#################################################################
# vars

# logging interfaces - for reference only
#pflog0 - block
#pflog1 - pass in
#pflog2 - pass out
#pflog3 - pass in nginx (80, 443, 8080

# interfaces
ext_if="re0"
int_if="em0"
#wifi_if="tap0" # i think tap0 is being used for hermes VM right now
vpn_if="tun0" # change to tap1 when ready to change to bridging on vpn adapter

# static internal hosts
aries       ="127.0.0.1"
aries_int   ="192.168.0.1"
aries_wg    ="192.168.1.1"
cert        ="192.168.0.9"
hermes      ="192.168.0.11"
nextcloud   ="192.168.0.24"

# queues, states and types
icmp_ping="icmp-type 8 code 0"
ssh_queue="(ssh_bulk, ssh_login)"
syn_state="flags S/UAPRSF synproxy state"
tcp_state="flags S/UAPRSF modulate state"
udp_state="keep state"

# stateful tracking options - STO
open_sto="(max 90000, source-track rule, max-src-conn 1000, max-src-nodes 256)"
smtp_sto="(max   200, source-track rule, max-src-conn   10, max-src-nodes 256, max-src-conn-rate 200/30)"
ssh_sto ="(max   100, source-track rule, max-src-conn   10, max-src-nodes 100, max-src-conn-rate 100/30,  overload <BLOCKTEMP> flush global)"
web_sto ="(max  4096, source-track rule, max-src-conn   64, max-src-nodes 512, max-src-conn-rate 500/100, overload <BLOCKTEMP> flush global)"

# tables
table <mynet> const { 192.168.0.0/24 }
#table <inttrack> { 192.168.0.240 }
table <spammers> persist file "/etc/pf_spammers.table"

table <BLOCKTEMP> counters
table <BLOCKPERM> counters file "/etc/pf_block_permanent.table"
table <non_route> file "/etc/pf_non_route.table"
table <public_dns> file "/etc/pf_public_dns.table"
table <spamd-white> persist

#################################################################
# options

# misc
set skip on lo
set debug urgent
set block-policy drop
set loginterface $ext_if
set state-policy if-bound
set fingerprints "/etc/pf.os"
set ruleset-optimization none

# timeouts
set optimization normal
set timeout { tcp.closing 60, tcp.established 7200 }

# scrub is disabled because it scrambles RFC1323 time stamps
#scrub in all no-df random-id fragment reassemble
no scrub

#################################################################
# NAT and Redirection rules are first match

# static NAT for LAN. can also add for things like XBOX or PS4
#nat on $ext_if from $xbox to any -> ($ext_if) static-port
nat on $ext_if from $int_if:network to any -> ($ext_if)

# not sure if i need to NAT the openvpn network...
#nat on $vpn_if from $int_if:network to any -> ($vpn_if)

# my servers available publically
rdr on $ext_if inet proto   tcp       from !($ext_if)      to ($ext_if) port { 80 443 8080 }      -> $aries
rdr on $ext_if inet proto   udp       from !($ext_if)      to ($ext_if) port { 51820 }            -> $aries_wg
rdr on $ext_if inet proto   tcp       from !($ext_if)      to ($ext_if) port   993                -> $hermes
rdr on $ext_if inet proto { tcp udp } from !($ext_if)      to ($ext_if) port   10011              -> $aries
#rdr on $ext_if inet proto   tcp       from !($ext_if)      to ($ext_if) port   11371              -> $cert

# specific rules for smtp mail server and spamd
rdr on $ext_if inet proto   tcp       from !<spamd-white>  to ($ext_if)    port { 25 587 }           -> $hermes #port spamd
rdr on $ext_if inet proto   tcp       from  <spamd-white>  to ($ext_if)    port { 25 587 }           -> $hermes

# redirect public DNS servers to aries
rdr on $int_if inet proto { tcp udp } from $int_if:network to <public_dns> port   53                 -> $aries_int
#rdr on { $int_if $bridge_if $wifi_if } proto { tcp udp } from .... blah blah blah

