# Global pf options: table/state limits and timeout behaviour.
set limit tables 3000
set limit table-entries 1200000
set optimization normal
# Adaptive timeouts are switched off (start 0 / end 0), so state timeouts do
# not shrink as the state table fills up.
set timeout { adaptive.start 0, adaptive.end 0 }
# NOTE(review): 4096 states is small next to the 1.2M table-entry limit above;
# once it is exhausted pf cannot create state for new connections — confirm
# it matches the expected concurrent-connection count.
set limit states 4096
set limit src-nodes 4096

# System aliases: interface macros referenced by the rules below.

loopback = "{ lo0 }"
WAN = "{ xl0 }"
LAN = "{ xl1 }"
# OpenVPN interface(s); used by the "Allow OpenVPN Clients to LAN" rule.
OpenVPN = "{ openvpn }"

# Lockout tables, populated at runtime by the SSH / webConfigurator lockout
# logic; "persist" keeps a table loaded even when no rule references it.
table <sshlockout> persist
table <webConfiguratorlockout> persist
# Snort tables: <snort2c> is blocked in both directions below, <virusprot>
# by the "virusprot overload table" rule.
table <snort2c>
table <virusprot>
# Bogon tables are loaded from files on disk. NOTE(review): no rule in this
# file references <bogons> or <bogonsv6>; they are only useful if an anchor
# applies them.
table <bogons> persist file "/etc/bogons"
table <bogonsv6> persist file "/etc/bogonsv6"
# NOTE(review): neither <vpn_networks> nor <negate_networks> is referenced by
# a visible rule; both currently hold the OpenVPN subnet.
table <vpn_networks> { 192.168.2.0/24 }
table <negate_networks> { 192.168.2.0/24 }

