pf.conf en OpenBSD 6.2

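# Macros: interface names and port lists reused by the rules below.
# NOTE(review): a bare $ext_if in a rule is resolved to the interface's
# addresses when the ruleset is loaded. If em0 gets its address dynamically,
# write ($ext_if) instead so pf follows address changes.
ext_if = "em0"
int_if = "em1"
# NOTE(review): no rule references icmp_types, so inbound echo requests on
# $ext_if fall through to "block in". If ping to the firewall is wanted, add:
#   pass in on $ext_if inet proto icmp icmp-type $icmp_types
icmp_types = "echoreq"
webports = "{ http, https }"
# 3306/tcp is the default MySQL port
sport = "{ 667, 3306 }"

# Sources that exceeded the SSH connection limits (filled by the "overload"
# option on the SSH rule). "persist" keeps the table even when no rule refers
# to it. Entries are never removed automatically; expire them periodically,
# e.g. from cron: pfctl -t bruteforce -T expire 86400
table <bruteforce> persist

# Skip all loopback traffic
set skip on lo

# Perform NAT on external interface
match out on $ext_if from $int_if:network to any nat-to $ext_if

# Default behavior: drop inbound, allow outbound (stateful)
block in
pass out keep state

# Protect against spoofing. Placed before the "pass quick" on $int_if so that
# no earlier quick rule can match a spoofed packet first.
antispoof quick for { lo $int_if }

# Allow traffic in both directions on the internal interface
pass quick on $int_if

# Drop everything from sources that were put in <bruteforce>. Without this
# rule the overload table is filled but never enforced. It must come before
# the quick pass rules below, because the first matching quick rule wins.
block in quick from <bruteforce>

# SSH is listening on port 22.
# Per source address: at most 15 simultaneous connections and at most 5 new
# connections per 3 seconds. A source exceeding either limit is added to
# <bruteforce> and all of its existing states are flushed.
pass in quick proto tcp to $ext_if port 22 keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)

# Webserver on the firewall itself (logged).
# The destination is pinned to $ext_if: a rule with only "to port ..." would
# also pass packets arriving on $ext_if that are forwarded to other hosts.
# This single rule replaces the earlier pair, one of which had no direction
# or interface and was already covered by "pass out" and this rule.
pass in quick log on $ext_if proto tcp to $ext_if port $webports

# Additional services on the firewall itself.
# NOTE(review): this exposes 3306/tcp (MySQL) to any source address. Database
# ports are normally limited to known clients; consider adding
# "from <PLACEHOLDER_client_table>" with a table you maintain, and "log".
pass in quick on $ext_if proto tcp to $ext_if port $sport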