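# pf(4) ruleset fragment in OpenBSD pf.conf syntax: options, scrub/NAT
# "match" rules, then the filter rules. The macros used below ($ext_if1,
# $ext_if2, $int_if, $vpn_if, $lan_*, $nat_ip_*, $log_opt, $log_debug,
# $mail_server, $sip_server, $camera_server, $remote_gw, $remote_nets, ...)
# and the <blocked_ip> table are defined outside this fragment.
# Reminder on pf semantics: the LAST matching rule wins unless a rule
# carries "quick", in which case evaluation stops at that rule.

# Blocked packets get a TCP RST / ICMP unreachable instead of being dropped
# silently.
set block-policy return
#set loginterface egress
# don't filter on the loopback interface (pf does no filtering at all on lo0)
set skip on lo0
######################################################################
#match in log all scrub (no-df random-id reassemble tcp)
# NEED TO BE FIXED AS SOON AS POSSIBLE
#block $log_opt all
#block in quick from urpf-failed
# antispoof on external interfaces
# NOTE(review): "inet" limits this to IPv4; IPv6 spoofing on these
# interfaces is not covered by this rule — confirm whether v6 is in use.
antispoof $log_opt quick for { $ext_if1, $ext_if2 } inet
# normalise all inbound traffic (fragment reassembly, TCP sanitising)
match in $log_opt all scrub (no-df random-id reassemble tcp)
# source NAT: each internal subnet is translated to its own public address;
# everything leaves via $ext_if1 except $lan_phone, which uses $ext_if2
match out $log_debug on $ext_if1 from $lan_server to any nat-to $nat_ip_server
match out $log_debug on $ext_if1 from $lan_user to any nat-to $nat_ip_user
match out $log_debug on $ext_if1 from $lan_guest to any nat-to $nat_ip_guest
match out $log_debug on $ext_if1 from $vpn_net to any nat-to $nat_ip_vpn
match out $log_debug on $ext_if2 from $lan_phone to any nat-to $nat_ip_phone
#pass out on $ext_if1 from $ext_if2 route-to ($ext_if2 $ext_gw2)
#pass out on $ext_if2 from $lan_phone route-to ($ext_if2 $ext_gw2)
# block our special friends from /etc/pf.blocked.ip.conf
# ("quick": no later pass rule can override this for listed sources)
block in quick $log_opt on { $ext_if1, $ext_if2 } from <blocked_ip> to any
# allow loopback connections
# (effectively redundant with "set skip on lo0" above; harmless)
pass quick on lo0 all
# internal incoming traffic
# server/user/VPN traffic is policy-routed out via $ext_if1 / $ext_gw1
pass in $log_debug on { $int_if, $vpn_if } from { $lan_server, $lan_user, $vpn_if } route-to ($ext_if1 $ext_gw1)
# guests may talk to their own subnet or leave the box, but not to the rest
# of the internal network
pass in $log_debug on $int_if from $lan_guest to { $lan_guest, ! ($int_if:network) } route-to ($ext_if1 $ext_gw1)
# phones use the second uplink; "quick" so no later rule re-routes them
pass in quick $log_debug on $int_if from $lan_phone to { $lan_phone, ! ($int_if:network) } route-to ($ext_if2 $ext_gw2)
# external incoming traffic for specified services
# (the $ext_*_services / $sec_*_services port lists are defined elsewhere)
pass in $log_opt on $ext_if1 inet proto tcp to { $nat_ip_server, $nat_ip_user, $nat_ip_vpn, $ext_ip1 } port $ext_tcp_services
pass in $log_opt on $ext_if1 inet proto udp to { $nat_ip_server, $nat_ip_user, $nat_ip_vpn, $ext_ip1 } port $ext_udp_services
pass in $log_opt on $ext_if2 inet proto tcp to { $nat_ip_phone, $ext_ip2 } port $sec_tcp_services
pass in $log_opt on $ext_if2 inet proto udp to { $nat_ip_phone, $ext_ip2 } port $sec_udp_services
# allow all outgoing connections
pass out $log_debug all keep state
# VPN connections inbound
# NOTE(review): no direction and no protocol — this passes all traffic in
# both directions on $vpn_if; confirm that is intended.
pass $log_opt on $vpn_if
# icmp / traceroute
# NOTE(review): no interface or direction restriction, so echo requests are
# accepted from anywhere, including the external interfaces — confirm.
pass inet proto icmp icmp-type { echoreq, unreach }
# rules for internal mail server - to be deleted after migration!!
# NOTE(review): unlike the other externally reachable services above, these
# rdr-to rules carry no $log_opt, so hits on them are not logged like the
# rest of the external pass rules.
pass in on $ext_if1 proto tcp from any to $ext_if1 port http \
rdr-to $mail_server port http
# HTTPS is actually SMTP on mail.
pass in on $ext_if1 proto tcp from any to $ext_if1 port https \
rdr-to $mail_server port smtp
pass in on $ext_if1 proto tcp from any to $ext_if1 port smtp \
rdr-to $mail_server port smtp
pass in on $ext_if1 proto tcp from any to $ext_if1 port smtps \
rdr-to $mail_server port smtps
pass in on $ext_if1 proto tcp from any to $ext_if1 port imap \
rdr-to $mail_server port imap
pass in on $ext_if1 proto tcp from any to $ext_if1 port imaps \
rdr-to $mail_server port imaps
pass in on $ext_if1 proto tcp from any to $ext_if1 port pop3 \
rdr-to $mail_server port pop3
pass in on $ext_if1 proto tcp from any to $ext_if1 port pop3s \
rdr-to $mail_server port pop3s
# SIP server behind the second uplink (HTTP, SIP signalling, RTP range)
pass in on $ext_if2 proto tcp from any to $ext_if2 port 80 \
rdr-to $sip_server port 80
pass in on $ext_if2 proto udp from any to $ext_if2 port 5060 \
rdr-to $sip_server port 5060
pass in on $ext_if2 proto udp from any to $ext_if2 port 16000:16015 \
rdr-to $sip_server port 16000:16015
# camera: "($ext_if1)" looks the interface address up at runtime, unlike the
# plain "$ext_if1" used in the mail rules above (inconsistent but harmless)
pass in on $ext_if1 proto tcp from any to ($ext_if1) port $camera_port \
rdr-to $camera_server port $camera_port
# IPsec to second location
# ESP and IKE (isakmp / NAT-T) are only accepted from the known peer
pass in $log_debug on $ext_if1 proto esp from $remote_gw to $ipsec_ip
pass out $log_debug on $ext_if1 proto esp from $ipsec_ip to $remote_gw
pass in $log_debug on $ext_if1 proto udp from $remote_gw to $ipsec_ip port {isakmp, ipsec-nat-t}
pass out $log_debug on $ext_if1 proto udp from $ipsec_ip to $remote_gw port {isakmp, ipsec-nat-t}
# decrypted tunnel traffic on enc0; states are bound to enc0 (if-bound)
pass in $log_opt on enc0 from $remote_nets to $int_if:network keep state (if-bound)
pass out $log_opt on enc0 from $int_if:network to $remote_nets keep state (if-bound)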