Update pf.conf and settings

freebsd/resources/config.sh

@@ -16,7 +16,7 @@ database_name=fusionpbx         # Database name (safe characters A-Z, a-z, 0-9)
 database_username=fusionpbx     # Database username (safe characters A-Z, a-z, 0-9)
 database_password=random        # random or a custom value (safe characters A-Z, a-z, 0-9)
 database_enabled=true           # true or false
-database_version=16             # Postgres 16, 15, 14, 13, 12
+database_version=15             # Postgres 16, 15, 14, 13, 12
 database_host=127.0.0.1         # hostname or IP address
 database_port=5432              # port number
 database_backup=false           # true or false

freebsd/resources/pf.sh

@@ -21,5 +21,8 @@ echo 'pflog_logfile="/var/log/pflog"' >> /etc/rc.conf
 cp pf/pf.conf /etc/pf.conf
 
 #add the pf table files
-touch /etc/pf-block.conf
 touch /etc/pf-pass.conf
+touch /etc/pf-block.conf
+touch /etc/pf-block-sip-auth-ip.conf
+touch /etc/pf-block-sip-auth-fail.conf
+

freebsd/resources/pf/pf.conf

@@ -1,24 +1,41 @@
+
+#define interfaces
 #ext_if="em0"
-set skip on lo0
+
+#normalize packets
 scrub in all
 
-antispoof for lo0
-table <fail2ban> persist
-table <pf-block> persist file "/etc/pf-block.conf"
-table <pf-pass> persist file "/etc/pf-pass.conf"
-pass in quick from <pf-pass> to any keep state
+#skip rule for loopback interface
+set skip on lo0
 
-pass out quick all
+#prevent spoofing for all interfaces
+antispoof quick for all
+
+#allow traffic on loopback
 pass quick on lo0 all
 
-block in all
-block in quick from <fail2ban>
-block in quick from <pf-block>
-#antispoof quick for $ext_if
+#add the pf tables
+table <pf-pass> persist file "/etc/pf-pass.conf"
+table <pf-block> persist file "/etc/pf-block.conf"
+table <sip-auth-ip> persist file "/etc/pf-block-sip-auth-ip.conf"
+table <sip-auth-fail> persist file "/etc/pf-block-sip-auth-fail.conf"
 
+#allow outbound traffic
+pass out quick all
+
+#pass allowed addresses
+pass in quick from <pf-pass> to any keep state
+
+#block traffic from blocked addresses
+block in quick from <pf-block>
+block in quick from <sip-auth-ip>
+block in quick from <sip-auth-fail>
+
+#allow ICMP
 pass in quick inet proto icmp all
 pass in quick inet6 proto icmp6 all
 
+#allow additional ports
 pass in quick inet proto tcp from any to any port 22 keep state
 pass in quick inet proto tcp from any to any port 80 keep state
 pass in quick inet proto tcp from any to any port 443 keep state
@@ -27,3 +44,5 @@ pass in quick inet proto tcp from any to any port 5060:5091 keep state
 pass in quick inet proto udp from any to any port 5060:5091 keep state
 pass in quick inet proto udp from any to any port 16384:32768 keep state
 
+#default block rule
+block in all