# User aliases.
# pfBlocker tables: their contents live in the files below and are refreshed
# outside this ruleset, so review those lists (not this file) to see which
# addresses are actually blocked.
table <pfBlockerEurope> persist file "/var/db/aliastables/pfBlockerEurope.txt"
pfBlockerEurope = "<pfBlockerEurope>"
table <pfBlockerBluetackLevel1> persist file "/var/db/aliastables/pfBlockerBluetackLevel1.txt"
pfBlockerBluetackLevel1 = "<pfBlockerBluetackLevel1>"
table <pfBlockerBluetackExclusions> persist file "/var/db/aliastables/pfBlockerBluetackExclusions.txt"
pfBlockerBluetackExclusions = "<pfBlockerBluetackExclusions>"
table <pfBlockerBluetackSpiders> persist file "/var/db/aliastables/pfBlockerBluetackSpiders.txt"
pfBlockerBluetackSpiders = "<pfBlockerBluetackSpiders>"
table <pfBlockerBluetackSpyware> persist file "/var/db/aliastables/pfBlockerBluetackSpyware.txt"
pfBlockerBluetackSpyware = "<pfBlockerBluetackSpyware>"
table <pfBlockerBluetackAdPorn> persist file "/var/db/aliastables/pfBlockerBluetackAdPorn.txt"
pfBlockerBluetackAdPorn = "<pfBlockerBluetackAdPorn>"
table <pfBlockerDshieldBlockLists> persist file "/var/db/aliastables/pfBlockerDshieldBlockLists.txt"
pfBlockerDshieldBlockLists = "<pfBlockerDshieldBlockLists>"
# NOTE(review): <pfBlockerEurope>, <pfBlockerBluetackExclusions> and
# <AllowList> are defined but not referenced by any rule in this file.
table <AllowList> persist
AllowList = "<AllowList>"
# Single-host tables for LAN devices and the port macros used by the NAT,
# redirect and queue rules below.
table <Belkin_AP> {   192.168.1.3 } 
Belkin_AP = "<Belkin_AP>"
table <BitTorrent_Host_IP> {   192.168.1.25 } 
BitTorrent_Host_IP = "<BitTorrent_Host_IP>"
BitTorrent_Port = "{   2020 }"
BitTorrent_WebUI_Port = "{   8080 }"
Client_Setup_Port = "{   2023 }"
# Access-list tables are "persist" with no inline members: they are filled
# outside this file, so an empty table means the matching rdr/pass rules
# admit nobody.
table <Clients_Setup_Access_List> persist
Clients_Setup_Access_List = "<Clients_Setup_Access_List>"
table <Clients_Setup_HTTP_Host_IP> {   192.168.1.27 } 
Clients_Setup_HTTP_Host_IP = "<Clients_Setup_HTTP_Host_IP>"
table <Clients_WSUS_Access_List> persist
Clients_WSUS_Access_List = "<Clients_WSUS_Access_List>"
table <Clients_WSUS_HTTP_Host_IP> {   192.168.1.27 } 
Clients_WSUS_HTTP_Host_IP = "<Clients_WSUS_HTTP_Host_IP>"
Clients_WSUS_HTTP_Port = "{   2022 }"
CrashPlan_Port = "{   4242 }"
DHCP_Ports = "{   67:68 }"
table <ESXi> {   192.168.1.10 } 
ESXi = "<ESXi>"
table <FTP_Host_IP> {   192.168.1.26 } 
FTP_Host_IP = "<FTP_Host_IP>"
# FTP control (2121), FTPS (990) and a passive-data range (2009:2019); all
# of these are redirected from the WAN to the FTP host below.
FTP_Ports = "{   2121  990  2009:2019 }"
# NOTE(review): <GmailSMTP> is not referenced by any rule in this file.
table <GmailSMTP> persist
GmailSMTP = "<GmailSMTP>"
table <GoogleVoice> persist
GoogleVoice = "<GoogleVoice>"
table <MediaCenter> {   192.168.1.51 } 
MediaCenter = "<MediaCenter>"
# Windows RPC/NetBIOS/SMB ports; rejected when bound for the internet below.
NetBIOS = "{   135  137:139  445 }"
table <OpenVPN_Subnet> {   192.168.2.0/24 } 
OpenVPN_Subnet = "<OpenVPN_Subnet>"
p2p_Generic_Port = "{   2021 }"
table <pfSense> {   192.168.1.1 } 
pfSense = "<pfSense>"
PlexMS_Port = "{   32400 }"
# RFC 1918 ranges; "! $PrivateIPv4" below is used to mean "the internet".
table <PrivateIPv4> {   10.0.0.0/8  172.16.0.0/12  192.168.0.0/16 } 
PrivateIPv4 = "<PrivateIPv4>"
table <Server> {   192.168.1.5 } 
Server = "<Server>"
table <VoIP> {   192.168.1.4 } 
VoIP = "<VoIP>"
# Hard-coded external provider ranges; only used for queue assignment, not
# for pass/block decisions. Re-check them periodically, they are static here.
table <VonageSubnets> {   64.192.11.0/24  74.116.144.0/21  216.115.16.0/20  69.59.224.0/19 } 
VonageSubnets = "<VonageSubnets>"
table <Workstation> {   192.168.1.50 } 
Workstation = "<Workstation>"
 
# Gateways
# NOTE(review): the WAN rules below spell "route-to ( xl0 1.2.3.6 )" and
# "reply-to ( xl0 1.2.3.6 )" inline instead of expanding this macro, so a
# gateway change must be applied in both places.
GWWanStaticGw = " route-to ( xl0 1.2.3.6 ) "

 
# Collect packet/byte statistics for the LAN interface (xl1).
set loginterface xl1

# pfsync traffic is not filtered at all.
set skip on pfsync0

# Normalise traffic on both interfaces: clear the DF bit and reassemble
# fragments so the filter rules below always see whole packets.
scrub on $WAN all no-df   fragment reassemble
scrub on $LAN all no-df   fragment reassemble

 # Priority queueing on the WAN upload (1436Kb). Higher "priority" wins; the
 # *_NoECN queues carry traffic that should not be ECN-marked (UDP/ICMP in
 # the match rules below). qLow is the default queue for unmatched traffic.
 altq on  xl0 priq bandwidth 1436Kb queue {  qCritical,  qVoIP,  qHigh,  qMedium,  qMedLow,  qLow,  qHigh_NoECN,  qCritical_NoECN,  qLow_NoECN  } 
 queue qCritical on xl0 priority 15 priq (  ecn  )  
 queue qVoIP on xl0 priority 13 
 queue qHigh on xl0 priority 10 priq (  ecn  )  
 queue qMedium on xl0 priority 7 priq (  ecn  )  
 queue qMedLow on xl0 priority 4 priq (  ecn  )  
 queue qLow on xl0 priority 2 priq (  ecn  , default  )  
 queue qHigh_NoECN on xl0 priority 11 
 queue qCritical_NoECN on xl0 priority 14 
 queue qLow_NoECN on xl0 priority 1 
 
