/etc/pf.conf

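# See pf.conf(5) and /etc/examples/pf.conf
#
# Ruleset for a server filtering on its "egress" interface: default deny,
# block-list tables first, then rate-limited pass rules for ssh/web/mail.
# Rule order matters in pf: without "quick" the *last* matching rule wins,
# so the plain "block" below is overridden by the later "pass" rules.

## General configuration ##
http_ports = "{ www https }"            # http(s) ports (closing quote was missing;
                                        # currently unused, the web rules name www/https)
mail_ports = "{ submission imaps }"     # mail submission / IMAPS ports
tcp_pass = "{ domain }"                 # other open tcp ports
udp_pass = "{ domain }"                 # other open udp ports
set block-policy drop                   # drop silently (no RST / ICMP unreachable)
set skip on lo                          # no filtering on loopback
set limit table-entries 400000          # room for the block-zone files below
set limit states 100000

## Tables for brute-force offenders ##
# Filled by the "overload" options of the pass rules below. Entries do not
# expire by themselves; to age them out run something like
#   pfctl -t bruteforce -T expire 86400
# periodically (e.g. from cron).
table <bruteforce> persist
table <vilain_bruteforce> persist

# Antispam with greylisting (spamd(8))
table <nospamd> persist file "/etc/mail/nospamd"
table <spamd-white> persist
table <bgp-spamd-bypass> persist

# Block-zone tables, loaded from files when the ruleset is loaded
# (after updating the files, reload them with "pfctl -f /etc/pf.conf" or
# "pfctl -t <table> -T replace -f <file>").
table <t_badips> persist file "/var/blockzones/badips_ipv4"
table <t_badips6> persist file "/var/blockzones/badips_ipv6"
table <t_bogons> persist file "/var/blockzones/bogons_ipv4"
table <t_bogons6> persist file "/var/blockzones/bogons_ipv6"

## Packet handling ##
# Normalize fragments and TCP options
match all scrub (max-mss 1440 no-df random-id reassemble tcp)
antispoof quick for egress         # drop spoofed sources on the outside interface
antispoof quick for lo0            # drop spoofed loopback sources

# For relayd(8): rules it installs at runtime
anchor "relayd/*"

## The filtering rules ##
# Block everything by default, then keep evaluating the rules below
# (no "quick": a later matching pass rule overrides this block).
block

# Block listed IPs for good ("quick" stops evaluation),
# with a label to find them in the logs
block log quick from <bruteforce> label "brutes"
block log quick from <vilain_bruteforce>  label "vilain"

# Block-zones
block log quick from { <t_bogons>, <t_bogons6> } label "bogons"
block log quick from { <t_badips>, <t_badips6>} label "badips"

# Local NFS
# NOTE(review): this passes *every* protocol and port from 192.168.1.0/24 and,
# being "quick", bypasses the rate limits below. If only NFS is intended,
# restrict it to "proto { tcp udp } ... to port 2049" (nfsd) plus whatever
# mountd/rpcbind needs — confirm.
pass in quick on egress from 192.168.1.0/24

## Anti brute-force ##
### SSH
#### At most 15 simultaneous connections per source IP
#### At most 15 new connections per 5 seconds per source IP
#### (max-src-conn-rate is number/seconds, see pf.conf(5))
#### Offenders are added to <bruteforce> and all their states are flushed
pass in on egress proto tcp to port ssh modulate state \
  (max-src-conn 15, max-src-conn-rate 15/5, overload <bruteforce> flush global)

# Web, redirected to relayd
pass in on egress proto tcp to port www divert-to 127.0.0.1 port 8080 modulate state \
    (max-src-conn 100, max-src-conn-rate 25/60, overload <bruteforce> flush global)
# divert-to requires a local address, hence 127.0.0.1 (120.0.0.1 was a typo)
pass in on egress proto tcp to port https divert-to 127.0.0.1 port 8443 modulate state \
    (max-src-conn 100, max-src-conn-rate 25/60, overload <bruteforce> flush global)

# Mail
## Antispam
# NOTE(review): $mail_ports is "{ submission imaps }", so submission/IMAPS
# clients are the ones sent to spamd, while port smtp from non-whitelisted
# hosts only hits the default block. The usual spamd setup diverts "port smtp"
# here and passes $mail_ports straight to the mail server — confirm intent.
pass in on egress proto tcp to port $mail_ports modulate state \
  (max-src-conn-rate 10/5, overload <bruteforce> flush global) \
  divert-to 127.0.0.1 port spamd
pass in on egress proto tcp from <nospamd> to any port smtp
pass in log on egress proto tcp from <spamd-white> to any port smtp
pass in quick on egress proto tcp from <bgp-spamd-bypass> to port smtp
pass out log on egress proto tcp to any port smtp

# Allow ping — note this passes *all* ICMP/ICMPv6 types in both directions.
# "icmp-type echoreq" narrows IPv4 to ping; IPv6 also needs the
# neighbor-discovery types, so narrow ipv6-icmp with care.
pass quick inet6 proto ipv6-icmp all
pass quick inet proto icmp all

# Open the remaining ports
pass in quick on egress proto tcp to port $tcp_pass modulate state
pass in quick on egress proto udp to port $udp_pass

# Everything allowed outbound
pass out on egress proto { tcp udp icmp icmp6 } all modulate state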