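# pf.conf for a single-interface host (OpenBSD pf syntax).
# Evaluation is last-match-wins unless a rule carries "quick", which stops
# evaluation immediately; the "quick" block rules below therefore cannot be
# overridden by later pass rules.

# External interface that the address-specific rules are anchored to.
iface = "re0"

# Taken from /etc/services (names are resolved at load time).
tcp_services = "{ ssh, domain, http, https }"
udp_services = "{ domain }"

# Sources that must never arrive on the external interface: RFC 1918 private
# ranges plus the limited-broadcast address.
# NOTE(review): loopback (127.0.0.0/8) and link-local (169.254.0.0/16) are not
# listed, and "antispoof for $iface" only covers $iface's own networks -- confirm
# that is intended.
reserved_addr = "{ 10.0.0.0/8, 172.16.0.0/12, \
    192.168.0.0/16, 255.255.255.255/32 }"

# echoreq: ping. unreach: ICMP unreachable messages, which path-MTU discovery
# typically relies on.
icmp_types = "{ echoreq, unreach }"

# Loopback traffic is never filtered.
set skip on lo

# Normalise/reassemble inbound packets before any rule inspects them.
scrub in all

# Drop packets on $iface whose source claims to be one of $iface's own networks.
antispoof quick for $iface

# Default deny in both directions; every rule after this is an exception.
# NOTE(review): "block log all" would send the drops to pflog0 for visibility.
block all

# Block incoming packets from reserved addresses.
block in quick on $iface from $reserved_addr to any

# Table of sources that exceeded the SSH limits below; "persist" keeps it
# even when no rule references it.
# NOTE(review): the table name was lost when this file was rendered (the
# angle-bracketed identifier was stripped). <TABLE_NAME> is a placeholder --
# restore the original name, identically, in all three places it appears.
table <TABLE_NAME> persist
block quick from <TABLE_NAME>

# SSH to this host: a source may hold at most 5 concurrent connections and open
# at most 5 new ones per 15 s. Exceeding either limit adds the source to the
# table, and "flush global" tears down every state that source already holds,
# so the "block quick" above takes effect immediately.
pass in inet proto tcp from any to $iface port ssh keep state \
    (max-src-conn 5, max-src-conn-rate 5/15, \
     overload <TABLE_NAME> flush global)

# Allow ping (and the other $icmp_types) in both directions. No "on $iface",
# so this applies to every interface that is not skipped.
pass inet proto icmp all icmp-type $icmp_types keep state

# Allow traceroute: outbound UDP probes to the conventional port range.
# ">< " is exclusive on both ends, i.e. ports 33434-33625.
pass out on $iface inet proto udp from any to any port 33433 >< 33626 keep state

# Allow some outgoing packets: only the listed services, sourced from $iface's
# own address. Anything else outbound falls through to "block all".
pass out inet proto tcp from $iface to any port $tcp_services keep state
pass out inet proto udp from $iface to any port $udp_services keep state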