  1. # pf config by Tim Niederhausen
  2.  
  3.  
  4. # Change the value to reflect your public interface. You can see this with ifconfig.
  5. ext_if="vtnet0"
  6.  
  7.  
  8. # Ports used for services
  9. service_ports="{ 22, 628, 6286, 3306, 80 }"
  10.  
  11. # Ports used by Metin2
  12. game_ports="{11003, 13000, 14004, 19000, 21000, 21001, 21002, 21003, 21004, 11007, 13099, 14004, 14005, 15000, 13001, 14099, 9900, 9901, 9902, 9903, 9904, 9905, 9906, 9907, 9908, 9909, 9910, 9911, 9912, 9913, 9914, 15099 }"
  13.  
  14. # IP addresses that should override the firewall rules, such as your web server.
  15. table <trusted_hosts> const { 185.61.137.87, 194.169.211.13, 185.11.146.113 }
  16.  
  17. table <abusive_hosts> persist
  18.  
  19. table <blockedips> persist file "/etc/pf.blocked.ip.conf"
  20.  
  21. set block-policy drop
  22. set loginterface $ext_if
  23. set skip on lo
  24.  
  25. scrub on $ext_if reassemble tcp no-df random-id
  26.  
  27. antispoof quick for { lo0 $ext_if }
  28.  
  29. block in
  30.  
  31. pass out all keep state
  32. pass out on $ext_if all modulate state
  33.  
  34. pass in quick from <trusted_hosts>
  35. block in quick from <abusive_hosts>
  36.  
  37. # Allow ping in
  38. pass in inet proto icmp all icmp-type echoreq
  39.  
  40. # Rate limits, trial and error
  41. pass in on $ext_if proto {tcp,udp} to any port $service_ports flags S/SA keep state \
  42. (max-src-conn 30, max-src-conn-rate 15/5, overload <abusive_hosts> flush)
  43.  
  44.  
  45. pass in on $ext_if proto tcp to any port $game_ports flags S/SA keep state \
  46. (max-src-conn 30, max-src-conn-rate 15/5, overload <abusive_hosts> flush)
  47.  
  48. block drop in log (all) quick on $ext_if from <blockedips> to any
  49.  
  50. pass in on $ext_if inet proto icmp all icmp-type echoreq keep state