
Vpn

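# Interface and address macros.
ExtIf = "vio0"
IP4 = "192.168.1.5"
# NOTE(review): a hextet longer than four hex digits is not a valid IPv6
# address, so pfctl will refuse to load this macro as written — confirm the
# intended prefix before deploying.
IP6 = "2fe80:fce1:5::/64"
VPN = "10.0.0.0/8"
# Per-rule state limits. max-pkt-rate caps the packet rate admitted by the
# rule; the max-src-* options bound how many sources and states it may hold.
FlushUDP = "max-pkt-rate 1000/10 keep state (max 1000, source-track rule, max-src-nodes 200, max-src-states 200)"
# Sources exceeding the connection rate are added to <badhosts> and all of
# their existing states are flushed.
Flush = "keep state (max 1000, source-track rule, max-src-nodes 100, max-src-conn-rate 50/10 overload <badhosts> flush global)"
# NOTE(review): identical to $Flush, so the ssh rule below is no stricter than
# the other tcp services; tighten the limits here if that was the intent.
FlushStrict = "keep state (max 1000, source-track rule, max-src-nodes 100, max-src-conn-rate 50/10 overload <badhosts> flush global)"

set skip on lo0
set loginterface $ExtIf
#set ruleset-optimization profile
set syncookies adaptive (start 25%, end 12%)

table <ilines> persist file "/etc/pf/ilines"
table <badhosts> persist file "/etc/pf/badhosts"

# Normalisation and spoofing checks must precede the "pass ... quick" rules:
# a quick match ends evaluation, so anything placed after those rules never
# applies to the traffic they admit.
match in all scrub (no-df random-id max-mss 1440)
block in quick from <badhosts>
block in quick from urpf-failed
# Default deny for inbound traffic. Not quick, so the later pass rules still
# win; anything they do not cover is dropped instead of falling through to
# pf's implicit default pass.
block in all

# udp and icmp
pass in quick proto udp to {$IP4 $IP6} port domain $FlushUDP
pass in quick proto udp to {$IP4 $IP6} port ntp $FlushUDP

# road warrior vpn
# NOTE(review): "inet" restricts these two rules to IPv4, so $IP6 in the
# destination list never matches here — confirm whether IKE over IPv6 is wanted.
pass in quick inet proto udp to {$IP4 $IP6 $VPN} port {isakmp, ipsec-nat-t} tag IKED
pass in inet proto esp to {$IP4 $IP6 $VPN} tag IKED
# The ROADW tag is not set in this file; presumably applied to the IPsec flows
# by iked — verify against iked.conf.
pass on enc0 inet tagged ROADW
match out on $ExtIf inet tagged ROADW nat-to $IP4
# Redirect VPN clients' DNS to the local resolver. "quick" does nothing on a
# match rule (match never terminates evaluation) and pfctl may reject the
# combination, so it is dropped here.
match in on enc0 inet proto { tcp, udp } to port 53 rdr-to 127.0.0.1 port 53

#pass in quick proto udp to {$IP4 $IP6} port {isakmp ipsec-nat-t} $FlushUDP
#block in quick proto udp to {$IP4 $IP6}
pass in quick on $ExtIf inet proto icmp icmp-type 8 code 0 $FlushUDP # icmp echo request
pass in quick on $ExtIf inet proto icmp icmp-type 3 code 4 $FlushUDP # icmp needfrag (path MTU)
pass in quick on $ExtIf proto ipv6-icmp $FlushUDP
# tcp
pass in quick proto tcp to {$IP4 $IP6 $VPN} port domain $Flush
pass in quick proto tcp to {$IP4 $IP6} port auth $Flush
pass in quick proto tcp to {$IP4 $IP6} port {smtp submission smtps imap imaps pop3 pop3s} $Flush
pass in quick proto tcp to {$IP4 $IP6} port {http https} $Flush
# Hosts in <ilines> are exempt from the $Flush limits on the irc ports.
pass in quick proto tcp from <ilines> to {$IP4 $IP6} port { 6660:6669 6697 6997 7000 9999 16667 16697 } #irc
pass in quick proto tcp to {$IP4 $IP6} port { 6660:6669 6697 6997 7000 9999 16667 16697 } $Flush #irc
pass in quick proto tcp to {$IP4 $IP6} port { 1314 13140 1337 31337 } $Flush #bnc
pass in quick proto tcp to {$IP4 $IP6} port 29173 $Flush #wraith
pass in quick proto tcp to {$IP4 $IP6} port 7777 $Flush #paster
pass in quick proto tcp to {$IP4 $IP6} port ssh $FlushStrict

pass out quick from {$IP4 $IP6} # allow non-spoofed packets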