  1. ext_if="em0" # replace with actual external interface name i.e., dc0
  2. extmail="88.212.205.9"
  3. mailtrap="88.212.205.8"
  4. mysql="88.212.204.52"
  5. postgres="88.212.205.9"
  6. tacchat="88.212.205.4"
  7. devel="88.212.205.4"
  8. main="88.212.205.9"
  9. clients_mail="$clients_mail"
  10. table <devel> { $devel, 88.212.205.14 }
  11. table <mail> { $extmail, $mailtrap, 88.212.205.2 }
  12. table <users> { 88.212.205.6, 88.212.205.7 }
  13. table <infotel> const { 195.170.192.0/19, 213.165.192.0/19 }
  14. table <galaxy> const { 148.251.68.252/32 }
  15. table <me> const { 88.212.204.48/28, 88.212.205.0/28 }
  16. table <test_ddos> persist
  17. table <bot> persist
  18.  
  19. table <sshguard> persist
  20. table <totalblock> persist
  21. # Options: tune the behavior of pf, default values are given.
  22. #set timeout { interval 10, frag 30 }
  23. #set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
  24. #set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
  25. #set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
  26. #set timeout { icmp.first 20, icmp.error 10 }
  27. #set timeout { other.first 60, other.single 30, other.multiple 60 }
  28. #set timeout { adaptive.start 0, adaptive.end 0 }
  29.  
  30. set limit { states 50000, frags 20000, src-nodes 20000 }
  31. set limit table-entries 200000
  32. set skip on lo0
  33. set skip on epair2a
  34. set skip on bridge0
  35. set skip on bridge1
  36. #set loginterface none
  37. #set optimization normal
  38. set block-policy return
  39. #set require-order yes
  40. #set fingerprints "/etc/pf.os"
  41. scrub in all
  42.  
  43. table <zombie> file "/etc/pf/zombie" persist
  44.  
  45. table <spamd> persist
  46. table <spamd-white> persist
  47. table <spamd-mywhite> persist file "/usr/local/etc/spamd/mywhite"
  48.  
  49. # Filtering: the implicit first two rules are
  50. #pass in all
  51. #pass out all
  52.  
  53. no rdr on { lo0, lo1 } from any to any
  54. no rdr inet proto tcp from { 88.212.204.48/28, 88.212.205.0/28} to {88.212.204.48/28, 88.212.205.0/28}
  55. no rdr on $ext_if inet proto tcp from <zombie> to any
  56. nat on $ext_if inet from 172.16.145.0/24 to any -> $devel
  57. nat on $ext_if inet from 10.145.1.13/32 to any -> ($ext_if)
  58. nat on $ext_if inet from 10.0.0.0/8 to !<me> -> ($ext_if:0)
  59. rdr pass on $ext_if inet proto tcp from <spamd-white> to <mail> port smtp -> $extmail port smtp
  60. rdr pass on $ext_if inet proto tcp from <spamd> to <mail> port smtp -> 127.0.0.1 port spamd
  61. rdr pass on $ext_if inet proto tcp from !<spamd-mywhite> to <mail> port smtp -> 127.0.0.1 port spamd
  62. rdr pass on $ext_if inet proto tcp from any to $main port 4443 -> 91.238.120.141 port 443
  63. #block in log on $ext_if proto tcp from ! <russia> to $main port 80
  64.  
  65. pass quick on lo0
  66. pass in quick on $ext_if to $devel
  67. pass in on $ext_if from 195.170.218.45
  68. pass in quick on $ext_if proto tcp from { 88.212.205.7, 88.212.205.12 } to ($ext_if) port smtp keep state
  69. pass in quick on $ext_if proto tcp to { 88.212.205.2 } port submission keep state
  70. block in log on $ext_if
  71. pass out
  72. pass in proto udp to port { domain, ntp, openvpn }
  73. pass in on $ext_if proto tcp to port { domain, ftp, ftp-data, ssh, smtp, http, https, submission, pop3, pop3s, imap, imaps, openvpn, 4949, 3128, 1080, 4443, 3000, pptp }
  74. pass in on $ext_if proto tcp to <devel> port 3000:3100
  75. pass in on $ext_if proto tcp to <devel> port 8000:8100
  76.  
  77. pass in on $ext_if proto tcp to $mysql port mysql
  78. pass in on $ext_if proto tcp to $postgres port postgresql
  79.  
  80. block drop in log quick from <sshguard>
  81.  
  82. block log on $ext_if from <totalblock>
  83.  
  84. block drop in quick on $ext_if proto tcp from <zombie> to <mail> port smtp
  85. block drop in quick on $ext_if proto tcp from <zombie> to <mail> port submission
  86. block in log quick on $ext_if proto tcp from <sshguard> to any port 22 label "ssh sshguard"
  87.  
  88. pass in on $ext_if inet proto tcp from any to <mail> port smtp flags S/SA keep state
  89. pass out on $ext_if inet proto tcp from 88.212.205.2 to any port smtp flags S/SA keep state
  90. pass in on $ext_if inet proto tcp from any to ($ext_if) port http flags S/SA
  91.  
  92. block out quick log proto tcp from 88.212.205.5 to any port { 80, 5567 } user 11068
  93. block out quick log on $ext_if proto tcp from <users> to any port smtp flags S/SA
  94. block in quick log on $ext_if proto tcp from any to <users> port > 20000 flags S/SA
  95. block out quick log on $ext_if proto tcp from <users> to any port > 1024 user 10657 flags S/SA
  96.  
  97. block out log on $ext_if proto tcp from 88.212.205.12 to any port smtp
  98. block in log on $ext_if proto tcp to any port { 5433, 11211 }
  99. block in log on $ext_if proto tcp to { 88.212.205.6, 88.212.205.5 } port mysql
  100. block in log on $ext_if proto tcp to port 9000:10000
  101. block in log on $ext_if proto tcp to any port { 25672, 5672, 10024, 783, 6379 }
  102. block in log on $ext_if proto udp to any port 59721
  103. block in log on $ext_if proto { tcp, udp } to any port 1080
  104.  
  105. pass in from <infotel>
  106. pass in from <me>
  107. pass in from <galaxy>
  108.  
  109. pass in on $ext_if proto icmp
  110.  
  111. pass in proto { tcp, udp } to port 4569
  112. pass in on $ext_if from 195.170.218.45
  113. pass in on $ext_if to $clients_mail
  114. pass in on $ext_if proto tcp to $tacchat port ircd
  115. pass in on $ext_if proto { tcp, udp } to port { 3478, 3479 }
  116. pass in on $ext_if proto udp to port 49152:65535
  117. pass in on $ext_if from 109.252.33.32
  118. pass in on $ext_if proto { tcp, udp } to $main port { 138, 139, 445 }
  119. pass in on $ext_if from 91.232.135.246
  120. pass in on $ext_if proto tcp to $devel port { http, https, 5173 }
  121. # rabbitmq
  122. block in on $ext_if proto tcp to port { 4369, 25672 }
  123.  