# fork.freebsd.cx
# pf.conf
# nick@dischord.org
# Last edited 09/08/2007 - nick

ext_if="fxp0"

fork="212.13.197.5"
services="212.13.197.6"
users="212.13.197.7"
dan="212.13.197.8"
twopoint="212.13.197.9"
ns2="212.13.197.10"
dischord="212.13.197.13"

# fork is *NOT* part of this table
table <jails> persist file "/etc/jails"

# Catch ssh brute-force attackers
table <bruteforce> persist

# Common stuff
tcp_ports="{ smtp, http, https }"
udp_ports="{ domain }"

set loginterface $ext_if
set optimization normal
set block-policy drop
set require-order yes
set fingerprints "/etc/pf.os"

set skip on lo

# Applicable to all
scrub in all
block in log all
block quick from <bruteforce>
pass out keep state

# Standard rules
pass in on $ext_if inet proto tcp from any to <jails> port $tcp_ports \
	flags S/SA keep state

# ssh specific stuff
pass in on $ext_if inet proto tcp from any to { $fork, <jails> } port ssh \
	flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/40, \
	overload <bruteforce> flush global)

# Stuff that should only be running on services
pass in on $ext_if inet proto tcp from any to $services \
	port { imap, imaps, pop3, pop3s } flags S/SA keep state

# DNS on services (resolver) and ns2 (authority)
pass in on $ext_if inet proto tcp from any to { $services, $ns2 } port domain \
	flags S/SA keep state
pass in on $ext_if inet proto udp from any to { $services, $ns2 } port domain

# irssiproxy running on dischord.org
pass in on $ext_if inet proto tcp from any to $dischord port 7020 \
	flags S/SA keep state

# bitlbee on services
pass in on $ext_if inet proto tcp from any to $services port 7667 \
	flags S/SA keep state

# ftp explicit to users
pass in on $ext_if inet proto tcp from any to $users port { ftp-data, ftp } \
	flags S/SA keep state
pass in on $ext_if inet proto tcp from any to $users port 15001:19999