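# vim: set ft=pf
# /etc/pf.conf
#
# Single-homed host firewall: default-deny in both directions, with explicit
# passes for SSH (port 26), the web server, and a short list of outbound
# services. pf uses last-match semantics unless a rule says "quick", so the
# blanket "block" rules come first and the "pass" rules after them.

# vtnet(4) is FreeBSD's virtio NIC driver, which suggests FreeBSD pf; the
# "scrub" line below is written in that (pre-OpenBSD-4.6) syntax — confirm.
ext_if="vtnet0"
webports = "{http, https}"
int_tcp_services = "{domain, ntp, smtp, www, https, ftp}"
int_udp_services = "{domain, ntp}"

set skip on lo
# Per-interface packet/byte counters for "pfctl -s info"; this is unrelated
# to the "log" keyword, which always goes to pflog.
set loginterface $ext_if

# Normalization: reassemble IP fragments and randomize the IP id field.
scrub in all random-id fragment reassemble

# Default deny. "return" answers blocked inbound TCP with RST and UDP with
# ICMP unreachable, and every inbound block is logged; outbound is dropped
# silently.
block return in log all
block out all

# Drop packets arriving on $ext_if whose source address belongs to one of
# this host's own networks.
antispoof quick for $ext_if

# Block rapid-fire brute force attempts: hosts that trip the SSH limits
# below are added to this table and cut off before any pass rule can match.
# "persist" keeps the table and its contents even when no rule refers to it
# (e.g. across a rule flush).
# NOTE(review): the table name did not survive extraction of this page;
# <bruteforce> is a placeholder — restore the name from the original file in
# all three places it is used.
table <bruteforce> persist
block quick from <bruteforce>

# ftp-proxy needs to have an anchor; ftp-proxy(8) loads its own rules into
# it at run time.
anchor "ftp-proxy/*"

# SSH is listening on port 26. A single source may hold at most 15
# concurrent connections and open at most 5 new ones per 3 seconds;
# exceeding either limit puts the source into <bruteforce>, and
# "flush global" tears down all of that host's existing states, not only
# those created by this rule.
pass in quick proto tcp to $ext_if port 26 keep state \
    (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)

# Webserver. No direction or interface is given, so the rule also matches
# outbound packets addressed to $ext_if on these ports; that is mostly
# harmless here, but "pass in on $ext_if proto tcp ..." would be the tighter
# form.
pass proto tcp from any to $ext_if port $webports

# Allow essential outgoing traffic. NOTE(review): no icmp is passed in
# either direction, so inbound "fragmentation needed" messages are dropped
# and path-MTU discovery cannot work — worth revisiting if large transfers
# stall.
pass out quick on $ext_if proto tcp to any port $int_tcp_services
pass out quick on $ext_if proto udp to any port $int_udp_services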