pf.conf
# pf.conf - packet filter rules for a host that receives its public traffic
# over a tunnel ($TUN_IF) and hosts jails behind NAT. Written in the older
# pf syntax with separate rdr/nat translation rules; in pf the last matching
# rule wins unless it carries "quick".
#
# Macros: interface names and addresses used by the rules below.
EXT_IF="sis0"
INT_IF="rl0"
TUN_IF="tun0"
TUN_IP="172.23.254.6"
INT_IP="192.168.100.4"
# Address the local resolver listens on; target of the port 53/953 rdr rules.
DNS="127.0.0.1"

# Log on the tunnel interface; blocked packets are dropped silently
# (no RST / ICMP unreachable); normalise and reassemble all inbound traffic.
set loginterface $TUN_IF
set block-policy drop
scrub in all

# mail
# Translation (rdr) rules are evaluated first-match. Sources that tripped the
# SMTP overload limit (<smtpforce>) and sources listed in <spamd> are handed to
# the spamd tarpit on 8025; every other sender reaches the real MTA on port 25.
# NOTE(review): <spamd-white> is declared below but no rule in this file
# references it - confirm whether a whitelist bypass of the tarpit was intended.
rdr on $TUN_IF proto tcp from <smtpforce> to $TUN_IP port 25 -> 127.0.0.1 port 8025
rdr on $TUN_IF proto tcp from <spamd> to $TUN_IP port 25 -> 127.0.0.1 port 8025
rdr on $TUN_IF proto tcp from !<spamd> to $TUN_IP port 25 -> 127.0.0.1 port 25

# dns
# skip request from src port 25345 - isc.org ddos attack
# Excluded from translation, so the query keeps $TUN_IP as its destination;
# no pass rule below matches that destination, so "block all" drops it.
no rdr on $TUN_IF proto udp from any port 25345 to $TUN_IP port 53
#
rdr on $TUN_IF proto { tcp, udp } from any to $TUN_IP port 53 -> $DNS
rdr on $TUN_IF proto tcp from any to $TUN_IP port 953 -> $DNS

# http
rdr on $TUN_IF proto tcp from any to $TUN_IP port 80 -> 127.0.0.1 port 80

# https
rdr on $TUN_IF proto tcp from any to $TUN_IP port 443 -> 127.0.0.1 port 443

# nat jails
# The jail network 172.23.1.0/24 leaves $EXT_IF as $INT_IP; anything leaving
# $TUN_IF is masqueraded as $TUN_IP.
nat on $EXT_IF from 172.23.1.0/24 to any -> $INT_IP
nat on $TUN_IF from any to any -> $TUN_IP

#
# Drop packets that arrive on an interface with a source address belonging
# to one of this host's other networks.
# NOTE(review): $TUN_IF has no antispoof rule - confirm that is deliberate.
antispoof for $EXT_IF
antispoof for $INT_IF

#
# Tables. <bruteforce>, <webscan> and <smtpforce> are filled automatically by
# the "overload" clauses below; "persist" keeps them across rule reloads.
# NOTE(review): nothing in this file ages out overloaded entries - they stay
# until flushed, e.g. by a periodic "pfctl -t <table> -T expire <seconds>" job.
table <bruteforce> persist
table <webscan> persist
table <spamd> persist
table <smtpforce> persist
table <spamd-white> persist

### Filtering

#
# Default deny, both directions, every interface.
block all
# block junks
# Sources that tripped an overload limit are dropped on every interface and
# in both directions; "quick" stops further rule evaluation.
block quick from <bruteforce>
block quick from <webscan>

# Let all loopback traffic through
pass quick on lo0

# local ssh
# NOTE(review): unlike the tunnel SSH rule further down, this rule has no
# flags, connection limit or overload clause and relies on the implicit
# default state policy (version-dependent) - confirm it is only reachable
# from the LAN-facing path.
pass in on $EXT_IF proto tcp from any to 192.168.100.0/24 port 22

# Allow connections from this server
pass out on $EXT_IF proto { tcp, udp, icmp } from $EXT_IF:network to any keep state

#
# NOTE(review): bare "#" lines are used as section separators in this file;
# the collapsed original does not show whether this rule was commented out.
# It is the only "pass out" on $TUN_IF, so without it "block all" stops every
# packet leaving the tunnel that is not a reply on an existing state - confirm.
pass out on $TUN_IF proto icmp

# Allow icmp echo requests
# The first rule matches on every interface; the second is more specific
# (last match wins) and forces replies back out $TUN_IF via 172.23.254.1
# instead of the default route.
pass in inet proto icmp all icmp-type echoreq
pass in on $TUN_IF reply-to { ( $TUN_IF 172.23.254.1 ) } proto icmp from any to $TUN_IP icmp-type echoreq

# smtp - routed via tun interface
# Destinations are 127.0.0.1 because rdr has already rewritten them.
# State is created on the initial SYN only (flags S/SA); a source exceeding
# 9 concurrent connections or 9 new connections per 60 s is added to
# <smtpforce> and all of its states are killed ("flush global").
pass in on $TUN_IF reply-to { ( $TUN_IF 172.23.254.1 ) } proto tcp from any to 127.0.0.1 port 25 \
	flags S/SA keep state \
	(max-src-conn 9, max-src-conn-rate 9/60, \
	overload <smtpforce> flush global)
# spamd tarpit.
# NOTE(review): no flags/keep state or limits here, unlike the sibling rules
# - confirm whether that is intended.
pass in on $TUN_IF reply-to { ( $TUN_IF 172.23.254.1 ) } proto tcp from any to 127.0.0.1 port 8025

# ssh - routed via tun interface
# Not redirected, so the destination is $TUN_IP itself. More than 3
# concurrent or 3 new connections per 45 s from one source adds it to
# <bruteforce>, which the "block quick" rule above then drops everywhere.
pass in on $TUN_IF reply-to { ( $TUN_IF 172.23.254.1 ) } proto tcp from any to $TUN_IP port ssh \
	flags S/SA keep state \
	(max-src-conn 3, max-src-conn-rate 3/45, \
	overload <bruteforce> flush global)

# dns - routed via tun interface
# NOTE(review): port 953 (conventionally the BIND rndc control channel) is
# redirected and passed from any source - confirm this exposure is intended.
pass in on $TUN_IF reply-to { ( $TUN_IF 172.23.254.1 ) } proto { tcp, udp } from any to $DNS port 53 keep state
pass in on $TUN_IF reply-to { ( $TUN_IF 172.23.254.1 ) } proto tcp from any to $DNS port 953 keep state

# http - routed via tun interface
# Rate limit only (no concurrent-connection cap): more than 100 new
# connections in 10 s from one source adds it to <webscan>.
pass in on $TUN_IF reply-to { ( $TUN_IF 172.23.254.1 ) } proto tcp from any to 127.0.0.1 port 80 \
	flags S/SA keep state \
	(max-src-conn-rate 100/10, \
	overload <webscan> flush global)

# https - routed via tun interface
# Same limit as http; both feed the shared <webscan> table.
pass in on $TUN_IF reply-to { ( $TUN_IF 172.23.254.1 ) } proto tcp from any to 127.0.0.1 port 443 \
	flags S/SA keep state \
	(max-src-conn-rate 100/10, \
	overload <webscan> flush global)