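################ Macros ######################################################
# pf.conf (FreeBSD-style nat/rdr syntax). Loaded with pfctl -f; a macro that is
# referenced but never defined makes the whole ruleset fail to load, so every
# $name used below must be defined in this section.
### Interfaces ###
ext_if = "em0"
int_if = "ue0"
all_if = "{ em0, ue0 }"
### ports ###
# ICMPv4 types accepted by the "ping" rules below.
icmp_types = "{ echoreq unreach }"
# ICMPv6 types accepted by the inet6 "ping" rule below. The original file used
# $icmp6_types without defining it (load failure). Reviewer-constructed minimal
# set: echo, unreachable, packet-too-big/time-exceeded/param-problem (needed for
# PMTUD) and neighbour discovery (needed for any IPv6 on-link traffic).
# Adjust to site policy (e.g. add routersol/routeradv for SLAAC hosts).
icmp6_types = "{ echoreq unreach toobig timex paramprob neighbrsol neighbradv }"
### Queues, States and Types ###
# NOTE(review): IcmpPing, SshQueue and SynState are defined but never referenced.
# SshQueue also names altq queues that this file does not declare.
IcmpPing = "icmp-type 8 code 0"
SshQueue = "(ssh_bulk, ssh_login)"
SynState = "flags S/UAPRSF synproxy state"
# TCP: only accept a bare SYN to open a state, and randomise ISNs.
TcpState = "flags S/UAPRSF modulate state"
# UDP (and other non-TCP): plain state tracking; flags/modulate are TCP-only.
UdpState = "keep state"
### Stateful Tracking Options (STO) ###
OpenSTO = "(max 90000, source-track rule, max-src-conn 1000, max-src-nodes 256)"
SmtpSTO = "(max 200, source-track rule, max-src-conn 10, max-src-nodes 256, max-src-conn-rate 200/30)"
# NOTE(review): SshSTO is the only thing that feeds <BLOCKTEMP> (overload), but no
# rule uses it - the ssh rule below uses $OpenSTO, so <BLOCKTEMP> is never
# populated by this ruleset. Likewise SmtpSTO is unused (mail uses $OpenSTO).
SshSTO = "(max 100, source-track rule, max-src-conn 10, max-src-nodes 100, max-src-conn-rate 100/30, overload <BLOCKTEMP> flush global)"
WebSTO = "(max 8192, source-track rule, max-src-conn 128, max-src-nodes 512, max-src-conn-rate 500/100)"
### Tables ###
# Short-lived block list (intended target of the SshSTO overload clause).
table <BLOCKTEMP> counters
# Persistent block list, seeded from the file at load time.
table <BLOCKPERM> counters file "/var/cache/pfblock"
# Jail addresses; only referenced by the commented-out nat rule below.
table <jails> persist
################ Options #####################################################
#############################
################ Misc Options
set skip on lo
set debug urgent
set block-policy drop
set loginterface $ext_if
# States are bound to the interface they were created on.
set state-policy if-bound
set fingerprints "/etc/pf.os"
set ruleset-optimization none
#############################
############# Timeout Options
set optimization normal
set timeout { tcp.closing 60, tcp.established 7200}
################ Normalization ###############################################
#set-tos 0x2E is Maximize-Reliability + Minimize-Delay + Maximize-Throughput
scrub in on $all_if all fragment reassemble
################ Translation #################################################
### NAT and Redirection rules
# Translation rules are first-match: the most specific rdr must come before any
# catch-all.
#############################
######## bastille and $int_if
#nat on $ext_if from <jails> to any -> ($ext_if)
rdr-anchor "rdr/*"
nat on $ext_if inet from !($ext_if) to any -> ($ext_if)
#Matrix
# Matrix client port forwarded to the internal host; the matching filter rule
# below must reference the post-translation destination (10.0.2.2).
rdr on $ext_if inet proto tcp from !($ext_if) to ($ext_if) port 8008 -> 10.0.2.2
# DENY rogue redirection
# NOTE(review): "no rdr" only shields rdr rules that appear *after* it; there are
# none, and the rdr-anchor above is evaluated before it, so this is a no-op guard.
no rdr
################ Filtering ###################################################
# Filter rules are last-match unless "quick"; the block rules below are
# overridden by the later, more specific pass rules.
#############################
################ WAN Filtrage
#############################
###################exclusions
block drop in log quick on $ext_if from <BLOCKPERM> to any
# NOTE(review): this only drops UDP from <BLOCKTEMP>. If the table is meant to
# hold ssh brute-forcers (SshSTO overload), TCP from those sources is not blocked.
# Dropping "proto udp" would block all traffic from the table - confirm intent.
block drop in log quick on $ext_if proto udp from <BLOCKTEMP> to any
#############################
####### $ext_if default block
antispoof for $all_if
block drop in log on $ext_if
#############################
############# $ext_if inbound
# NOTE(review): every rule in this group accepts from any source (!($ext_if)).
# Samba, NFS, VNC, mpd, Spotifyd and the torrent ports are thereby reachable from
# the whole Internet; consider restricting their source to a trusted table.
#http https
pass in log on $ext_if inet proto tcp from !($ext_if) to ($ext_if) port https $TcpState $WebSTO
pass in log on $ext_if inet proto tcp from !($ext_if) to ($ext_if) port www $TcpState $WebSTO
#mail
pass in log on $ext_if inet proto tcp from !($ext_if) to ($ext_if) port { 25, 465, 587, 2525 } $TcpState $OpenSTO
pass in log on $ext_if inet proto tcp from !($ext_if) to ($ext_if) port { 143, 993 } $TcpState $OpenSTO
#ssh
# ssh on a non-standard port; uses $OpenSTO, so no rate limit / overload applies.
pass in log on $ext_if inet proto tcp from !($ext_if) to ($ext_if) port 31336 $TcpState $OpenSTO
#mpd
pass in log on $ext_if inet proto tcp from !($ext_if) to ($ext_if) port 6600 $TcpState $OpenSTO
# Samba
pass in log on $ext_if inet proto udp from !($ext_if) to ($ext_if) port { 137, 138 } $UdpState $OpenSTO
pass in log on $ext_if inet proto tcp from !($ext_if) to ($ext_if) port { 139, 445 } $TcpState $OpenSTO
# Nfs
# Split into one rule per protocol: $TcpState carries "flags" and "modulate",
# which are TCP-only, so the UDP expansion gets the plain keep-state macro.
pass in log on $ext_if inet proto tcp from !($ext_if) to ($ext_if) port { 111, 2049, 20048 } $TcpState $OpenSTO
pass in log on $ext_if inet proto udp from !($ext_if) to ($ext_if) port { 111, 2049, 20048 } $UdpState $OpenSTO
# Matrix sydent
pass in log on $ext_if inet proto tcp from !($ext_if) to ($ext_if) port 8448 $TcpState $OpenSTO
# Post-rdr destination for the port 8008 redirect above.
pass in log on $ext_if inet proto tcp from !($ext_if) to 10.0.2.2 port 8008 $TcpState $OpenSTO
# Spotifyd
pass in log on $ext_if inet proto tcp from !($ext_if) to ($ext_if) port {5353, 4444} $TcpState $OpenSTO
pass in log on $ext_if inet proto udp from !($ext_if) to ($ext_if) port 5353 $UdpState $OpenSTO
# Torrent
pass in log on $ext_if inet proto udp from !($ext_if) to ($ext_if) port {6771, 51413} $UdpState $OpenSTO
pass in log on $ext_if inet proto tcp from !($ext_if) to ($ext_if) port 51413 $TcpState $OpenSTO
# VNC
pass in log on $ext_if inet proto tcp from !($ext_if) to ($ext_if) port 5900 $TcpState $OpenSTO
# ping
# No "quick" here: these rules match every interface and direction, and as
# quick rules they would override the earlier antispoof/<BLOCKTEMP> blocks for
# ICMP. Without quick the later pass still wins over the default block, while
# spoofed ICMP stays dropped.
pass inet proto icmp icmp-type $icmp_types
pass inet6 proto icmp6 icmp6-type $icmp6_types
#############################
############ pass out network
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
#############################
####### pass internal network
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state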