The PF
For the standalone installations on OpenBSD, a set of PF configuration files is also supplied. This document describes the existing rules and how they are meant to be used.
You are free to change or adapt the rulesets as you please; however, the existing configuration provides a good foundation to build upon.
All hosts share the same base pf.conf, with the same tables and rules, and include the host-specific portion of the ruleset from the file /etc/services.pf.conf.
General policy
- Skip filtering on the lo interface group. This means lo0 and any other lo* interface that belongs to the lo group.
- Scrub all packets, clearing DF and setting the max-mss to 1440.
- Packets leaving our egress interface get NATed to the first IP assigned to it.
- Packets on the tun interface whose source IP is found in the offense_activated network are tagged as OFFENSE_REGISTERED.
- Block quick and return an answer for packets to 239.255.255.250 and 224/8.
- Block and log dropped packets and return a reply.
- Block quick and drop packets from banned.
- Pass quick from administrators.
- Pass quick on traffic originating from the system (self).
- Include the pf.conf specific to the current system's services.
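The policy above, written out as a pf.conf ruleset. This is an added illustration, not the project's own base pf.conf: the table declarations are the ones documented in the sections that follow, while the rule syntax, the interface group name tun and the ordering of the quick rules are my reading of the list above. Rules that consume the maintenance, moderators, registry and targets tables are assumed to live in the per-host include and are not shown here.

```pf
# Illustrative base ruleset for the policy described in this document.
# Not the project's pf.conf; written to show how each bullet maps to a rule.

# Tables as declared in this document (rules for some of them live in the include)
table <administrators>    persist counters file "/etc/administrators.conf"
table <maintenance>       persist counters file "/etc/maintenance.conf"
table <moderators>        persist counters file "/etc/moderators.conf"
table <registry_clients>  persist counters file "/etc/registry_clients.conf"
table <registry_servers>  persist counters file "/etc/registry_servers.conf"
table <targets>           persist counters file "/etc/targets.conf"
table <offense_network>   persist counters { 10.10.0.0/16 }
table <offense_activated> persist counters { 10.10.0.0/16 }
table <banned>            persist counters

# Skip filtering on the lo interface group (lo0 and any other lo* member)
set skip on lo

# Scrub all packets: clear DF and clamp the MSS to 1440
match in all scrub (no-df max-mss 1440)

# NAT traffic leaving the egress group to its first (non-alias) address
match out on egress inet from !(egress:network) nat-to (egress:0)

# Tag VPN traffic whose source is an activated player (assumed group name: tun)
match in on tun from <offense_activated> tag OFFENSE_REGISTERED

# Multicast/SSDP noise: refuse immediately, without logging
block return quick to { 239.255.255.250, 224.0.0.0/8 }

# Default policy: drop, log, and send a reply (RST/ICMP unreachable)
block return log all

# Banned sources are dropped silently before anything else is allowed
block drop quick from <banned>

# Administrators and locally originated traffic bypass the rest of the ruleset
pass quick from <administrators>
pass quick from self

# Host-specific service rules (moderators, maintenance, targets, registries, ...)
include "/etc/services.pf.conf"
```

Two details worth checking on a real host: `block return log all` is not quick, so a later `pass` in the include can still override it, which is what lets per-host services open ports; and the `<banned>` rule sits before the administrator `pass quick`, so an administrator address that ends up in `<banned>` is locked out until it is removed.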
Table administrators
table <administrators> persist counters file "/etc/administrators.conf"
These are IPs who have unrestricted access to all services running on the system, including SSH.
Table maintenance
table <maintenance> persist counters file "/etc/maintenance.conf"
This table is used to activate maintenance mode on a system. It is usually empty, and the most common entry to add is 0.0.0.0/0.
You can activate maintenance by adding the IP to the table from the command line:
pfctl -t maintenance -T add 0.0.0.0/0
Or, if you plan on rebooting the server and you'd like to ensure the system comes back online in maintenance mode:
echo "0.0.0.0/0" > /etc/maintenance.conf
pfctl -t maintenance -f /etc/maintenance.conf -T load
Table moderators
table <moderators> persist counters file "/etc/moderators.conf"
The moderators table holds IPs for users who will have access to egress
services provided by the applications. This means ports 80/tcp & 443/tcp for
frontend & backend and port 1194/udp for vpn servers.
Tables registry_clients and registry_servers
table <registry_clients> persist counters file "/etc/registry_clients.conf"
table <registry_servers> persist counters file "/etc/registry_servers.conf"
As their names suggest, registry_clients lists the IPs that are allowed to connect to the Docker registries listed in registry_servers.
Table targets
table <targets> persist counters file "/etc/targets.conf"
Table that holds the IPs of the (active) targets that users have unrestricted access to. This table is maintained by the backend console command backend/yii cron/pf.
Tables offense_network and offense_activated
table <offense_activated> persist counters { 10.10.0.0/16 }
table <offense_network> persist counters { 10.10.0.0/16 }
The offense_network table lists the networks allocated to players through the VPN or DHCP installations. The offense_activated table lists the IPs or networks belonging to players who have activated their registration.
On most installations these two tables hold the same IPs. They are kept separate for installations where users authenticate and activate their registration by means other than the frontend website.
Table banned
table <banned> persist counters
Dynamic table used to temporarily block specific IPs or network ranges.
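An example of the per-host /etc/services.pf.conf that the base ruleset includes, showing one way the maintenance, moderators, registry and targets tables described above could be consumed. This is an added illustration, not a file from the project: it assumes a single host that serves the web frontend to the public, runs a registry and terminates the player VPN, so that every table gets a rule. The port numbers 80, 443 and 1194 come from the moderators section; the tun group name and the ordering are assumptions.

```pf
# Illustrative /etc/services.pf.conf for a combined frontend/registry/VPN host.
# Not the project's file; every consuming rule below is an assumption derived
# from the table descriptions in this document. Evaluated after the base
# ruleset's "pass quick from <administrators>", so administrators are already in.

# Moderators reach the application services regardless of maintenance mode
pass in quick on egress proto tcp from <moderators> to (egress) port { 80, 443 }
pass in quick on egress proto udp from <moderators> to (egress) port 1194

# Registry clients may talk to the registry servers (port left to the host)
pass in quick proto tcp from <registry_clients> to <registry_servers>

# Maintenance mode: with 0.0.0.0/0 in <maintenance>, everyone not matched
# above is refused with a reply instead of reaching the public rules below
block return in quick on egress proto tcp from <maintenance> to (egress) port { 80, 443 }

# Public access to the frontend (only reached when maintenance is not active)
pass in on egress proto tcp to (egress) port { 80, 443 }

# Activated VPN players (tagged by the base ruleset) reach the active targets
pass in quick on tun to <targets> tagged OFFENSE_REGISTERED
```

The maintenance rule only has an effect because it is `quick` and sits between the moderator rules and the public `pass`; if it were placed after the public rule, the public `pass` would be the last match and maintenance mode would silently do nothing. After editing the table files, `pfctl -t maintenance -T show` confirms what the kernel actually holds.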