# pf(4) ruleset for a home gateway: IPv4 NAT on $ext_if, an IPv6 tunnel on
# $gif_if, and a bridged LAN on $int_if. pf uses last-match semantics and no
# rule below carries "quick", so ordering is significant: the later a rule,
# the higher its precedence (antispoof at the bottom overrides every pass).
ext_if  = "vr0"
int_if  = "bridge0"
gif_if  = "gif0"

# $int_if:network:0 = the network(s) directly attached to bridge0, aliases excluded.
localnet    = $int_if:network:0
# LAN hosts, each given as its IPv4 and IPv6 address; used as rdr targets below.
shen        = "{ 192.168.0.2, 2001:470:1f15:7bf:dead:c0de::2 }"       # laptop
aldo        = "{ 192.168.0.20, 2001:470:1f15:7bf:dead:c0de::20 }" # named
build       = "{ 192.168.0.21, 2001:470:1f15:7bf:dead:c0de::21 }"    # build ports
banach      = "{ 192.168.0.22, 2001:470:1f15:7bf:dead:c0de::22 }"   # varnishd / nginx
cantor      = "{ 192.168.0.23, 2001:470:1f15:7bf:dead:c0de::23 }"   # www python/ruby
gauss       = "{ 192.168.0.24, 2001:470:1f15:7bf:dead:c0de::24 }"    # www php
picard      = "{ 192.168.0.25, 2001:470:1f15:7bf:dead:c0de::25 }"   # mail
riemann     = "{ 192.168.0.26, 2001:470:1f15:7bf:dead:c0de::26 }"  # irc
fermat      = "{ 192.168.0.27, 2001:470:1f15:7bf:dead:c0de::27 }"   # git
camo        = "192.168.0.100"
gabon       = "192.168.0.101"
tun_end     = "216.66.84.46"   # remote end of the gif tunnel (proto 41 over IPv4)
fbx_tv      = "212.27.38.253"  # only source allowed for the TV rdr rules below

# LAN addresses minus the gateway's own bridge0 addresses (the "!$int_if" entry).
# Used by the tunnel rule at the bottom so that inbound IPv6 can reach LAN hosts
# but not the gateway itself.
table <local> const { $localnet, !$int_if }

# Blocked packets get a TCP RST / ICMP unreachable instead of a silent drop;
# friendlier for LAN clients, but it also confirms to outside probes that the
# address is live. Switch to "drop" if that matters more than fast failures.
set block-policy return
# These interfaces are not filtered at all: anything on wlan0, vr1 or vr2
# bypasses every rule in this file, including antispoof. Confirm that is intended.
set skip on { lo0 wlan0 vr1 vr2 }
set loginterface $ext_if
scrub in

nat on $ext_if from $localnet -> ($ext_if)

# Port forwards from the Internet to LAN services. "rdr pass" passes the
# redirected packets without evaluating the filter rules below, so they are
# neither subject to "block log all" nor logged by it; each forwarded port is
# therefore reachable from any source. DNS to $aldo is Internet-facing: make
# sure named does not recurse for outside clients (open-resolver risk).
rdr pass on $ext_if proto tcp to port { imaps pop3s 587 smtp smtps }    -> $picard
rdr pass on $ext_if proto tcp to port { http https }                    -> $banach
rdr pass on $ext_if proto tcp to port { 9418 ssh }                      -> $fermat
rdr pass on $ext_if proto tcp to port { ircd 6697 }                     -> $riemann
rdr pass on $ext_if proto { tcp udp } to port domain                    -> $aldo

# BitTorrent (listen ports, one per client host)
rdr pass on $ext_if proto { tcp udp } to port 51413 -> $shen
rdr pass on $ext_if proto { tcp udp } to port 51415 -> $gabon
rdr pass on $ext_if proto { tcp udp } to port 51416 -> $camo

# Freebox tv — unlike the forwards above, restricted to the $fbx_tv source.
rdr pass on $ext_if proto udp from $fbx_tv to port 31336 -> $shen
rdr pass on $ext_if proto udp from $fbx_tv to port 31330 -> $gabon
rdr pass on $ext_if proto udp from $fbx_tv to port 31332 -> $camo

# Default deny, logged (see "set loginterface" / pflog0).
block log all
# ICMP in both directions; the IPv6 list includes neighbour discovery, which
# the tunnel and the LAN need to function.
pass inet proto icmp all icmp-type { echoreq unreach }
pass inet6 proto icmp6 all icmp6-type { echoreq unreach timex toobig neighbrsol neighbradv }
# Any outbound TCP/UDP on any interface (gateway-originated and forwarded).
pass out proto { tcp udp } all

# LAN may reach anything except the gateway's own bridge0 address(es);
# services on the gateway must be opened explicitly below.
pass in on $int_if proto { tcp udp } from $localnet to !$int_if:0

# Gateway services offered to the LAN. Port 667 is not a well-known service
# name here — presumably a local daemon; confirm what listens on it.
pass in on $int_if proto udp to port { dhcpc dhcps domain ntp }
pass in on $int_if proto tcp to port { ssh 667 }
pass in on $int_if proto { tcp udp } to port ipp

# tunnelbroker: the generic "pass out" above covers only tcp/udp, so the
# encapsulated IPv6 traffic (any protocol) to the tunnel endpoint needs its own rule.
pass out on $ext_if from ($ext_if) to $tun_end
# NOTE(review): every TCP/UDP port of every <local> host is reachable from the
# Internet over the tunnel — there is no per-service list here comparable to
# the IPv4 rdr rules above. Confirm the LAN hosts' IPv6 exposure is intended,
# or restrict "to port" per host as done for IPv4.
pass in on $gif_if inet6 proto { tcp udp icmp6 } to <local>

# Last rule, so it takes precedence: drop packets arriving on the wrong
# interface for their source address. Interfaces under "set skip" are exempt.
antispoof for { $ext_if, $int_if }