if = "{ re0 }" table persist { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/5 } icmp_types = "echoreq" open_tcp = "{ 22, 25, 80, 110, 143, 443 }" open_udp = "{ 22, 80 }" jails = "{ 10.0.0.2, 10.0.0.3 }" ip = www = 10.0.0.2 mail = 10.0.0.3 set block-policy drop set skip on lo0 set timeout { interval 10, frag 30 } set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 } set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 } set timeout { udp.first 60, udp.single 30, udp.multiple 60 } set timeout { icmp.first 20, icmp.error 10 } set timeout { other.first 60, other.single 30, other.multiple 60 } set timeout { adaptive.start 0, adaptive.end 0 } set limit { states 10000, frags 5000 } set loginterface re0 set optimization normal set require-order yes set fingerprints "/etc/pf.os" set ruleset-optimization basic scrub in all fragment reassemble random-id rdr on $if proto tcp from any to $if port { 80, 443 } -> $www rdr on $if proto udp from any to $if port { 80 } -> $www rdr on $if proto tcp from any to $if port { 25, 110, 143 } -> $mail nat on $if proto {tcp udp icmp} from $jails to any -> $ip block log all block return block in quick on $if inet from to any antispoof quick for $if pass in on $if proto tcp from any to any port $open_tcp keep state pass in on $if proto udp from any to any port $open_udp keep state pass out log on $if inet proto tcp from $mail to any port 25 flags S/SA synproxy state pass out quick all keep state pass in on $if inet proto icmp all icmp-type $icmp_types keep state pass in on $if inet proto udp from any to any port 33433 >< 33626 keep state