FreeBSD firewall (pf) sample file
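# vim: set ft=pf
# /etc/pf.conf -- sample FreeBSD pf ruleset for a small host running OpenVPN
# (with NAT for its clients), SSH, ZNC and shadowsocks.
# Required order: options, queueing, translation and filtering.
#
# Policy summary:
#   * default deny in both directions; only the services below are reachable
#   * SSH is rate-limited and offenders are collected in <bruteforce>
#   * ZNC and shadowsocks are reachable only from $trusted_hosts
#   * OpenVPN clients are NATed out $ext_if and, because forwarded packets are
#     filtered again on egress, may only use the same outbound service set as
#     the host itself ($int_tcp_services, $int_udp_services, $icmp_types)

ext_if="vtnet0"
# default openvpn settings for the client network (must match the "server"
# directive of the OpenVPN configuration)
openvpn_clients = "10.8.0.0/24"
# put your tunnel interface here, it is usually tun0
int_vpn = "tun0"
# OpenVPN by default runs on udp port 1194
openvpn_udp = "{ 1194 }"
# Hosts allowed to reach ZNC and shadowsocks. These are RFC 5737 documentation
# addresses -- replace them with your real admin/client IPs.
trusted_hosts = "{ 192.0.2.1, 203.0.113.254 }"
# Outbound services the host (and NATed VPN clients) may reach. Outbound ssh is
# deliberately absent; add 22 here if the host itself needs to ssh out.
int_tcp_services = "{ domain, ntp, smtp, www, https, ftp, 6697, 5222 }"
int_udp_services = "{ domain, ntp }"
icmp_types = "{ echoreq, unreach }"

# Options
set skip on lo
set loginterface $ext_if

# Normalization
scrub in all random-id fragment reassemble no-df

# Translation: NAT OpenVPN clients out the external interface (IPv4 only)
nat on $ext_if inet from $openvpn_clients to any -> $ext_if

# Filtering: default deny. Blocked inbound TCP/UDP is answered (RST / ICMP
# unreachable) and logged; use "block drop in log all" instead if you prefer
# not to answer scanners at all. Outbound is dropped silently (default policy).
block return in log all
block out all
antispoof quick for $ext_if

# Block rapid-fire brute force attempts. Entries are added by the overload
# option of the SSH rule below and never expire on their own -- purge them
# periodically, e.g. from cron:  pfctl -t bruteforce -T expire 86400
# Logged so that overload events are visible on pflog.
table <bruteforce> persist
block log quick from <bruteforce>

# ftp-proxy needs to have an anchor
anchor "ftp-proxy/*"

# SSH is listening on port 22. At most 15 concurrent connections per source and
# 5 new connections per 3 seconds; exceeding either adds the source address to
# <bruteforce> and flushes all of its existing states. Matches on any
# interface (including $int_vpn), so VPN clients are rate-limited too.
pass in quick proto tcp to $ext_if port 22 keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)

# ZNC, inbound on the external interface from trusted hosts only
pass in on $ext_if proto tcp from $trusted_hosts to $ext_if port 5000
# shadowsocks, inbound on the external interface from trusted hosts only
pass in on $ext_if proto tcp from $trusted_hosts to $ext_if port 8388

# OpenVPN
pass in on $ext_if proto udp from any to $ext_if port $openvpn_udp
# Traffic arriving from VPN clients. Limited to the client subnet so that a
# client cannot inject packets with a foreign source address (and so that
# only traffic the nat rule above will translate is forwarded). Extend the
# source if you push additional subnets through the tunnel (iroute).
pass in on $int_vpn from $openvpn_clients to any

# Allow essential outgoing traffic. This also governs NATed VPN-client traffic
# on its way out $ext_if.
pass out quick on $ext_if proto tcp to any port $int_tcp_services
pass out quick on $ext_if proto udp to any port $int_udp_services
pass out quick on $ext_if inet proto icmp all icmp-type $icmp_types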