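# pf.conf — single-homed server ruleset on $ext_if.
#
# pf evaluates rules top to bottom and the LAST matching rule wins, unless a
# rule carries `quick`, which ends evaluation at that rule.  Every block rule
# below that must not be overridden by a later `pass ... quick` is therefore
# itself marked `quick`.
ext_if="igb0"

set skip on lo
set block-policy drop        # silent drop: no RST/unreachable back to probers
set loginterface $ext_if
set optimization normal
set ruleset-optimization basic
set limit { states 200000, frags 200000, src-nodes 100000, table-entries 400000 }

# Reserved / unroutable (bogon) ranges that must never be seen on $ext_if,
# as source inbound or as destination outbound.
# NOTE(review): 169.254.0.0/16 also covers cloud metadata endpoints
# (169.254.169.254); carve that host out of the `block out` rule if this
# machine needs IMDS.  100.64.0.0/10 (CGNAT) is deliberately absent in case the
# upstream next hop lives there — add it if the gateway is a public address.
nonrout = "{ 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, \
             192.0.2.0/24, 192.168.0.0/16, 198.18.0.0/15, 198.51.100.0/24, \
             203.0.113.0/24, 240.0.0.0/4, 255.255.255.255/32 }"

# Services this host offers to the Internet (TCP only; see the `pass in` rule).
# NOTE(review): `sftp` resolves to 115/tcp (Simple File Transfer Protocol), not
# SFTP-over-SSH — if SSH-based file transfer is meant, use `ssh` instead.
# `ftp` (21) alone only supports active mode; passive mode needs ftp-proxy(8)
# or an explicitly opened passive data-port range.
int_services = "{ smtp, smtps, submission, pop3, pop3s, imap, imaps, www, https, ftp, sftp }"
# UDP services this host may initiate; every other outbound UDP flow is blocked.
out_services = "{ domain, ntp }"
icmp_types = "{ echoreq unreach }"

# Lists (persist: the tables survive a ruleset reload; the files are the
# authoritative source and must exist before pfctl -f runs)
table <whitelist> persist file "/var/pf/whitelist.txt"
table <blocklist> persist file "/var/pf/bans.txt"

# Normalise inbound fragments before any rule inspects them.
scrub in on $ext_if all fragment reassemble

# --- Default policy ---------------------------------------------------------
# Inbound is default-deny and logged.  The original `block return` overrode
# the global block-policy for this rule only; dropping instead keeps closed
# and filtered ports indistinguishable and avoids sending unreachables on
# behalf of spoofed sources.
block in log all
# UDP is default-deny in both directions.  NOTE(review): outbound TCP is
# default-PASS — pf passes anything no rule matches and there is no
# `block out` here.  If egress filtering is intended, add `block out log all`
# and extend the `pass out` rules to cover every service this host must reach.
block proto udp

# --- Spoofing / bogon defences ----------------------------------------------
# These were non-quick in the original, so the `pass in quick` for
# $int_services below overrode them: a packet failing uRPF or carrying our own
# address as source still reached an open port.  `quick` makes them final.
antispoof quick for $ext_if inet        # inet only: no IPv6 antispoof is configured
block in quick from no-route to any
block in quick from urpf-failed to any

# Malformed TCP flag combinations (scans, OS fingerprinting, state evasion)
block in quick on $ext_if proto tcp flags FUP/WEUAPRSF        # xmas
block in quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF   # all flags set
block in quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
block in quick on $ext_if proto tcp flags /WEUAPRSF           # null
block in quick on $ext_if proto tcp flags SR/SR
block in quick on $ext_if proto tcp flags SF/SF

block in quick on $ext_if from $nonrout to any
block out quick on $ext_if from any to $nonrout

# --- Access lists -----------------------------------------------------------
# Trusted hosts bypass the service filter but NOT the spoof/bogon/flag checks
# above.  `quick` is required: in the original this rule preceded
# `block in log all` without `quick`, so the later block won and the
# whitelist granted nothing inbound beyond what $int_services already allowed.
# It sits before the blocklist so a stale ban cannot lock a trusted host out;
# swap the two if bans must take precedence over the whitelist.
pass quick on $ext_if from <whitelist> to any

block in quick on $ext_if from <blocklist>
block out quick on $ext_if to <blocklist>

# --- Services ---------------------------------------------------------------
# Public services, TCP only (pf's default `flags S/SA` admits SYN-only, so
# state is created from the handshake).  None of these listen on UDP; add
# `proto udp to port https` only if HTTP/3 (QUIC) is served.
pass in quick on $ext_if proto tcp to port $int_services
pass out quick on $ext_if proto { tcp udp } to port $out_services

pass quick inet proto icmp icmp-type $icmp_types
# All ICMPv6 is passed in both directions (needed for NDP and PMTUD); tighten
# to explicit icmp6-types if $ext_if carries IPv6.
pass quick proto ipv6-icmp from any to any

# Allow outbound traceroute (UDP 33434-33625; `><` is an exclusive range).
pass out quick on $ext_if inet proto udp to port 33433 >< 33626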