, so this rule matches both in and out)
pass proto tcp from any to $ext_if port $webports
# Allow essential outgoing traffic
pass out quick on $ext_if proto tcp to any port $needout
pass out quick on $ext_if proto udp to any port $needout
# Allow TURN/STUN traffic (3478 for STUN/TURN, 5349 for TURN over TLS)
# Note: relay allocations use additional server ports beyond these (RFC 5766
# suggests 49152-65535); if peers must reach relayed ports on this host, those
# need their own pass rules, which are not covered here.
pass in quick proto udp from any to $ext_if port $turn
pass in quick proto tcp from any to $ext_if port $turn
pass in quick proto tcp from any to $ext_if port $turns
pass out quick on $ext_if proto udp to any port $turn
pass out quick on $ext_if proto tcp to any port $turn
pass out quick on $ext_if proto tcp to any port $turns
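To audit what this ruleset actually exposes, the added script below (not part of the gist) parses the macros and `pass` rules of a pf.conf, resolves service names and `$macros` to port numbers, and reports each inbound port together with any per-source rate limit; the embedded config is a constructed, trimmed copy of the gist, and the service-name table is an assumed subset of /etc/services.

```python
import re
# Constructed sample: the macro and pass lines of the gist's pf.conf, trimmed.
PF_CONF = """
ext_if = "vtnet0"
webports = "{http, https}"
needout = "{ssh, domain, ntp, www, https, git, ftp}"
turn = "{3478}"
turns = "{5349}"
pass in quick proto tcp to $ext_if port 22 keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
pass proto tcp from any to $ext_if port $webports
pass out quick on $ext_if proto tcp to any port $needout
pass out quick on $ext_if proto udp to any port $needout
pass in quick proto udp from any to $ext_if port $turn
pass in quick proto tcp from any to $ext_if port $turn
pass in quick proto tcp from any to $ext_if port $turns
pass out quick on $ext_if proto udp to any port $turn
"""
# Subset of /etc/services for the names used above (assumed FreeBSD values).
SERVICES = {"http": 80, "www": 80, "https": 443, "ssh": 22, "domain": 53,
            "ntp": 123, "git": 9418, "ftp": 21}

def parse_macros(conf):
    """Collect name = "value" macro definitions."""
    return dict(re.findall(r'^\s*(\w+)\s*=\s*"([^"]*)"', conf, re.M))

def expand_ports(spec, macros):
    """Resolve a port spec (number, service name, $macro or {list}) to ints."""
    spec = re.sub(r"\$(\w+)", lambda m: macros[m.group(1)], spec).strip("{} ")
    names = [t.strip() for t in spec.split(",")]
    return {int(t) if t.isdigit() else SERVICES[t] for t in names}

def inbound_exposure(conf):
    """Map proto -> {port: max-src-conn-rate or None} for rules matching inbound."""
    macros, exposure = parse_macros(conf), {}
    for line in conf.splitlines():
        tokens = line.split("#", 1)[0].split()
        if not tokens or tokens[0] != "pass" or tokens[1] == "out":
            continue  # a 'pass' with no direction matches both in and out
        proto = re.search(r"proto\s+(\w+)", line).group(1)
        ports = re.search(r"port\s+(\{[^}]*\}|\S+)", line).group(1)
        rate = re.search(r"max-src-conn-rate\s+(\d+)/(\d+)", line)
        limit = tuple(map(int, rate.groups())) if rate else None
        for port in expand_ports(ports, macros):
            exposure.setdefault(proto, {})[port] = limit
    return exposure

if __name__ == "__main__":
    for proto, ports in sorted(inbound_exposure(PF_CONF).items()):
        print(proto, dict(sorted(ports.items())))
```

Running it on the gist's rules lists tcp 22 (limited to 5 connections per 3 s per source), 80, 443, 3478, 5349 and udp 3478 as reachable from outside.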