
Untitled

a guest
Mar 15th, 2017
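  # pf.conf: default-deny policy with logging, a short list of permitted
  # services, and connection-rate limiting on inbound SSH.

  # Macros

  ext_if       = "bge0"
  lan_net      = "192.168.0.0/24"         # NOTE(review): not referenced by any rule below
  # NOTE(review): ntp is normally UDP/123; listing it here only opens TCP/123.
  # If NTP traffic is meant to pass, it probably belongs in udp_services (confirm).
  tcp_services = "{ ssh www https ipp ntp }"
  udp_services = "{ ipp }"
  icmp_types   = "{ echoreq unreach }"

  # Tables

  # NOTE(review): <rfc1918> is defined but not referenced by any rule below.
  table <rfc1918> const { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }
  # Filled by the "overload" option on the SSH rule. pf does not age entries
  # out on its own; expire them periodically (for example from cron with
  # "pfctl -t ssh_abuse -T expire 86400") so a stale entry is not a permanent ban.
  table <ssh_abuse> persist

  # Options

  set block-policy drop                   # drop silently: no TCP RST / ICMP unreachable is sent
  set loginterface $ext_if                # collect packet and byte statistics on this interface
  set skip on lo0                         # loopback traffic is not filtered

  # Filter Rules

  # Default deny in both directions, logged. Non-quick, so later matching
  # pass rules override it.
  block log all

  # Drop everything from sources that tripped the SSH limits. This rule is
  # not logged, unlike the other block rules.
  block quick from <ssh_abuse>

  # Reject packets that claim a source address belonging to $ext_if's network
  # but arrive elsewhere, and packets whose source fails the reverse-path check.
  antispoof log quick for  $ext_if
  block in  log quick from urpf-failed

  # These rules name no direction or interface, so they match inbound and
  # outbound traffic alike. They are also the only rules that allow outbound
  # connections: DNS and UDP NTP from this host fall through to the default
  # block. NOTE(review): confirm that is intended.
  pass inet proto tcp to port $tcp_services keep state
  pass inet proto udp to port $udp_services keep state

  pass log inet proto icmp icmp-type $icmp_types

  # Rate-limit SSH per source: at most 15 simultaneous connections and 15 new
  # connections per 5 seconds. Offenders go into <ssh_abuse> and "flush global"
  # kills all of their existing states, not only the SSH ones.
  #
  # Restricted to inbound ("in"): without a direction the rule also tracked this
  # host's own outbound SSH sessions, so a burst of outgoing connections could
  # put the host's own address into <ssh_abuse> and cut off all of its traffic.
  # Outbound SSH is still passed by the $tcp_services rule above.
  #
  # No address family is given, so this rule matches IPv6 as well as IPv4,
  # unlike the inet-only rules above.
  pass in quick proto tcp from any to any port ssh flags S/SA keep state \
          (max-src-conn 15, max-src-conn-rate 15/5, overload <ssh_abuse> flush global)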