 # LAN side: a single default queue, no shaping beyond the 100Mb cap.
 altq on  xl1 priq bandwidth 100Mb queue {  qDefaultDown  } 
 queue qDefaultDown on xl1 priority 15 priq (  default  )  
 

# CARP traffic is never translated.
no nat proto carp
no rdr proto carp
nat-anchor "natearly/*"
nat-anchor "natrules/*"


# Outbound NAT rules

# Subnets to NAT: LAN, the OpenVPN subnet, loopback and 0.0.0.0.
tonatsubnets	= "{ 192.168.1.0/24 192.168.2.0/24 127.0.0.0/8 0.0.0.0  }"
# Port 500 -> 500 keeps its source port (static-port NAT, presumably so
# IKE/IPsec peers see source port 500); everything else is translated to
# 1.2.3.4 with a high source port.
nat on $WAN  from $tonatsubnets port 500 to any port 500 -> 1.2.3.4/32 port 500  
nat on $WAN  from $tonatsubnets to any -> 1.2.3.4/32 port 1024:65535  


# Load balancing anchor
rdr-anchor "relayd/*"
# TFTP proxy
rdr-anchor "tftp-proxy/*"
# NAT Inbound Redirects. Each rdr needs a matching "pass in" rule in the
# user rules below; the source restriction on the rdr and on the pass rule
# must agree or the more permissive one decides reachability.
# FTP: all $FTP_Ports exposed to any internet source.
rdr on xl0 proto tcp from any to 1.2.3.4 port $FTP_Ports -> $FTP_Host_IP
# WSUS / client-setup HTTP: only sources in the access-list tables.
rdr on xl0 proto tcp from $Clients_WSUS_Access_List to 1.2.3.4 port $Clients_WSUS_HTTP_Port -> $Clients_WSUS_HTTP_Host_IP
rdr on xl0 proto tcp from $Clients_Setup_Access_List to 1.2.3.4 port $Client_Setup_Port -> $Clients_Setup_HTTP_Host_IP
# Transparently redirects the Belkin AP's NTP queries for 208.184.49.9 to
# the firewall itself (LAN side).
rdr on xl1 proto { tcp udp } from $Belkin_AP to 208.184.49.9 port 123 -> $pfSense
# NOTE(review): the BitTorrent web UI (port 8080) is redirected from any
# source, i.e. the management UI is reachable from the whole internet.
rdr on xl0 proto tcp from any to 1.2.3.4 port $BitTorrent_WebUI_Port -> $BitTorrent_Host_IP
rdr on xl0 proto { tcp udp } from any to 1.2.3.4 port $BitTorrent_Port -> $BitTorrent_Host_IP
rdr on xl0 proto { tcp udp } from any to 1.2.3.4 port $p2p_Generic_Port -> $Server
rdr on xl0 proto { tcp udp } from any to 1.2.3.4 port $PlexMS_Port -> $MediaCenter
# UPnPd rdr anchor
rdr-anchor "miniupnpd"

anchor "relayd/*"
anchor "openvpn/*"
anchor "ipsec/*"
#---------------------------------------------------------------------------
# default deny rules: anything not explicitly passed further down is
# dropped silently. These are not "quick", so later pass rules override them.
#---------------------------------------------------------------------------
block in  inet all label "Default deny rule IPv4"
block out  inet all label "Default deny rule IPv4"
block in  inet6 all label "Default deny rule IPv6"
block out  inet6 all label "Default deny rule IPv6"

# IPv6 ICMP is not auxiliary, it is required for operation
# See man icmp6(4)
# 1    unreach         Destination unreachable
# 2    toobig          Packet too big
# 128  echoreq         Echo service request
# 129  echorep         Echo service reply
# 133  routersol       Router solicitation
# 134  routeradv       Router advertisement
# 135  neighbrsol      Neighbor solicitation
# 136  neighbradv      Neighbor advertisement
# Unreachable, too-big, NS and NA are allowed between any addresses.
pass quick inet6 proto ipv6-icmp from any to any icmp6-type {1,2,135,136} keep state

