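# pf.conf: default-deny inbound host firewall with per-source connection
# limits that automatically ban abusive clients into <abusive_hosts>.

# --- Macros ------------------------------------------------------------
ext_if="em0"                                         # change to your external interface name
service_ports="{ 22, 25, 80, 53, 443, 3306, 8080 }"  # publicly reachable services
# NOTE(review): 3306 (MySQL) and 8080 are reachable from the whole internet
# with this list; if only known clients need them, drop them from here and
# reach them via <trusted_hosts> instead.
application_ports="{ 8332, 8333, 6688, 6689, 55001 }"  # change to the ports your apps need
# (the original line lacked the closing quote, which makes pfctl reject the file)

# --- Tables ------------------------------------------------------------
# Hosts that bypass EVERY inbound restriction (see the "pass in quick" rule
# below). That is unrestricted inbound access, so list only your own admin
# addresses. Do not put DNS resolvers here: their replies already match the
# stateful "pass out" rules, and listing them only grants them full inbound
# access. The placeholders must be replaced with real IPs or the ruleset
# will not load.
table <trusted_hosts> const { my.ip.one.address, my.ip.two.address }

# Sources that tripped the connection limits, or were banned by hand.
# "persist" keeps the table alive across ruleset reloads. Entries never
# expire on their own; age them out from cron, e.g.
#   pfctl -t abusive_hosts -T expire 86400
table <abusive_hosts> persist

# --- Options -----------------------------------------------------------
set block-policy drop      # drop silently instead of answering with RST / ICMP unreachable
set loginterface $ext_if
set skip on lo             # loopback is never filtered

# Normalization: reassemble fragments, clear DF, randomize IP IDs
scrub on $ext_if reassemble tcp no-df random-id

# Drop packets whose source address belongs to one of our own networks but
# arrives on the wrong interface (spoofing)
antispoof quick for { lo0 $ext_if }

# --- Default policy ----------------------------------------------------
# Deny inbound; allow outbound with state (last matching rule wins, so the
# second "pass out" refines the first on the external interface only).
block in
pass out all keep state
pass out on $ext_if all modulate state   # stronger ISN randomization towards the internet

# Trusted hosts are matched BEFORE the ban table on purpose: an admin host
# that trips the rate limit (scanner, backup job) cannot lock itself out.
# The flip side is that a trusted host can never be banned, not even by hand.
pass in quick from <trusted_hosts>
block in quick from <abusive_hosts>

# Allow ping. NOTE(review): this only covers IPv4 ICMP; if IPv6 is enabled
# on $ext_if, "block in" also drops ICMPv6 neighbor discovery -- add the
# matching icmp6 rules before relying on IPv6.
pass in inet proto icmp all icmp-type echoreq

# --- Public services ---------------------------------------------------
# max-src-conn caps completed TCP handshakes per source; max-src-conn-rate
# caps new connections per source at 25 within 5 s. A source exceeding
# either limit is added to <abusive_hosts> and the states it created through
# this rule are flushed (use "flush global" to kill all of its states).
pass in on $ext_if proto tcp to any port $service_ports flags S/SA keep state \
    (max-src-conn 30, max-src-conn-rate 25/5, overload <abusive_hosts> flush)

# Application ports, TCP: same limits as the public services.
pass in on $ext_if proto tcp to any port $application_ports flags S/SA keep state \
    (max-src-conn 30, max-src-conn-rate 25/5, overload <abusive_hosts> flush)

# Application ports, UDP. The original single "proto {tcp,udp}" rule gave
# UDP no protection at all: max-src-conn and max-src-conn-rate only count
# TCP connections that completed the 3-way handshake (pf.conf(5)), and
# "flags S/SA" is meaningless for UDP. max-src-states applies to every
# protocol and hard-caps the number of UDP states per source; whether it
# also feeds the overload table depends on the pf version -- TODO verify
# on your release. The hard cap applies regardless.
pass in on $ext_if proto udp to any port $application_ports keep state \
    (max-src-states 30, overload <abusive_hosts> flush)

# --- Manual management (192.0.2.10 is a documentation address) ---------
## ban an address        :: pfctl -t abusive_hosts -T add 192.0.2.10
## remove a ban          :: pfctl -t abusive_hosts -T delete 192.0.2.10
## remove all bans       :: pfctl -t abusive_hosts -T flush
## list current bans     :: pfctl -t abusive_hosts -T show
## syntax-check the file :: pfctl -nf /etc/pf.conf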