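# pf.conf for a single-homed host serving mail/web/ftp on one external interface.
# Policy: inbound is default-deny (logged) with explicit quick passes for the
# served ports; outbound has no default "block out" (pf passes what no rule
# matches), so TCP and other non-UDP protocols leave freely, while UDP is
# denied except for DNS, NTP and traceroute probes.
# pf evaluates rules last-match-wins unless a rule is marked "quick", so the
# ordering below is part of the policy; see the notes at each section.

# External interface. The $nonrout blocks below drop RFC1918 space in both
# directions on this interface, so it is assumed to carry a public address.
ext_if="igb0"

# --- Options -----------------------------------------------------------------
set skip on lo
# Silent drop by default; note that "block return in log all" further down
# overrides this for inbound traffic and answers with RST / ICMP unreachable.
set block-policy drop
set loginterface $ext_if
set optimization normal
set ruleset-optimization basic
# table-entries is sized for large ban/allow tables loaded from files below.
set limit { states 200000, frags 200000, src-nodes 100000, table-entries 400000 }

# --- Macros ------------------------------------------------------------------
# IPv4 bogon / non-routable space. There is no IPv6 counterpart in this
# ruleset; inbound IPv6 is covered only by the generic "block return in log all".
nonrout = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4, 255.255.255.255/32 }"
# Inbound service ports, resolved through /etc/services at load time.
# NOTE(review): the service name "sftp" resolves to 115/tcp (Simple File
# Transfer Protocol), not SSH-based SFTP on 22/tcp -- confirm which one was
# intended before relying on it. Passive-mode FTP data ports are not opened
# by this ruleset.
int_services = "{smtp, smtps, submission, pop3, pop3s, imap, imaps, www, https, ftp, sftp}"
# Outbound UDP services that the "block proto udp" default below must not catch.
out_services = "{domain, ntp}"
# Echo request (ping) and destination unreachable (path-MTU discovery).
icmp_types = "{ echoreq unreach }"

# --- Tables ------------------------------------------------------------------
# Lists
table <whitelist> persist file "/var/pf/whitelist.txt"
table <blocklist> persist file "/var/pf/bans.txt"

# --- Normalisation -----------------------------------------------------------
scrub in on $ext_if all fragment reassemble

# --- Default deny ------------------------------------------------------------
# antispoof expands to "block in quick" rules for this interface's own
# networks; it is "inet" only, so IPv6 spoofing is not covered here.
antispoof for $ext_if inet
block return in log all
# Deliberately not quick: the UDP pass rules in the "Allowed traffic" section
# are evaluated later and override it (last match wins).
block proto udp
# quick so that the later quick pass rules for served ports cannot override
# these two; without quick, a packet from an unroutable or reverse-path-failed
# source addressed to a served port would have been accepted.
block in quick from no-route to any
block in quick from urpf-failed to any

# --- Invalid TCP flag combinations (scan / fingerprinting signatures) --------
block in quick on $ext_if proto tcp flags FUP/WEUAPRSF
block in quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
block in quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
block in quick on $ext_if proto tcp flags /WEUAPRSF
block in quick on $ext_if proto tcp flags SR/SR
block in quick on $ext_if proto tcp flags SF/SF

# --- Bogons and bans ---------------------------------------------------------
block in quick on $ext_if from $nonrout to any
block out quick on $ext_if from any to $nonrout
block in quick on $ext_if from <blocklist>
block out quick on $ext_if to <blocklist>

# --- Allowed traffic ---------------------------------------------------------
# Whitelisted hosts bypass the default deny. This rule sits after the block
# section on purpose: as a non-quick rule it must come after
# "block return in log all" to take effect at all (last match wins), while the
# quick rules above still stop banned hosts, bogons and bad-flag packets from
# whitelisted addresses.
pass on $ext_if from <whitelist> to any keep state
# Modern pf keeps state on pass rules by default.
# NOTE(review): "{ tcp udp }" also opens UDP on every mail/web/ftp port; only
# 80/443 (QUIC) plausibly need UDP -- consider restricting to tcp elsewhere.
pass in quick on $ext_if proto { tcp udp } to port $int_services
pass out quick on $ext_if proto { tcp udp } to port $out_services
pass quick inet proto icmp icmp-type $icmp_types
# All ICMPv6 types, both directions, all interfaces (needed for NDP); could be
# narrowed to the required types once the IPv6 role of this host is known.
pass quick proto ipv6-icmp from any to any
# Allow traceroute
pass out on $ext_if inet proto udp to port 33433 >< 33626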