# Allow only bare essential icmpv6 packets (RS, RA, NS, NA, echoreq, echorep)
# between link-local and link-local/multicast addresses: echo replies go out,
# echo requests come in; RS/RA/NS/NA are allowed in both directions.
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {129,133,134,135,136} keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {129,133,134,135,136} keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {128,133,134,135,136} keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type {128,133,134,135,136} keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {128,133,134,135,136} keep state

# We use the mighty pf, we cannot be fooled.
# Drop TCP/UDP with source or destination port 0 in either address family;
# port 0 is never legitimate and is a common scanner/evasion artefact.
block quick inet proto { tcp, udp } from any port = 0 to any
block quick inet proto { tcp, udp } from any to any port = 0
block quick inet6 proto { tcp, udp } from any port = 0 to any
block quick inet6 proto { tcp, udp } from any to any port = 0


# Snort package: hosts the IDS placed in <snort2c> are cut off both ways.
block quick from <snort2c> to any label "Block snort2c hosts"
block quick from any to <snort2c> label "Block snort2c hosts"


# SSH lockout: locked-out sources are logged and dropped on port 22 only.
block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"

# webConfigurator lockout
# NOTE(review): only port 80 is covered; if the web GUI also listens on 443
# a locked-out host can still reach it there — confirm the GUI port(s).
block in log quick proto tcp from <webConfiguratorlockout> to any port 80 label "webConfiguratorlockout"
# Sources placed in <virusprot> are dropped on every port/protocol.
block in quick from <virusprot> to any label "virusprot overload table"
# Drop packets arriving on the wrong interface for their source network.
antispoof for xl0
antispoof for xl1
# allow access to DHCP server on LAN (broadcast and unicast to 192.168.1.1),
# plus the server's replies going out.
pass in quick on $LAN proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
pass in quick on $LAN proto udp from any port = 68 to 192.168.1.1 port = 67 label "allow access to DHCP server"
pass out quick on $LAN proto udp from 192.168.1.1 port = 67 to any port = 68 label "allow access to DHCP server"

# loopback: unfiltered in both address families.
pass in on $loopback inet all label "pass IPv4 loopback"
pass out on $loopback inet all label "pass IPv4 loopback"
pass in on $loopback inet6 all label "pass IPv6 loopback"
pass out on $loopback inet6 all label "pass IPv6 loopback"
# let out anything from the firewall host itself and decrypted IPsec traffic.
# "allow-opts" also lets packets carrying IP options through these rules.
pass out inet all keep state allow-opts label "let out anything IPv4 from firewall host itself"
pass out inet6 all keep state allow-opts label "let out anything IPv6 from firewall host itself"
# Traffic sourced from the WAN address and bound outside the local /23 is
# forced out via the WAN gateway 1.2.3.6.
pass out route-to ( xl0 1.2.3.6 ) from 1.2.3.4 to !1.2.3.0/23 keep state allow-opts label "let out anything from firewall host itself"

