pf.conf

loopback    = lo0
ext_if      = re0
ext_ipv4    = 91.121.10.176
ext_ipv6    = 2001:41d0:1:5db0::1
ext_ip      = "{" $ext_ipv4 $ext_ipv6 "}"

table <pf_ssh_abuse> persist
table <pf_http_abuse> persist
table <fail2ban> persist
table <fail2ban_ssh> persist
table <fail2ban_www> persist
table <fail2ban_mail> persist

set optimization normal
set block-policy drop
set skip on $loopback

scrub in all random-id fragment reassemble

antispoof quick for $loopback

block in all
pass out all

block in quick on $ext_if from <fail2ban>

# ping
pass proto { icmp icmp6 }

# DNS
pass in on $ext_if proto {tcp, udp} from any to $ext_ip port domain

# SSH
pass  in on $ext_if proto tcp from any to $ext_ip port ssh # flags S/SA keep state (max-src-conn-rate 3/10, overload <pf_ssh_abuse> flush global)
block in on $ext_if proto tcp from { <pf_ssh_abuse> <fail2ban_ssh> } to port ssh

# www
pass  in on $ext_if proto tcp from any to $ext_ip port { http https } # flags S/SA keep state (max-src-conn 100, max-src-conn-rate 20/5, overload <pf_http_abuse> flush)
block in on $ext_if proto tcp from { <pf_http_abuse> <fail2ban_www> } to port { http https }

# mail
pass  in on $ext_if proto tcp from any to $ext_ip port { smtp smtps }
pass  in on $ext_if proto tcp from any to $ext_ip port { imap imaps }
#pass  in on $ext_if proto tcp from any to $ext_ip port { pop3 pop3s }
pass  in on $ext_if proto tcp from any to $ext_ip port sieve
block in on $ext_if proto tcp from <fail2ban_mail> to port { smtp smtps imap imaps pop3 pop3s sieve }