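# pf.conf -- packet-filter ruleset for a mail/web host.
# The interface name (vtnet0), the /usr/local/etc path and the "rdr pass"
# syntax suggest FreeBSD pf; confirm against the target host before loading.
# Translation (rdr) rules are evaluated before the filter rules below, and
# "quick" stops evaluation at the first matching filter rule.

## Set public interface ##
ext_if="vtnet0"

## set and drop IP ranges on the public interface ##
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
              10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
              0.0.0.0/8, 240.0.0.0/4 }"

# NOTE(review): the three table names were lost when this file was extracted
# (pf writes table names in angle brackets, which the extraction stripped).
# The FIXME placeholders must be replaced with the real names before this
# ruleset is loaded; `pfctl -nf` will reject the file until then.
table <FIXME_SPAMD_ALLOWLIST_TABLE> persist
table <FIXME_SECOND_TABLE> persist
# Allowed webmail services
table <FIXME_WEBMAIL_TABLE> persist file "/usr/local/etc/pf.webmail.ip.conf"

## Skip loop back interface - Skip all PF processing on interface ##
set skip on lo

## Sets the interface for which PF should gather statistics such as bytes in/out and packets passed/blocked ##
set loginterface $ext_if

# Deal with attacks based on incorrect handling of packet fragments
scrub in all

# Pass spamd allow list
# "rdr" added: "->" is only valid in translation rules (rdr/nat), so a plain
# "pass" rule with "->" is a syntax error; this now matches the two rdr rules below.
rdr pass quick log on $ext_if inet proto tcp from <FIXME_SPAMD_ALLOWLIST_TABLE> to $ext_if port smtp \
    -> 127.0.0.1 port 25

# Pass webmail servers
rdr pass quick log on $ext_if inet proto tcp from <FIXME_WEBMAIL_TABLE> to $ext_if port smtp \
    -> 127.0.0.1 port 25

# pass submission messages.
pass quick log on $ext_if inet proto tcp from any to $ext_if port submission modulate state

# Pass unknown mail to spamd
# NOTE(review): the negated table is presumably the same allowlist used above
# (senders not on the allowlist are handed to spamd on 8025) -- confirm.
rdr pass log on $ext_if inet proto tcp from {!<FIXME_SPAMD_ALLOWLIST_TABLE>} to $ext_if port smtp \
    -> 127.0.0.1 port 8025

## Blocking spoofed packets
antispoof quick for $ext_if

## Set default policy ##
# Default deny in both directions; inbound blocks are logged and answered
# with a reset/unreachable ("return"), outbound blocks are silently dropped.
block return in log all
block out all

# Drop all Non-Routable Addresses
block drop in quick on $ext_if from $martians to any
block drop out quick on $ext_if from any to $martians

# SSH is accepted from any source; pf's max-src-conn-rate / overload options
# are the usual way to add brute-force rate limiting here if wanted.
pass in inet proto tcp to $ext_if port ssh

# Allow Ping-Pong stuff. Be a good sysadmin
pass inet proto icmp icmp-type echoreq

# Open up imap/pop3 support
pass quick on $ext_if proto tcp from any to any port {imap, imaps, pop3, pop3s} modulate state

# Allow outgoing traffic
pass out on $ext_if proto tcp from any to any modulate state
pass out on $ext_if proto udp from any to any keep state

# No direction is given, so this passes port 80 both inbound and outbound on $ext_if.
pass quick on $ext_if from any to any port http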