# User-defined rules follow

anchor "userrules/*"
# Queue assignment. "match" rules only tag traffic with an ALTQ queue; they
# never pass or block. The first rule sends all UDP to the low no-ECN queue;
# the more specific rules after it re-tag what they match (NOTE(review):
# with several matching "match" rules the later queue assignment is the one
# that sticks — keep order in mind when adding rules here).
match inet proto udp  from any to any  queue (qLow_NoECN)  label "USER_RULE: Any UDP Traffic -> Low No ECN Default"
match  proto udp  from $GoogleVoice to any  queue (qVoIP)  label "USER_RULE: Google Voice -> VoIP"
match  proto udp  from any to $GoogleVoice  queue (qVoIP)  label "USER_RULE: Google Voice -> VoIP"
match  proto udp  from $VonageSubnets to any  queue (qVoIP)  label "USER_RULE: Vonage ARIN Registered Subnets -> VoIP"
match  proto udp  from any to $VonageSubnets  queue (qVoIP)  label "USER_RULE: Vonage ARIN Registered Subnets -> VoIP"
match  proto { tcp udp }  from $VoIP to any  queue (qVoIP)  label "USER_RULE: VoIP Adapter -> VoIP"
match  proto { tcp udp }  from any to $VoIP  queue (qVoIP)  label "USER_RULE: VoIP Adapter -> VoIP"
# WAN-only (xl0) classification by destination port. TCP rules use
# "queue (qHigh,qCritical)": bulk traffic goes to qHigh, ACKs/low-delay
# packets to qCritical.
match  on {  xl0  } inet proto udp  from any to any port 1194  queue (qHigh_NoECN)  label "USER_RULE: OpenVPN -> High"
match  on {  xl0  }  proto tcp  from any to any port 993 flags S/SA  queue (qHigh,qCritical)  label "USER_RULE: IMAP SSL -> High"
match  on {  xl0  }  proto tcp  from any to any port 587 flags S/SA  queue (qHigh,qCritical)  label "USER_RULE: SMTP TLS -> High"
match  on {  xl0  } inet proto udp  from any to any port 500  queue (qHigh_NoECN)  label "USER_RULE: ISAKMP (IPsec SA) -> High"
match  on {  xl0  }  proto tcp  from any to any port 465 flags S/SA  queue (qHigh,qCritical)  label "USER_RULE: SMTP SSL -> High"
match  on {  xl0  }  proto tcp  from any to any port 443 flags S/SA  queue (qHigh,qCritical)  label "USER_RULE: HTTPS -> High"
match  on {  xl0  }  proto tcp  from any to any port 143 flags S/SA  queue (qHigh,qCritical)  label "USER_RULE: IMAP -> High"
match  on {  xl0  } inet proto udp  from any to any port 123  queue (qHigh_NoECN,qCritical_NoECN)  label "USER_RULE: NTP -> High"
match  on {  xl0  }  proto tcp  from any to any port 80 flags S/SA  queue (qHigh,qCritical)  label "USER_RULE: HTTP -> High"
match  on {  xl0  } inet proto tcp  from any to any port 53 flags S/SA  queue (qHigh,qCritical)  label "USER_RULE: DNS TCP -> High"
match  on {  xl0  } inet proto udp  from any to any port 53  queue (qHigh_NoECN,qCritical_NoECN)  label "USER_RULE: DNS UDP -> High"
match  on {  xl0  }  proto tcp  from any to any port 25 flags S/SA  queue (qHigh,qCritical)  label "USER_RULE: SMTP -> High"
match  on {  xl0  }  proto tcp  from any to any port 23 flags S/SA  queue (qHigh,qCritical)  label "USER_RULE: Telnet -> High"
match  on {  xl0  }  proto tcp  from any to any port 22 flags S/SA  queue (qHigh,qCritical)  label "USER_RULE: SSH -> High"
match  on {  xl0  }  proto tcp  from any to any port 21 flags S/SA  queue (qHigh,qCritical)  label "USER_RULE: FTP -> High"
# CrashPlan backups are recognised by DSCP AF11 on their destination port,
# and on 443 so AF11-marked HTTPS backup traffic is demoted as well.
match inet proto tcp  from any to any port $CrashPlan_Port  dscp af11 flags S/SA  queue (qMedLow)  label "USER_RULE: CrashPlan to Friends - AF11 (DSCP 10) -> Medium Low"
match inet proto tcp  from any to any port 443  dscp af11 flags S/SA  queue (qMedLow)  label "USER_RULE: CrashPlan - AF11 (DSCP 10) -> Medium Low"
# Tunnel protocols on the WAN (GRE, IPsec AH/ESP).
match  on {  xl0  }  proto gre  from any to any  queue (qHigh)  label "USER_RULE: Generic Route Encapsulation -> High"
