@kaworu
Created March 26, 2013 22:49
halp
# Macros
ext_if = re0            # external interface
loopback = lo0
jail_if = lo1           # cloned loopback interface carrying the jail addresses
jail_mail = 127.0.0.2   # address of the mail jail
ssh_port = 4222
icmp_types = "echoreq"

# Table of hosts banned by the overload option on the ssh rule
table <bans> persist

# Options
set optimization normal
set block-policy drop
set skip on { $loopback, $jail_if }

# Normalization
scrub in all random-id fragment reassemble

# Translation. pf applies rdr before filtering, so the filter rules below
# must allow the mail traffic to its translated destination, $jail_mail,
# not to $ext_if.
nat on $ext_if from $jail_mail -> ($ext_if)
rdr on $ext_if proto tcp from any to any port { smtp, smtps, imap, imaps, pop3, pop3s } -> $jail_mail

# Filtering
antispoof quick for { $loopback, $jail_if }
block in all
pass out all
block in quick on $ext_if from { <bans> }
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in inet6 proto icmp6 keep state
# ssh: everything after the '#' is a comment, so the connection-rate limiting
# and the overload into <bans> are currently inactive
pass in log on $ext_if proto tcp from any to $ext_if port $ssh_port # flags S/SA keep state (max-src-conn 10, max-src-conn-rate 20/60, overload <bans> flush global)
pass in on $ext_if proto {tcp, udp} from any to $ext_if port domain
pass in on $ext_if proto tcp from any to $ext_if port { ftp, ftp-data }
pass in on $ext_if proto tcp from any to $ext_if port { 10000:10100 }
pass in on $ext_if proto tcp from any to $ext_if port { http, https }
# Mail: the destination has already been rewritten to $jail_mail by the rdr
# rule above, so matching on $ext_if here would never pass this traffic
pass in on $ext_if proto tcp from any to $jail_mail port { smtp, smtps, imap, imaps, pop3, pop3s }