From 886d3c17e96c29e29ebfdc160c279acf7af982f1 Mon Sep 17 00:00:00 2001
From: FusionPBX
Date: Sun, 25 Aug 2024 20:01:59 -0600
Subject: [PATCH] Update pf.conf and settings

---
 freebsd/resources/config.sh | 2 +-
 freebsd/resources/pf.sh | 5 ++++-
 freebsd/resources/pf/pf.conf | 41 ++++++++++++++++++++++++++----------
 3 files changed, 35 insertions(+), 13 deletions(-)

diff --git a/freebsd/resources/config.sh b/freebsd/resources/config.sh
index 3e615c4..f4d92dd 100755
--- a/freebsd/resources/config.sh
+++ b/freebsd/resources/config.sh
@@ -16,7 +16,7 @@ database_name=fusionpbx # Database name (safe characters A-Z, a-z, 0-9)
 database_username=fusionpbx # Database username (safe characters A-Z, a-z, 0-9)
 database_password=random # random or a custom value (safe characters A-Z, a-z, 0-9)
 database_enabled=true # true or false
-database_version=16 # Postgres 16, 15, 14, 13, 12
+database_version=15 # Postgres 16, 15, 14, 13, 12
 database_host=127.0.0.1 # hostname or IP address
 database_port=5432 # port number
 database_backup=false # true or false
diff --git a/freebsd/resources/pf.sh b/freebsd/resources/pf.sh
index f53ca52..2db4c90 100755
--- a/freebsd/resources/pf.sh
+++ b/freebsd/resources/pf.sh
@@ -21,5 +21,8 @@ echo 'pflog_logfile="/var/log/pflog"' >> /etc/rc.conf
 cp pf/pf.conf /etc/pf.conf
 #add the pf table files
-touch /etc/pf-block.conf
 touch /etc/pf-pass.conf
+touch /etc/pf-block.conf
+touch /etc/pf-block-sip-auth-ip.conf
+touch /etc/pf-block-sip-auth-fail.conf
+
diff --git a/freebsd/resources/pf/pf.conf b/freebsd/resources/pf/pf.conf
index 61a8847..ee914c5 100755
--- a/freebsd/resources/pf/pf.conf
+++ b/freebsd/resources/pf/pf.conf
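Review bot: The four `touch` calls create the pf table files with whatever ownership and umask the installer happens to run under, and nothing in the hunk pins either. Addresses listed in /etc/pf-pass.conf are passed `quick` ahead of every block rule in the pf.conf from this same commit, so any account that can write that file can whitelist itself; set the mode explicitly after the touches, e.g. `chown root:wheel /etc/pf-pass.conf /etc/pf-block*.conf` and `chmod 0644 /etc/pf-pass.conf /etc/pf-block*.conf`, and grant write access to the two SIP-auth block files only to whichever process is meant to populate them (not visible here). The trailing added blank line at the end of the file is noise. The script starts outside the hunk.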
@@ -1,24 +1,41 @@
+
+#define interfaces
 #ext_if="em0"
-set skip on lo0
+
+#normalize packets
 scrub in all
-antispoof for lo0
-table persist
-table persist file "/etc/pf-block.conf"
-table persist file "/etc/pf-pass.conf"
-pass in quick from to any keep state
+#skip rule for loopback interface
+set skip on lo0
-pass out quick all
+#prevent spoofing for all interfaces
+antispoof quick for all
+
+#allow traffic on loopback
 pass quick on lo0 all
-block in all
-block in quick from
-block in quick from
-#antispoof quick for $ext_if
+#add the pf tables
+table persist file "/etc/pf-pass.conf"
+table persist file "/etc/pf-block.conf"
+table persist file "/etc/pf-block-sip-auth-ip.conf"
+table persist file "/etc/pf-block-sip-auth-fail.conf"
+#allow outbound traffic
+pass out quick all
+
+#pass allowed addresses
+pass in quick from to any keep state
+
+#block traffic from blocked addresses
+block in quick from
+block in quick from
+block in quick from
+
+#allow ICMP
 pass in quick inet proto icmp all
 pass in quick inet6 proto icmp6 all
+#allow additional ports
 pass in quick inet proto tcp from any to any port 22 keep state
 pass in quick inet proto tcp from any to any port 80 keep state
 pass in quick inet proto tcp from any to any port 443 keep state
@@ -27,3 +44,5 @@ pass in quick inet proto tcp from any to any port 5060:5091 keep state
 pass in quick inet proto udp from any to any port 5060:5091 keep state
 pass in quick inet proto udp from any to any port 16384:32768 keep state
+#default block rule
+block in all
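Review bot: `set skip on lo0` is now placed after `scrub in all`, and FreeBSD's pfctl rejects an option that follows a normalization rule ("Rules must be in order: options, normalization, queueing, translation, filtering"), so this file is likely to fail to load on the platform the installer targets; move the `#skip rule for loopback interface` block above `#normalize packets` and verify with `pfctl -nf /etc/pf.conf` before shipping. Once `set skip on lo0` is in effect the added `pass quick on lo0 all` line is dead and can be dropped. The angle-bracket table names appear to have been stripped from the `table`, `pass in quick from` and `block in quick from` lines in this rendering, so I cannot confirm that the three block rules reference the three block tables declared above them; please double-check that each of the four declared tables is actually used.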
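Review bot: The new default rule `block in all` drops traffic silently, even though pf.sh in this same commit enables pflog via `pflog_logfile` in rc.conf; change it to `block in log all` so rejected packets reach the pflog interface and the effect of the SIP-auth block tables can be checked against what is actually being dropped. Because every `pass in` rule visible above carries `quick`, moving the default block from the top of the file to the end does not change matching, which is fine.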