path: root/usr/local/etc/pf.conf

## Set public interface ##
ext_if="vtnet0"

## set and drop IP ranges on the public interface ##
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
	    10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
	    0.0.0.0/8, 240.0.0.0/4 }"

table <spamd> persist
table <spamd-allow> persist

# Allowed webmail services
#table <webmail> persist file "/usr/local/etc/pf.webmail.ip.conf"

## Skip loop back interface - Skip all PF processing on interface ##
set skip on lo

## Sets the interface for which PF should gather statistics such as bytes in/out and packets passed/blocked ##
set loginterface $ext_if

# Deal with attacks based on incorrect handling of packet fragments 
scrub in all


# Pass spamd allow list
rdr pass log on $ext_if inet proto tcp from <spamd-allow> to $ext_if port smtp \
	-> 127.0.0.1 port 25
# Pass webmail servers
rdr pass log on $ext_if inet proto tcp from <gmail> to $ext_if port smtp \
	-> 127.0.0.1 port 25
# pass submission messages.
pass quick log on $ext_if inet proto tcp from any to $ext_if port submission modulate state
# Pass unknown mail to spamd
rdr pass log on $ext_if inet proto tcp from {!<spamd-allow> <spamd>} to $ext_if port smtp \
	    -> 127.0.0.1 port 8025

## Blocking spoofed packets
antispoof quick for $ext_if

## Set default policy ##
block return in log all
block out all

# Drop all Non-Routable Addresses 
block drop in quick on $ext_if from $martians to any
block drop out quick on $ext_if from any to $martians

pass in inet proto tcp to $ext_if port ssh

# Allow Ping-Pong stuff. Be a good sysadmin 
pass inet proto icmp icmp-type echoreq

# Open up imap/pop3 support
pass quick on $ext_if proto tcp from any to any port {imap, imaps, pop3, pop3s} modulate state


# Allow outgoing traffic
pass out on $ext_if proto tcp from any to any modulate state
pass out on $ext_if proto udp from any to any keep state
#pass quick on $ext_if from any to any port http