# pf.conf for a two-interface gateway: NAT for the LAN, a small set of
# exposed TCP services, and a persistent ban table.
# pf evaluates filter rules top to bottom and the LAST matching rule wins,
# except that a rule marked "quick" ends evaluation as soon as it matches.
# Rule order below is therefore significant; do not reorder casually.
ext_if = "rl1" # Internet-facing interface
int_if = "rl0" # LAN-facing interface
services = "{ 22, 80, 443 }" # TCP ports exposed on $ext_if (ssh, http, https)
icmp_types = "{ echoreq, unreach }" # only referenced by the commented-out ICMP rule below
set block-policy drop # blocked packets are silently dropped unless a rule says "return" (see the port 113 rule)
set loginterface $ext_if # keep per-interface packet/byte counters for the external side
table <blocked> persist # Permanent table of blocked hosts; "persist" keeps it even when no rule references it
set skip on lo # Allow all loopback: pf does not filter on lo at all
# Normalisation: no-df clears the Don't-Fragment bit so fragmented packets can
# still be reassembled; random-id replaces the IP ID of outbound packets with
# random values instead of a predictable counter
match in on $ext_if all scrub (no-df)
match out on $ext_if all scrub (no-df random-id)
nat on $ext_if from !($ext_if) -> ($ext_if:0) # NAT: LAN traffic leaves with the first address of $ext_if. NOTE(review): "nat on" is the pre-OpenBSD 4.7 form while "match ... scrub" above is the newer form; confirm the target pf version accepts both
block in log quick from <blocked> # Block and forget banned hosts; "quick" so no later pass rule can override this
block in log # Default: block incoming traffic (logged); the "pass in" rules below punch holes in it
block return in log on $ext_if inet proto tcp from any to any port 113 # ident: answer with a RST instead of dropping so remote servers do not hang waiting on the ident lookup
pass out log # Allow all outgoing traffic; pass rules keep state by default, so replies are admitted
antispoof quick for { lo, $ext_if, $int_if } # drop packets arriving on an interface other than the one their source network belongs to
pass in on $ext_if inet proto tcp from any to any port $services # expose $services on the outside; port 22 is also covered by the rate-limited ssh rule further down, which as the later matching rule takes precedence
# Turn on when we want externals to PING
# pass in on $ext_if inet proto icmp to ($ext_if) icmp-type $icmp_types
pass in on $int_if # Local network traffic OK: LAN hosts may initiate anything, including connections to the gateway itself
# Allow SSH on the external interface, but add the client to blocked
# table if it tries to connect more than X times in Y seconds (the rate is
# given by max-src-conn-rate in the rule that follows)
pass in on $ext_if inet proto tcp to ($ext_if) port ssh keep state \
(max-src-conn-rate 2/150, overload <blocked> flush globa