match  on {  xl0  }  proto ah  from any to any  queue (qHigh)  label "USER_RULE: Authentication Header -> High"
match  on {  xl0  }  proto esp  from any to any  queue (qHigh)  label "USER_RULE: Encapsulating Security Payload -> High"
# Per-host classification for the LAN servers; the BitTorrent host is
# demoted to the low queues, its web UI and the other services promoted.
match inet proto tcp  from $BitTorrent_Host_IP to any flags S/SA  queue (qLow)  label "USER_RULE: BitTorrent Server -> Low"
match inet proto udp  from $BitTorrent_Host_IP to any  queue (qLow_NoECN)  label "USER_RULE: BitTorrent Server -> Low"
match inet proto tcp  from any to $BitTorrent_Host_IP flags S/SA  queue (qLow)  label "USER_RULE: BitTorrent Server -> Low"
match inet proto udp  from any to $BitTorrent_Host_IP  queue (qLow_NoECN)  label "USER_RULE: BitTorrent Server -> Low"
match  proto tcp  from $BitTorrent_Host_IP port $BitTorrent_WebUI_Port to any flags S/SA  queue (qHigh)  label "USER_RULE: BitTorrent Client WebUI -> High"
match  proto tcp  from any to $BitTorrent_Host_IP port $BitTorrent_WebUI_Port flags S/SA  queue (qHigh)  label "USER_RULE: BitTorrent Client WebUI -> High"
match inet proto { tcp udp }  from $MediaCenter port $PlexMS_Port to any  queue (qHigh)  label "USER_RULE: Plex Media Server -> High"
match inet proto { tcp udp }  from any to $MediaCenter port $PlexMS_Port  queue (qHigh)  label "USER_RULE: Plex Media Server -> High"
match  proto { tcp udp }  from $FTP_Host_IP to any  queue (qMedium)  label "USER_RULE: FTP Server -> Medium"
match  proto { tcp udp }  from any to $FTP_Host_IP  queue (qMedium)  label "USER_RULE: FTP Server -> Medium"
match inet proto tcp  from $Clients_Setup_HTTP_Host_IP port $Client_Setup_Port to any flags S/SA  queue (qMedium)  label "USER_RULE: Clients Setup HTTP Server -> Medium"
match inet proto tcp  from any to $Clients_Setup_HTTP_Host_IP port $Client_Setup_Port flags S/SA  queue (qMedium)  label "USER_RULE: Clients Setup HTTP Server -> Medium"
match inet proto tcp  from $Clients_WSUS_HTTP_Host_IP port $Clients_WSUS_HTTP_Port to any flags S/SA  queue (qHigh)  label "USER_RULE: Client WSUS HTTP Server -> High"
match inet proto tcp  from any to $Clients_WSUS_HTTP_Host_IP port $Clients_WSUS_HTTP_Port flags S/SA  queue (qHigh)  label "USER_RULE: Client WSUS HTTP Server -> High"
match  on {  xl0  } inet proto icmp  from any to any  queue (qCritical_NoECN)  label "USER_RULE: ICMP Packets -> Critical"
# Filter rules. All are "quick", so the first match wins; the blocklist
# blocks are therefore placed before the pass rules on the same interface.
# OpenVPN clients get unrestricted access (any proto/port) to the LAN.
pass  in  quick  on $OpenVPN  from $OpenVPN_Subnet to 192.168.1.0/24  label "USER_RULE: Allow OpenVPN Clients to LAN"
# WAN inbound. "reply-to ( xl0 1.2.3.6 )" sends replies back out via the
# WAN gateway. The Dshield list is applied to all inbound traffic, the
# Bluetack lists only to traffic for the BitTorrent host.
block  in  quick  on $WAN reply-to ( xl0 1.2.3.6 ) inet from $pfBlockerDshieldBlockLists to any  label "USER_RULE: Apply Dshield Blocklist to All Traffic"
block  in  quick  on $WAN reply-to ( xl0 1.2.3.6 ) inet from $pfBlockerBluetackLevel1 to $BitTorrent_Host_IP  label "USER_RULE: Apply Blocklist to BitTorrent Traffic"
block  in  quick  on $WAN reply-to ( xl0 1.2.3.6 ) inet from $pfBlockerBluetackSpiders to $BitTorrent_Host_IP  label "USER_RULE: Apply Blocklist to BitTorrent Traffic"
block  in  quick  on $WAN reply-to ( xl0 1.2.3.6 ) inet from $pfBlockerBluetackSpyware to $BitTorrent_Host_IP  label "USER_RULE: Apply Blocklist to BitTorrent Traffic"
block  in  quick  on $WAN reply-to ( xl0 1.2.3.6 ) inet from $pfBlockerBluetackAdPorn to $BitTorrent_Host_IP  label "USER_RULE: Apply Blocklist to BitTorrent Traffic"
# NOTE(review): every ICMP type from any source is accepted on the WAN (no
# icmp-type restriction); consider whether echoreq/unreach alone would do.
pass  in  quick  on $WAN reply-to ( xl0 1.2.3.6 )  proto icmp  from any to any  label "USER_RULE: Allow ICMP"
