Can't find any good example on the net.
Can you please help with making this a working PF file?
Thanks.
Code:
# --- part 1: test.pf as posted. EXT was used but never defined; pfctl's
# --- verbose output below shows the missing line was EXT = "em0", so it is
# --- restored here.
EXT = "em0"
set skip on lo0
# Block everything by default
block log all
# In
pass in quick on $EXT inet proto tcp from any to port {22, 80}
# Out
pass out quick on $EXT inet all

# --- part 2: output of "pfctl -vvnf test.pf" (not part of the file)
# pfctl -vvnf test.pf
EXT = "em0"
set skip on { lo0 }
@0 block drop log all
@1 pass in quick on em0 inet proto tcp from any to any port = ssh flags S/SA keep state
@2 pass in quick on em0 inet proto tcp from any to any port = www flags S/SA keep state
@3 pass out quick on em0 inet all flags S/SA keep state

# --- part 3: snippets from the PF FAQ. They use macros and a table that were
# --- never defined, so definitions are added here; interface names and
# --- addresses are placeholders to adjust. rdr-to/egress syntax needs
# --- OpenBSD 4.7 or newer.
ext_if = "em0"
int_if = "em1"               # placeholder: internal interface
webserver = "192.0.2.10"     # placeholder: address of the web server
comp3 = "192.168.0.3"        # placeholder: host receiving redirected port 80
icmp_types = "echoreq"
table <bad_hosts> persist    # filled by the overload rule below
# activate spoofing protection for all interfaces
block in quick from urpf-failed
# block IPs with high connection rates; this must come before any pass rule
# that would match the offenders, otherwise an earlier "pass ... quick" lets
# them through before the table is consulted
block quick from <bad_hosts>
pass in on $ext_if proto tcp from any to 202.4.2.1 port 80 flags S/SA synproxy state
# catches any attempts to connect to TCP port 80
pass in on egress inet proto tcp to (egress) port 80 \
rdr-to $comp3 synproxy state
pass in inet proto icmp all icmp-type $icmp_types
# traffic must be passed to and from the internal network
pass in on $int_if
# Block PING to a server
block return-icmp in quick on fxp0 proto icmp from any to 10.0.0.1
# the macro was written "$ext if" (a space instead of an underscore)
pass in on $ext_if proto tcp to $webserver port www flags S/SA keep state \
(max-src-conn-rate 100/10, overload <bad_hosts> flush global)
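The posted file fails for one class of error: macros such as $ext_if and the table <bad_hosts> are referenced without ever being defined (the "$ext if" typo shows up the same way, as an undefined macro named ext). The following Python script is an added example, not code from the post or from the PF project; it lists every $macro and <table> reference a pf.conf never defines, using the posted rules as constructed sample input. It is a pre-check only, and `pfctl -nf` remains the authoritative parser.

```python
"""Report $macro and <table> references in a pf.conf that are never defined.
Added example, not from the post: a lint to run before 'pfctl -nf'."""
import re

MACRO_DEF = re.compile(r'^\s*([A-Za-z_]\w*)\s*=')     # NAME = "value"
TABLE_DEF = re.compile(r'^\s*table\s*<\s*(\w+)\s*>')  # table <name> ...
MACRO_REF = re.compile(r'\$([A-Za-z_]\w*)')           # $NAME
TABLE_REF = re.compile(r'<\s*(\w+)\s*>')              # <name>

def logical_lines(conf):
    """Join backslash continuations and strip '#' comments
    (a '#' inside a quoted string is not handled)."""
    for raw in conf.replace('\\\n', ' ').splitlines():
        line = raw.split('#', 1)[0].strip()
        if line:
            yield line

def undefined_refs(conf):
    """Return (undefined_macros, undefined_tables), each a sorted list."""
    macros, tables, macro_refs, table_refs = set(), set(), set(), set()
    for line in logical_lines(conf):
        m = MACRO_DEF.match(line)
        if m:
            macros.add(m.group(1))
        t = TABLE_DEF.match(line)
        if t:
            tables.add(t.group(1))
        macro_refs.update(MACRO_REF.findall(line))
        table_refs.update(TABLE_REF.findall(line))
    return sorted(macro_refs - macros), sorted(table_refs - tables)

# Constructed sample: the rules from the post, with only EXT defined.
POSTED_RULES = """\
EXT = "em0"
pass in quick on $EXT inet proto tcp from any to port {22, 80}
pass in on $ext_if proto tcp from any to 202.4.2.1 port 80 flags S/SA synproxy state
pass in on egress inet proto tcp to (egress) port 80 \\
    rdr-to $comp3 synproxy state
pass in inet proto icmp all icmp-type $icmp_types
pass in on $int_if
block quick from <bad_hosts>
pass in on $ext if proto tcp to $webserver port www flags S/SA keep state \\
    (max-src-conn-rate 100/10, overload <bad_hosts> flush global)
"""

if __name__ == "__main__":
    bad_macros, bad_tables = undefined_refs(POSTED_RULES)
    for kind, names in (("macro", bad_macros), ("table", bad_tables)):
        print(f"undefined {kind}(s): {', '.join(names) or 'none'}")
```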