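# pf.conf for a NAT gateway: uplink on $ext_if, LAN on $int_if, a second LAN segment on $opt_if.
# Section order follows pf's grammar: macros/options, normalization (scrub), translation (nat),
# then filter rules. Within the filter rules the last matching rule wins unless a rule is "quick",
# which ends evaluation immediately; the ordering of the "quick" rules below is therefore significant.

# Address blocks that must never be a source arriving on the uplink or a destination leaving it
# (unspecified, RFC 1918, loopback, link-local, documentation, benchmark, multicast, class E, broadcast).
bogons="{0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.0.0.0/24, 192.0.2.0/24, 192.88.99.0/24, 192.168.0.0/16, 198.18.0.0/15, 198.51.100.0/24, 203.0.113.0/24, 224.0.0.0/4, 240.0.0.0/4, 255.255.255.255/32}"

# Shorter TCP teardown timers so half-closed and closed connections leave the state table sooner.
set timeout tcp.closing 60
set timeout tcp.finwait 60
set timeout tcp.closed 30

ext_if="em0"                    # uplink / untrusted side
int_if="lagg0"                  # primary LAN
opt_if="em1"                    # second LAN segment (NATed with static-port below)
localnet=$int_if:network        # network attached to $int_if, resolved when the ruleset is loaded

# Symbolic form of client_out as originally written (kept for reference):
#   {ssh,domain,smtp,pop3,pop3s,syslogd-ng,auth,http,https,munin,dnsmasq,openarena}
# TCP destination ports the LAN may open to any host (used by the non-quick "pass inet proto tcp" rule).
client_out="{22,53,25,465,514,587,110,995,113,80,443,4949,5353,27960}"
# Destination ports the LAN may reach with the "pass quick" rule below: dhcp, domain, ntp (123), syslog-ng, openarena.
udp_services="{67,68,53,123,514,27950,27960}"
# ICMP types passed on every interface; "unreach" is needed for path-MTU discovery, "echoreq" makes the box answer pings.
icmp_types="{echoreq,unreach}"

# --- rules ---
set skip on lo0                 # loopback is never filtered
scrub in all                    # normalize / reassemble everything inbound

# Translation rules (must precede the filter rules).
nat on $ext_if from $localnet to any -> ($ext_if)
nat on $ext_if from $opt_if:network to any -> ($ext_if) static-port

# Default deny inbound. Outbound is allowed by the stateful "pass out all" rule at the end;
# the other pass rules carry no explicit "keep state" and rely on pf's default stateful behaviour.
block in all

# Anti-spoofing on the uplink: bogon sources coming in and bogon destinations going out are dropped
# before any "pass quick" rule is evaluated, so no later quick rule can pass such traffic.
# (Previously the egress rule sat after "pass quick ... port $udp_services", which passed LAN traffic
# to bogon destinations on those ports before the egress block was reached.)
# NOTE(review): 255.255.255.255/32 and 0.0.0.0/8 are in $bogons; if $ext_if itself obtains its
# address by DHCP, the client's broadcast on the uplink is caught by the egress rule - confirm.
# If $int_if/$opt_if are expected to see only their own networks as sources, "antispoof" for those
# interfaces would complement the $ext_if rules here.
block drop in quick on $ext_if from $bogons to any
block drop out quick on $ext_if from any to $bogons

# No interface or direction is given, so this matches inbound on $int_if and outbound on $ext_if.
# tcp is included although the macro is named udp_services - presumably for DNS over TCP; confirm.
pass quick inet proto {tcp,udp} from $localnet to any port $udp_services

# DHCP on the LAN: client discover/request has no address yet (not in $localnet), so it needs its own rules.
pass in quick on $int_if proto udp from port = 68 to port = 67
pass out quick on $int_if proto udp from port = 67 to port = 68

# Logged to pflog; applies to every interface in both directions, so $ext_if also answers echo requests.
pass log inet proto icmp all icmp-type $icmp_types

# Client TCP connections from the LAN to the listed ports.
pass inet proto tcp from $localnet to any port $client_out

# Everything else outbound is allowed; the state entry is what lets replies through "block in all".
pass out all keep state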