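### screened.pf.conf -- firewall script for bastion host using pf(4)
### template by sp1r1t
###
### Policy: default-deny inbound (logged), stateful pass outbound,
### antispoof on the external interface.  Written in the legacy pf syntax
### (scrub / keep state) and in the section order `set require-order`
### expects: options, normalisation, filtering.  Remember that without
### `quick` the LAST matching rule wins.

#################################################
# macro definitions - adapt these to your needs #
#################################################

### interface on this box
my_if = "rl0"

### address assigned to the interface
### (not referenced by any rule below -- the rules use ($my_if), which
### follows the interface's live address; keep it only if you need it)
my_ad = "192.168.0.10"

###########
# options #
###########

# rules in this file should be in standard pf order
set require-order yes

### silently drop packets we don't want, don't even
### tell the sender they were blocked
set block-policy drop

### let pf(4) optimize the rules for speed
set optimization normal

### we don't want a log-only interface (statistics only; `block ... log`
### still goes to pflog0)
set loginterface none

### never filter loopback: `block in log all` below, and the block rules
### that antispoof expands to, would otherwise drop packets the host sends
### to its own address over lo0 (resolver, local daemons); pf.conf(5)
### documents this antispoof caveat
set skip on lo0

#################################
# packet normalisation via scrub#
#################################

### we want packets to be clean
scrub in all

### this is also true for outgoing ones
scrub out all

##########################
# packet filtering rules #
##########################

### block all inbound connections and log them.
### NOTE: there is no matching `block out`, so outbound traffic not covered
### by the pass rules below (e.g. inet6) falls through to pf's default
### pass policy without state
block in log all

### remove comments before the following rule to allow inbound ssh connections.
### Replace `any` with the address or network your administrators connect
### from.  The original template used `from ($my_if)`, i.e. packets claiming
### to come from this host's own address: that never matches a legitimate
### client and, being `quick`, would pass such spoofed packets ahead of the
### antispoof rule at the end of this file.
# pass in quick on $my_if inet proto tcp from any to ($my_if) port 22 \
#   flags S/SA synproxy state

### allow the host to initiate outbound connections.
### The first rule names no protocol, so it appears to create state for any
### IPv4 outbound packet (flags are only meaningful for TCP -- confirm on
### your pf version); the second is later and more specific, so it wins for
### TCP and asks pf to proxy the handshake (see synproxy state in pf.conf(5))
pass out on $my_if inet from ($my_if) to any flags S/SA keep state
pass out on $my_if inet proto tcp from ($my_if) to any flags S/SA synproxy state

### we do not like spoofed packets: drop inbound packets that claim an
### address of $my_if or its network but arrive on another interface
antispoof for $my_if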