pf synproxy

1. #scrub in all no-df random-id
2.  
3. set skip on lo0
4.  
5. nat-anchor "ftp-proxy/*"
6. rdr-anchor "ftp-proxy/*"
7.  
8. rdr pass proto tcp from any to any port 21 -> 127.0.0.1 port 8021
9.  
10. anchor "ftp-proxy/*"
11.  
12. pass quick proto {icmp, icmp6, ospf}
13. pass out quick on {re2, re3} proto carp keep state (no-sync)
14.  
15. anchor quick from any to (re0) {
16. pass quick proto tcp from any to any port 22
17. block return log (to pflog1)
18. }
19.  
20. #block in quick on re2 from urpf-failed
21. #block in quick on re3 from urpf-failed
22.  
23. anchor quick from any to (re2:network) {
24. pass quick log proto tcp from any to any port 22 synproxy state
25. #block return log (to pflog1)
26. }
27.  
28. anchor quick from any to (re3:network) {
29. pass quick proto tcp from any to any port {20,21,22} modulate state
30. #block return log (to pflog1)
31. }
32.  
33. pass in quick on {re2, re3} flags any keep state
34.  
35. # block return in log (to pflog1)