pass  in  quick  on $WAN reply-to ( xl0 1.2.3.6 ) inet proto udp  from any to any port 1194  label "USER_RULE: Allow OpenVPN"
# Pass rules for the inbound rdr entries above. The source restriction must
# match the rdr: FTP, the BitTorrent ports, the P2P port and Plex are open
# to any source; WSUS and client-setup only to their access-list tables.
pass  in  quick  on $WAN reply-to ( xl0 1.2.3.6 )  proto tcp  from any to $FTP_Host_IP port $FTP_Ports flags S/SA keep state  label "USER_RULE: NAT FTP Server"
pass  in  quick  on $WAN reply-to ( xl0 1.2.3.6 )  proto tcp  from $Clients_WSUS_Access_List to $Clients_WSUS_HTTP_Host_IP port $Clients_WSUS_HTTP_Port flags S/SA keep state  label "USER_RULE: NAT Client WSUS HTTP Server"
pass  in  quick  on $WAN reply-to ( xl0 1.2.3.6 )  proto tcp  from $Clients_Setup_Access_List to $Clients_Setup_HTTP_Host_IP port $Client_Setup_Port flags S/SA keep state  label "USER_RULE: NAT Client Setup HTTP Server"
# NOTE(review): the BitTorrent web UI is passed from any internet source;
# an access-list table like the WSUS/setup rules use would limit exposure.
pass  in  quick  on $WAN reply-to ( xl0 1.2.3.6 )  proto tcp  from any to $BitTorrent_Host_IP port $BitTorrent_WebUI_Port flags S/SA keep state  label "USER_RULE: NAT BitTorrent Client WebUI"
pass  in  quick  on $WAN reply-to ( xl0 1.2.3.6 ) inet proto { tcp udp }  from any to $BitTorrent_Host_IP port $BitTorrent_Port  label "USER_RULE: NAT BitTorrent Client"
pass  in  quick  on $WAN reply-to ( xl0 1.2.3.6 )  proto { tcp udp }  from any to $Server port $p2p_Generic_Port  label "USER_RULE: NAT Limewire / eMule / old school P2P Clients"
pass  in  quick  on $WAN reply-to ( xl0 1.2.3.6 )  proto { tcp udp }  from any to $MediaCenter port $PlexMS_Port  label "USER_RULE: NAT Plex Media Server"
# LAN inbound (i.e. LAN hosts talking out). NetBIOS/SMB to non-private
# destinations is rejected with a TCP RST / ICMP unreachable ("block
# return") so clients fail fast instead of timing out.
block return  in  quick  on $LAN  proto { tcp udp }  from any to ! $PrivateIPv4 port $NetBIOS  label "USER_RULE: Reject Internet Bound NetBIOS"
# Same blocklists as on the WAN, here for outbound connections from the LAN
# / the BitTorrent host.
block return  in  quick  on $LAN inet from $pfBlockerDshieldBlockLists to any  label "USER_RULE: Apply Dshield Blocklist to All Traffic"
block return  in  quick  on $LAN inet from $BitTorrent_Host_IP to $pfBlockerBluetackLevel1  label "USER_RULE: Apply Blocklist to BitTorrent Traffic"
block return  in  quick  on $LAN inet from $BitTorrent_Host_IP to $pfBlockerBluetackSpiders  label "USER_RULE: Apply Blocklist to BitTorrent Traffic"
block return  in  quick  on $LAN inet from $BitTorrent_Host_IP to $pfBlockerBluetackSpyware  label "USER_RULE: Apply Blocklist to BitTorrent Traffic"
block return  in  quick  on $LAN inet from $BitTorrent_Host_IP to $pfBlockerBluetackAdPorn  label "USER_RULE: Apply Blocklist to BitTorrent Traffic"
# LAN egress: any protocol/port. NOTE(review): the labels mention a
# "Session Limit" but no per-rule state option (e.g. max-src-states) appears
# on these rules as written — confirm the limit is really applied or the
# labels are stale. The BitTorrent host is matched by its own rule first.
pass  in  quick  on $LAN inet from $BitTorrent_Host_IP to ! $PrivateIPv4  label "USER_RULE: Session Limit BitTorrent Internet Traffic"
pass  in  quick  on $LAN inet from 192.168.1.0/24 to $PrivateIPv4  label "USER_RULE: LAN to any Private IPv4 - No Session Limit"
pass  in  quick  on $LAN inet from 192.168.1.0/24 to ! $PrivateIPv4  label "USER_RULE: Session Limit Internet Traffic"

# VPN Rules (none defined in this file beyond the OpenVPN-to-LAN pass above).
# Rules for the TFTP proxy are loaded into this anchor at runtime.
anchor "tftp-proxy/*"

