11th August 2008
ijk
the full rule set

Code:
# Macros: define common values, so they can be referenced and changed easily.
ext_if="rl0"
tcp_services = "{ domain, www, https, 10000 }"
udp_services = "{ domain }"
brute_block = "{ ssh, 10000 }"

# Tables: persist keeps the table across ruleset reloads; the file seeds it.
table <sshadmins> persist file "/etc/sshallow"
table <bruteforce> persist file "/etc/bruteforce"


# Set Optimizations:
set loginterface $ext_if

set skip on lo0

# Normalization / scrubbing
scrub in all

antispoof quick for { lo0 $ext_if }

block all
block quick from <bruteforce>

pass proto udp to any port $udp_services
pass proto tcp from any to self port $tcp_services
pass in on $ext_if inet proto icmp all icmp-type 8
# Allow access to sshd. 
pass in on $ext_if proto tcp from <sshadmins> to self port ssh

# Allow access to ftp (the macro is $ext_if; "$if" is not defined and pfctl rejects it)
pass out on $ext_if proto tcp from $ext_if to any port { 21 , 20 }

# brute force blocking: a source with more than 50 open connections, or more than
# 8 new connections in 60 seconds, is added to <bruteforce> and all its states are killed
pass quick proto { tcp, udp } from any to any port ssh keep state (max-src-conn 50, max-src-conn-rate 8/60, overload <bruteforce> flush global)
__________________
FreeBSD 7 64 bit apache2.2 php5 mysql5

Last edited by ijk; 11th August 2008 at 09:49 PM.
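The ftp rule in the posted set references a macro that is never defined, which pfctl -nf would refuse to load. The following is an added example, not part of the post: a small Python cross-check of pf.conf macro and table definitions against their uses, run over a constructed excerpt of the ruleset above (the excerpt and the helper names are assumptions, not the poster's).

```python
import re

# Constructed excerpt modelled on the posted ruleset. It keeps the undefined
# "$if" reference in the ftp rule and the never-referenced "brute_block" macro.
SAMPLE_PF_CONF = """\
ext_if="rl0"
tcp_services = "{ domain, www, https, 10000 }"
brute_block = "{ ssh, 10000 }"
table <sshadmins> persist file "/etc/sshallow"
table <bruteforce> persist file "/etc/bruteforce"
block quick from <bruteforce>
pass proto tcp from any to self port $tcp_services
pass in on $ext_if proto tcp from <sshadmins> to self port ssh
pass out on $ext_if proto tcp from $if to any port { 21 , 20 }
pass quick proto tcp from any to any port ssh keep state (overload <bruteforce> flush global)
"""

MACRO_DEF = re.compile(r"^([A-Za-z_]\w*)\s*=")   # name = "value"
TABLE_DEF = re.compile(r"^table\s+<(\w+)>")      # table <name> ...
MACRO_REF = re.compile(r"\$([A-Za-z_]\w*)")      # $name
TABLE_REF = re.compile(r"<(\w+)>")               # <name>


def lint_pf_conf(text):
    """Cross-check macro/table definitions against their uses.

    Returns undefined references (name -> line numbers) and definitions that
    are never used. An undefined macro fails at load time; an unused one is
    harmless but usually a typo.
    """
    defined_macros, defined_tables = set(), set()
    used_macros, used_tables = {}, {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        t = TABLE_DEF.match(line)
        if t:
            defined_tables.add(t.group(1))
            continue
        m = MACRO_DEF.match(line)
        if m:
            defined_macros.add(m.group(1))       # its value may use $macros too
        for name in MACRO_REF.findall(line):
            used_macros.setdefault(name, []).append(lineno)
        for name in TABLE_REF.findall(line):
            used_tables.setdefault(name, []).append(lineno)
    return {
        "undefined_macros": {n: l for n, l in used_macros.items() if n not in defined_macros},
        "unused_macros": sorted(defined_macros - set(used_macros)),
        "undefined_tables": {n: l for n, l in used_tables.items() if n not in defined_tables},
        "unused_tables": sorted(defined_tables - set(used_tables)),
    }
```

On the excerpt this reports `$if` on line 9 as undefined and `brute_block` as unused; the authoritative check remains `pfctl -nf /etc/pf.conf` before loading.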