Code:
# Allow incoming ssh, http, bind traffic
# pass in on $ext_if proto tcp from any to any port 25
pass in on $ext_if proto tcp from any to any port ssh flags S/SA synproxy state
pass in on $ext_if proto udp from any to any port domain
pass in on $ext_if proto tcp from any to any port domain flags S/SA synproxy state
pass in on $ext_if proto tcp from any to any port http flags S/SA synproxy state
pass inet proto icmp all icmp-type $icmp_types keep state
## add your rule below ##
Consider:
Code:
# Allow incoming ssh, http, bind traffic
# pass in on $ext_if proto tcp from any to any port 25
# <blockedips> must be declared earlier in pf.conf, e.g. table <blockedips> persist
pass in on $ext_if inet proto tcp \
from !<blockedips> to ($ext_if) port ssh flags S/SA synproxy state
pass in on $ext_if inet proto udp \
from !<blockedips> to ($ext_if) port domain
pass in on $ext_if inet proto tcp \
from !<blockedips> to ($ext_if) port domain flags S/SA synproxy state
pass in on $ext_if inet proto tcp \
from !<blockedips> to ($ext_if) port http flags S/SA synproxy state
Among the alternatives to consider, "($ext_if)" is far better than "any".
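A complete minimal pf.conf that supplies the table definition the reply's rules depend on, with the "any" form next to the "($ext_if)" form. This is an added example, not from the thread; the interface name, the ICMP type list and the table file path are assumptions.

```pf
# Constructed example; em0, the icmp_types list and /etc/pf.blockedips are assumed
ext_if = "em0"
icmp_types = "{ echoreq, unreach }"

# Table the pass rules reference: "persist" keeps it even when empty,
# "file" preloads addresses from disk when the ruleset is loaded
table <blockedips> persist file "/etc/pf.blockedips"

set skip on lo0
block in log all

# Weak form: destination "any" matches every packet arriving on $ext_if,
# including traffic this host merely forwards for others
# pass in on $ext_if proto tcp from any to any port ssh flags S/SA synproxy state

# Corrected form: ($ext_if) expands at runtime to the interface's own
# address(es), so only packets addressed to this host match, and sources
# listed in <blockedips> are excluded before synproxy ever answers them
pass in on $ext_if inet proto tcp from !<blockedips> to ($ext_if) port ssh \
    flags S/SA synproxy state
pass in on $ext_if inet proto udp from !<blockedips> to ($ext_if) port domain
pass in on $ext_if inet proto tcp from !<blockedips> to ($ext_if) port { domain, http } \
    flags S/SA synproxy state
pass inet proto icmp all icmp-type $icmp_types keep state
pass out on $ext_if keep state
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, then manage the table at runtime with `pfctl -t blockedips -T add 192.0.2.10` (a constructed documentation address) and `pfctl -t blockedips -T show`.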