
Untitled

a guest
Jan 17th, 2020
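  # pf.conf: default-deny inbound policy for a host that serves TCP game ports
  # on $ext_if. The zero values in <trusted_hosts> and service_ports look like
  # redacted placeholders; replace them with real addresses/ports and
  # syntax-check the file with `pfctl -nf <this file>` before loading it.

  ext_if="vtnet0"
  # ext_if2="vtnet1"

  # Hard limits on pf's memory pools (state entries, fragments, source-tracking
  # nodes, table addresses).
  # NOTE(review): pf.conf(5) on some releases documents a table-entries default
  # of 200000, in which case this value lowers it. Confirm on the target
  # system, since the country lists below are loaded into a table.
  set limit { states 100000, frags 100000, src-nodes 100000, table-entries 100000 }

  game_ports="{ 17320, 17422, 17534, 17676, 17478, 17580, 17682, 17784, 17886, 17988, 20000, 20001, 20002, 20003, 20004, 20005, 21000, 21001, 21002, 21003, 21004, 21005, 22000, 22001, 22002, 22003, 22004, 22005, 23000, 23001, 23002, 23003, 23004, 23005, 24000, 24001, 24002, 24003, 24004, 24005, 25000, 25001, 25002, 25003, 25004, 25005, 31000, 31001 }"
  # Placeholder: list the real service ports here (see header note).
  service_ports="{ 0 }"

  # const: the table cannot be modified with pfctl once loaded, so the
  # allow-list can only change through an edit of this file plus a reload.
  table <trusted_hosts> const { 0, 0, 0 }
  # persist: the kernel keeps the table even while no rule references it.
  # Filled at runtime by the overload option on the pass rules at the bottom.
  # Nothing in this file ages entries out; if bans should be temporary, run
  # `pfctl -t abusive_hosts -T expire <seconds>` periodically (e.g. from cron).
  table <abusive_hosts> persist
  # Per-country prefix lists. The files are read only when the ruleset is
  # loaded, so updating a list requires a reload or
  # `pfctl -t country_block -T replace -f <file>`.
  # NOTE(review): a missing or unreadable file is expected to make the load
  # fail; verify, and keep the files writable by root only, because whoever
  # can edit them controls who is blocked.
  table <country_block> persist \
  file "/root/country_block/cn.txt" \
  file "/root/country_block/id.txt" \
  file "/root/country_block/in.txt" \
  file "/root/country_block/ph.txt" \
  file "/root/country_block/th.txt" \
  file "/root/country_block/vn.txt"

  # options
  # Blocked packets are dropped silently (no TCP RST / ICMP unreachable).
  set block-policy drop
  # Collects byte/packet statistics for this interface; this is not packet
  # logging.
  set loginterface $ext_if
  # No filtering at all on loopback.
  set skip on lo

  # Normalisation on the external interface: stateful TCP normalisation, clear
  # the don't-fragment bit, and randomise the IP identification field.
  scrub on $ext_if reassemble tcp no-df random-id

  # Drop packets that claim a source address belonging to these interfaces'
  # networks but arrive on a different interface.
  antispoof quick for { lo0 $ext_if}
  #antispoof quick for { lo0 $ext_if $ext_if2}

  # Default deny for everything inbound; the pass rules below open exceptions.
  # No `log` keyword is set, so dropped packets are not recorded via pflog.
  # Consider `block in log` if the drops should be reviewable.
  # NOTE(review): the only ICMP rule below is IPv4 (`inet`), so inbound ICMPv6,
  # including neighbour discovery, is dropped here. Add an explicit icmp6 rule
  # if the host is meant to be reachable over IPv6.
  block in

  # Outbound is unrestricted. The last matching rule wins, so traffic leaving
  # $ext_if gets `modulate state` (randomised TCP initial sequence numbers) and
  # any other interface falls back to plain `keep state`.
  pass out all keep state
  pass out on $ext_if all modulate state

  # `quick` stops evaluation at the first match, so order matters: trusted
  # sources are accepted before either block table is consulted and are never
  # subject to the connection limits below.
  # This rule admits every protocol and port on every interface. The check is
  # on source address only, which does not authenticate the peer for
  # connectionless protocols, so keep the list short and specific.
  pass in quick from <trusted_hosts>
  block in quick from <abusive_hosts>
  block in quick from <country_block>

  # Allow IPv4 ping (echo request) only.
  pass in inet proto icmp all icmp-type echoreq

  # Game ports: only an initial SYN (flags S/SA) may create state. Per source
  # address: at most 30 established connections and 15 new connections per
  # 5 seconds. A source that exceeds either limit is added to <abusive_hosts>.
  # Changed from `flush` to `flush global`: plain `flush` kills only the states
  # created by this one rule, leaving the offender's states from other rules
  # alive even though new connections are already blocked by
  # `block in quick from <abusive_hosts>`.
  pass in on $ext_if proto tcp to any port $game_ports flags S/SA keep state \
  (max-src-conn 30, max-src-conn-rate 15/5, overload <abusive_hosts> flush global)

  # Service ports: same scheme with a rate limit of 25 new connections per
  # 3 seconds.
  pass in on $ext_if proto tcp to any port $service_ports flags S/SA keep state \
  (max-src-conn 30, max-src-conn-rate 25/3, overload <abusive_hosts> flush global)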