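## macros ###############################################################
ext_if="vtnet0"

# Non-routable / reserved ranges that must never appear as a source on the
# external interface or as a destination leaving it (anti-spoof, see below).
private = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
             10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
             0.0.0.0/8, 240.0.0.0/4 }"

## options ##############################################################
# Do not filter loopback. Without this, the interface-less "block in inet6"
# rule below also drops inbound ::1 traffic on lo0.
set skip on lo0

## tables ###############################################################
# NOTE(review): the angle-bracket table names were stripped when this page
# was extracted ("table persist", "from to"). <spamd> and <bruteforce> are
# restored from the adjacent comments and the spamd(8) / pf.conf(5) examples;
# confirm against the original file.
# spamd - blacklist only (populated by spamd-setup)
table <spamd> persist
# block the bruteforce bastards (populated by the ssh overload rule below)
table <bruteforce> persist

## filter ###############################################################
## scrub that shit
# Reassemble fragments, clear the DF bit, clamp TCP MSS to 1440.
scrub in all fragment reassemble no-df max-mss 1440

# spamd - blacklist only: SMTP from blacklisted senders goes to spamd on
# 127.0.0.1:8025. "rdr pass" passes these packets without evaluating the
# filter rules below.
rdr pass on $ext_if inet proto tcp from <spamd> to \
    $ext_if port smtp -> 127.0.0.1 port 8025

## block that shit
#antispoof for $ext_if
# No interface given: inbound IPv6 is dropped on every filtered interface.
# Outbound IPv6 is not covered and falls through to pf's implicit pass; add
# "block out inet6" if IPv6 should be disabled in both directions.
block in inet6
# Default deny inbound on the external interface, logged; the quick pass
# rules below punch holes in it.
block drop in log on $ext_if all
# NOTE(review): if vtnet0 itself carries a private address (VM behind NAT),
# these two rules drop all traffic on it -- confirm the addressing.
block drop in quick on $ext_if from $private to any
block drop out quick on $ext_if from any to $private
# block the bruteforce bastards
block drop in quick on $ext_if from <bruteforce>

## pass that shit
pass out quick on $ext_if inet proto tcp \
    from ($ext_if) to any \
    flags S/SA modulate state
pass out quick on $ext_if inet proto { udp, icmp } \
    from ($ext_if) to any \
    keep state
# Accepts every ICMP type inbound; narrow with "icmp-type echoreq" if only
# ping is wanted (ICMP errors for existing states are matched by state anyway).
pass in quick on $ext_if inet proto icmp \
    from any to ($ext_if) \
    keep state
#pass in quick on $ext_if inet proto tcp \
#    from any to ($ext_if) \
#    port { 21, > 49151 } \
#    flags S/SA modulate state
# ssh, rate-limited: a source opening more than 4 connections in 60 s is
# added to <bruteforce> and all of its states are flushed. Table entries do
# not expire on their own; age them out periodically, e.g. from cron:
#   pfctl -t bruteforce -T expire 86400
pass in quick on $ext_if inet proto tcp \
    from any to ($ext_if) \
    port = 22 \
    flags S/SA modulate state \
    (max-src-conn-rate 4/60, overload <bruteforce> flush global)

# mail: 25 smtp (blacklisted sources already diverted by the rdr above),
# 465 smtps, 993 imaps. No connection-rate limit is applied to these ports.
pass in quick on $ext_if inet proto tcp \
    from any to ($ext_if) \
    port = 25 \
    flags S/SA modulate state
pass in quick on $ext_if inet proto tcp \
    from any to ($ext_if) \
    port = 465 \
    flags S/SA modulate state
pass in quick on $ext_if inet proto tcp \
    from any to ($ext_if) \
    port = 993 \
    flags S/SA modulate state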