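# Public interface
ext_if="em0"

# Hosts that trip the SSH rate limit further down are added to this table
# (see the "overload" option) and are then blocked and excluded from the
# port redirections. "persist" keeps the table even while no rule uses it.
# NOTE(review): the table name did not survive extraction of this file;
# "bruteforce" is a placeholder -- substitute the original name.
table <bruteforce> persist

# Set and drop these IP ranges on public interface.
# Only two ranges are active; the rest are kept commented out, presumably
# because the host itself sits inside one of those private ranges -- confirm
# before enabling them.
martians = "{ 0.0.0.0/8, 127.0.0.0/8 }"
# Candidate additions: 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8,
# 169.254.0.0/16, 192.0.2.0/24, 240.0.0.0/4

# Ports the web server actually listens on (targets of the rdr rules below).
webports = "{ 8080, 8443 }"
tcp_services = "{ domain, ntp, smtp, www, https, ssh }"
udp_services = "{ domain, ntp }"

# Skip all PF processing on loopback interface (this also keeps the
# antispoof rule below from interfering with loopback traffic)
set skip on lo

# Log statistics on interface
set loginterface $ext_if

# Packet normalization
scrub in all

# Redirect http and https ports to 8080 and 8443, resp.
# Translation rules are evaluated before filter rules, so filter rules see
# the translated destination (127.0.0.1 port 8080/8443), not port 80/443.
# Hosts already in the table are excluded from redirection first.
no rdr on $ext_if proto tcp from <bruteforce> to any
rdr on $ext_if proto tcp from any to any port 80 -> 127.0.0.1 port 8080
rdr on $ext_if proto tcp from any to any port 443 -> 127.0.0.1 port 8443

# Default policy
# NOTE(review): both default-deny rules are commented out, so pf's built-in
# default of "pass" applies: any traffic not matched by a block rule below is
# allowed, and the "pass out" rules at the end do not restrict anything.
#block return in log all
#block out all

# Protect against spoofed or forged IP addresses
antispoof quick for $ext_if

# Drop all Non-Routable Addresses
block drop in quick on $ext_if from $martians to any
block drop out quick on $ext_if from any to $martians

# Protect against SSH attacks
# "quick" on the block rule makes it win over the pass rule right below it
# for hosts that are already in the table.
block quick from <bruteforce>
# SSH is TCP only. "flags" and "max-src-conn*" are TCP-only options, and the
# original "proto { tcp, udp }" expands to a UDP rule carrying "flags S/SA",
# which pfctl rejects ("flags only apply to tcp"), so the ruleset never loads.
# Limits: 10 simultaneous connections per source address and at most 5 new
# connections per 3 seconds; an offender goes into the table and all of its
# existing states are killed ("flush global").
pass quick proto tcp from any to any port ssh \
	flags S/SA keep state \
	(max-src-conn 10, max-src-conn-rate 5/3, \
	overload <bruteforce> flush global)

# Allow Ping
pass inet proto icmp icmp-type echoreq

# Webserver
# Left disabled. If enabled, it would have to match the translated
# destination (127.0.0.1 port $webports) because of the rdr rules above.
#pass proto tcp from any to $ext_if port $webports

# Allow essential outgoing traffic
pass out quick on $ext_if proto tcp to any port $tcp_services
pass out quick on $ext_if proto udp to any port $udp_services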