
FreeBSD 10 host firewall

a guest
Oct 1st, 2014
# pf.conf for a single FreeBSD 10 host with one external interface (IPv4 and IPv6)
ext_if = "em0"

# Options must come before normalization and filter rules; pfctl rejects a
# ruleset that runs backwards through options, normalization, queueing,
# translation, filtering ("Rules must be in order: ..."). The original paste
# had "set skip on lo0" after "block all", which fails to load for that reason.
set fingerprints "/etc/pf.os"
set skip on lo0

# Reassemble fragments so the filter rules below see whole packets
scrub in on $ext_if all fragment reassemble

# Default deny; every pass rule below opens one specific hole
block all
antispoof for $ext_if inet

icmp_types = "{ echoreq, unreach }"
icmp6_types = "{ unreach, toobig, timex, paramprob, echoreq, echorep, neighbradv, neighbrsol, routeradv, routersol }"

# Drop TCP segments with flag combinations no legitimate stack sends
# (XMAS, NULL, SYN+FIN, SYN+RST, FIN/URG/PSH without ACK, ...)
block in quick on $ext_if proto tcp flags FUP/WEUAPRSF
block in quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
block in quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
block in quick on $ext_if proto tcp flags /WEUAPRSF
block in quick on $ext_if proto tcp flags SR/SR
block in quick on $ext_if proto tcp flags SF/SF
block in quick on $ext_if proto tcp from any to any flags FUP/FUP

# Drop and log traffic whose passive OS fingerprint (pf.os) matches the NMAP class
block in log quick on $ext_if from any os "NMAP" to any label NMAPScan

# Outbound: allow and keep state; modulate state randomises TCP initial sequence numbers
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state
pass out on $ext_if inet6 proto { tcp, udp, icmp6 } from any to any modulate state

# Inbound services over IPv4. flags S/SA only creates state on a bare SYN, and
# synproxy completes the three-way handshake in pf before the daemon sees the connection.
pass in on $ext_if proto tcp from any to any port ssh flags S/SA synproxy state
pass in on $ext_if proto tcp from any to any port smtp flags S/SA synproxy state
pass in on $ext_if proto tcp from any to any port http flags S/SA synproxy state
pass in on $ext_if proto tcp from any to any port https flags S/SA synproxy state
pass in on $ext_if proto tcp from any to any port imap flags S/SA synproxy state
pass in on $ext_if proto tcp from any to any port domain flags S/SA synproxy state
pass in on $ext_if proto tcp from any to any port submission flags S/SA synproxy state
pass in on $ext_if proto udp from any to any port domain

# The same services over IPv6
pass in on $ext_if inet6 proto tcp from any to any port ssh flags S/SA synproxy state
pass in on $ext_if inet6 proto tcp from any to any port smtp flags S/SA synproxy state
pass in on $ext_if inet6 proto tcp from any to any port http flags S/SA synproxy state
pass in on $ext_if inet6 proto tcp from any to any port https flags S/SA synproxy state
pass in on $ext_if inet6 proto tcp from any to any port imap flags S/SA synproxy state
pass in on $ext_if inet6 proto tcp from any to any port domain flags S/SA synproxy state
pass in on $ext_if inet6 proto tcp from any to any port submission flags S/SA synproxy state
pass in on $ext_if inet6 proto udp from any to any port domain

# Only the ICMP/ICMPv6 types listed in the macros above; IPv6 needs neighbour
# discovery and router advertisements to function at all
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in inet6 proto icmp6 all icmp6-type $icmp6_types keep state

# Addresses sshguard adds to this table are blocked from port 22. "quick" makes
# this rule final even though the "pass in ... port ssh" rule above is evaluated first.
table <sshguard> persist
block in quick on $ext_if proto tcp from <sshguard> to any port 22 label "ssh bruteforce"

# Emerging Threats block list, maintained in a separate file and loaded into its own anchor
anchor "emerging-threats"
load anchor "emerging-threats" from "/etc/emerging-PF-ALL.rules"
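The ruleset above only loads if its sections appear in the order pfctl enforces (options, normalization, queueing, translation, filtering; macros and tables may sit anywhere), and the paste as posted violates that with `set skip on lo0` placed after `block all`. The following linter is an added example, not part of the paste and not a FreeBSD or pf tool: it classifies each pf.conf line by its leading keyword, reports rules that appear after a later section, and can stable-sort a ruleset into the required order. `SAMPLE` is an excerpt of the pasted ruleset in its original order; the keyword table covers the FreeBSD 10 rule types and treats anything it does not recognise as unconstrained.

```python
"""Lint a pf.conf ruleset for pfctl's section ordering.

Added example for this paste; it is not part of the pasted ruleset and not
a FreeBSD/pf tool.  pf.conf(5) on FreeBSD 10 requires, after macros and
tables (allowed anywhere): options, normalization (scrub), queueing,
translation (nat/rdr/binat), filtering (block/pass/antispoof/anchor).
pfctl refuses a file whose rules run backwards through that sequence with
"Rules must be in order: options, normalization, queueing, translation,
filtering".  SAMPLE is an excerpt of the pasted ruleset in its original
order, so the check finds the misplaced "set skip on lo0".
"""
import re

SECTION_ORDER = ["option", "normalization", "queueing", "translation", "filter"]

# First keyword of a rule -> section it belongs to.  Macro assignments,
# table definitions and "include" may appear anywhere and map to None.
KEYWORDS = {
    "set": "option",
    "scrub": "normalization",
    "altq": "queueing",
    "queue": "queueing",
    "nat": "translation",
    "rdr": "translation",
    "binat": "translation",
    "block": "filter",
    "pass": "filter",
    "antispoof": "filter",
    "anchor": "filter",
    # "load anchor" carries no ordering constraint of its own; it is kept with
    # the filter rules so a stable sort leaves it after its "anchor" rule.
    "load": "filter",
}

MACRO_RE = re.compile(r"[A-Za-z_]\w*\s*=")


def classify(line):
    """Return the section of one pf.conf line, or None for macros, tables,
    comments, blank lines and keywords this linter does not know."""
    text = line.split("#", 1)[0].strip()
    if not text or MACRO_RE.match(text):
        return None
    return KEYWORDS.get(text.split()[0])


def check_order(ruleset):
    """Return (lineno, section, text) for every rule that appears after a
    rule from a later section, which is exactly what pfctl rejects."""
    highest = -1
    violations = []
    for lineno, line in enumerate(ruleset.splitlines(), 1):
        section = classify(line)
        if section is None:
            continue
        rank = SECTION_ORDER.index(section)
        if rank < highest:
            violations.append((lineno, section, line.strip()))
        highest = max(highest, rank)
    return violations


def reorder(ruleset):
    """Stable-sort the rules into pfctl's section order, dropping blank and
    comment-only lines.  Macros, tables and unknown lines move to the top;
    rules within a section keep their relative order, which preserves pf's
    last-match semantics inside the filter section."""
    def rank(line):
        section = classify(line)
        return -1 if section is None else SECTION_ORDER.index(section)

    lines = [l for l in ruleset.splitlines() if l.split("#", 1)[0].strip()]
    return "\n".join(sorted(lines, key=rank)) + "\n"


# Constructed sample input: an excerpt of the pasted ruleset, original order.
SAMPLE = """\
ext_if = "em0"
set fingerprints "/etc/pf.os"
scrub in on $ext_if all fragment reassemble
block all
set skip on lo0
antispoof for $ext_if inet

icmp_types = "{ echoreq, unreach }"

block in quick on $ext_if proto tcp flags SF/SF
block in log quick on $ext_if from any os "NMAP" to any label NMAPScan
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state
pass in on $ext_if proto tcp from any to any port ssh flags S/SA synproxy state
pass in inet proto icmp all icmp-type $icmp_types keep state

table <sshguard> persist
block in quick on $ext_if proto tcp from <sshguard> to any port 22 label "ssh bruteforce"

anchor "emerging-threats"
load anchor "emerging-threats" from "/etc/emerging-PF-ALL.rules"
"""

if __name__ == "__main__":
    for lineno, section, text in check_order(SAMPLE):
        print("line %d: %s rule after a later section: %s" % (lineno, section, text))
    print(reorder(SAMPLE))
```

Run as a script it reports line 5 of the excerpt (`set skip on lo0`) and prints the sorted ruleset; the real check on the host is still `pfctl -nf /etc/pf.conf`, which parses without loading and reports the same ordering error, so this linter is useful mainly for catching the problem in review before the file reaches the machine.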