hbasria · November 21, 2020 19:32
diff --git a/pf.conf b/pf.conf
 ext_if="vtnet0"

 icmp_types = "{ echoreq unreach }"

 table <bruteforce> persist

 table <rfc6890> { 0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16          \
                  172.16.0.0/12 192.0.0.0/24 192.0.0.0/29 192.0.2.0/24 192.88.99.0/24    \
                  192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 203.0.113.0/24            \
                  240.0.0.0/4 255.255.255.255/32 }

 set skip on lo0

 scrub in all fragment reassemble max-mss 1440

 antispoof quick for $ext_if

 block in quick on $ext_if from <rfc6890>

 block return out quick on egress to <rfc6890>

 block all

 pass in on $ext_if proto tcp to port { 22 } \
    keep state (max-src-conn 15, max-src-conn-rate 3/1, \
        overload <bruteforce> flush global)

 pass out proto { tcp udp } to port { 22 53 80 123 443 }

 pass out inet proto icmp icmp-type $icmp_types
	ext_if="vtnet0"

	icmp_types = "{ echoreq unreach }"

	table <bruteforce> persist

	table <rfc6890> { 0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16 \
	172.16.0.0/12 192.0.0.0/24 192.0.0.0/29 192.0.2.0/24 192.88.99.0/24 \
	192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 203.0.113.0/24 \
	240.0.0.0/4 255.255.255.255/32 }

	set skip on lo0

	scrub in all fragment reassemble max-mss 1440

	antispoof quick for $ext_if

	block in quick on $ext_if from <rfc6890>

	block return out quick on egress to <rfc6890>

	block all

	pass in on $ext_if proto tcp to port { 22 } \
	keep state (max-src-conn 15, max-src-conn-rate 3/1, \
	overload <bruteforce> flush global)

	pass out proto { tcp udp } to port { 22 53 80 123 443 }

	pass out inet proto icmp icmp-type $icmp_types