########################################################
ext_if = "msk0"
int_if = "fxp0"
loop_if = "lo0"
int_net = "{ 172.16.0.0/16 }"
ssh_nets = "{ ×××××/32 }"
# 不被路由的地址
NoRoute = "{ 127.0.0.1/8, 192.168.0.0/16, 10.0.0.0/8, 255.255.255.255/32 }"
# 封端口
deny_tcpport = "{ 135,137,138,139,445,554,593,1024><1030,1068,1080,1214,1363,1364,1368,1373,1433,1434,2000,2283,2535,2745,3120><3130,3140,3318,4242,4444,5554,4662,4661,6880><6889,6969,7000,8880><8899,9898,10000,10080,12345,16881,17300,27347,65506 }"
deny_udpport= "{ 13000><14000 }"
# 限制有病毒的机器
table <badip> persist
#######################################################################
### 选项 ###
#######################################################################
# 快速断开非活动状态的连接 - 减少内存消耗
#须放在set timeout之前,否则会导致timeout不生效
set optimization aggressive
# DSL连接的统计数据(pfctl -s info)
set loginterface $ext_if
#block的默认规则是drop,不再返回任何回应数据包,节省资源
set block-policy drop
# IP碎片重组
scrub in all
#########################################################################
### NAT 和转发 ###
#######################################################################
# 激活NAT
nat on $ext_if from $int_net to any -> $ext_if
#######################################################################
### 过滤规则 ###
#######################################################################
# 先是总的原则:挡住所有进入的数据包,出去的不管
block in on $ext_if all
block in quick from <badip>
pass in quick on $int_if inet proto tcp from any to $int_if flags S/SA keep state \
(max 50000, source-track rule, max-src-nodes 1000,max-src-states 50 \
max-src-conn 50, max-src-conn-rate 15/3, overload <batip> flush global)
# Loopback
pass in quick on $loop_if all
pass out quick on $loop_if all
block in quick on $ext_if proto tcp all flags SF/SFRA
block in quick on $ext_if proto tcp all flags SFUP/SFRAU
block in quick on $ext_if proto tcp all flags FPU/SFRAUP
block in quick on $ext_if proto tcp all flags /SFRA
block in quick on $ext_if proto tcp all flags F/SFRA
block in quick on $ext_if proto tcp all flags U/SFRAU
# 封端口
block in quick on $ext_if inet proto tcp from any to any port $deny_tcpport
block in quick on $ext_if inet proto udp from any to any port $deny_udpport
# 防止IP欺骗
block in log quick on $ext_if inet from $NoRoute to any
# ssh
pass in quick on $ext_if inet proto tcp from $ssh_nets to any port 22 flags S/SA keep state
block in quick on $ext_if inet proto tcp from any to any port 22
pass out quick on $ext_if inet proto { tcp, udp, icmp } all keep state
###############