# openvpn redirect
#rdr on $vpn_if inet                   from $vpn_if:network to any

# openvpn redirect. need to look at the 'rdr in' and 'rdr out' to see if i can simplify this
#rdr out on $vpn_if from $vpn_net to any
#rdr in on $vpn_if from any to any

# redirect DNS servers to aries. retyped above. want to test
#rdr pass on { $int_if $bridge_if $wifi_if } proto { tcp udp } from $lan_net to <pubdns> -> $aries_int

# anchors
rdr-anchor "miniupnp"

# deny rouge redirect
no rdr

#################################################################
# filtering

# block abusive hosts. quick rules
block drop in quick on $ext_if           from <non_route> to any
block drop in quick on $ext_if           from <BLOCKPERM> to any
block drop in quick on $ext_if proto tcp from <BLOCKTEMP> to any # port != ssh
block drop in quick on $ext_if proto udp from <BLOCKTEMP> to any

# default blocking rule
block drop in on $ext_if

# ext_if inbound
pass in log (all, to pflog0) on $ext_if inet proto tcp from !($ext_if)      to $aries     port { 80 443 8080 } $tcp_state $web_sto
pass in on $ext_if inet proto udp from !($ext_if)      to $aries_wg  port   51820         $udp_state $open_sto
pass in on $ext_if inet proto tcp from !($ext_if)      to $hermes    port   993           $tcp_state $open_sto
pass in on $ext_if inet proto tcp from !($ext_if)      to $aries     port   10011         $tcp_state $open_sto
pass in on $ext_if inet proto udp from !($ext_if)      to $aries     port   10011         $udp_state $open_sto
#pass in on $ext_if inet proto tcp from !($ext_if)      to $cert      port   11371         $tcp_state $open_sto

# ext_if inbound - specific rules for mail server and spamd
pass in on $ext_if inet proto tcp from !<spamd-white> to $hermes    port { 25 587 }    $tcp_state $open_sto
pass in on $ext_if inet proto tcp from  <spamd-white> to $hermes    port { 25 587 }    $tcp_state $open_sto

# ext_if outbound
pass out on $ext_if inet proto tcp  from ($ext_if) to !($ext_if) $tcp_state $open_sto
pass out on $ext_if inet proto udp  from ($ext_if) to !($ext_if) $udp_state $open_sto
pass out on $ext_if inet proto icmp from ($ext_if) to !($ext_if) $udp_state $open_sto

### WARNING: enabling these between rules will restrict OUTBOUND traffic! (default deny, then allow with next block)

# int_if default block with return (TCP reset)
#block return in on $int_if inet

# int_if inbound (retrict LAN machines to external clients)
#pass in on $int_if inet proto tcp  from $int_if:network to any         port { 80 443 } $tcp_state $open_sto
pass in on $int_if inet proto tcp  from $int_if:network to $aries_int  port   22       $tcp_state $open_sto
#pass in on $int_if inet proto tcp  from $int_if:network to $aries_int  port   53       $tcp_state $open_sto
#pass in on $int_if inet proto udp  from $int_if:network to $aries_int  port   53       $udp_state $open_sto
#pass in on $int_if inet proto udp  from $int_if:network to $aries_int  port   ntp      $udp_state $open_sto
#pass in on $int_if inet proto icmp from $int_if:network to any         $icmp_ping      $udp_state $open_sto

### WARNING: end

# int_if outbound
pass out on $int_if inet proto tcp  from $int_if to $int_if:network $tcp_state
pass out on $int_if inet proto udp  from $int_if to $int_if:network $udp_state
pass out on $int_if inet proto icmp from $int_if to $int_if:network $udp_state

##################################################
# openvpn rdr
##pass out on $vpn_if from $vpn_net to any
##pass in on $vpn_if from any to any

# vpn_if inbound - openvpn network
pass in on $vpn_if inet proto tcp  from $vpn_if:network to any $tcp_state $open_sto
pass in on $vpn_if inet proto udp  from $vpn_if:network to any $udp_state $open_sto
pass in on $vpn_if inet proto icmp from $vpn_if:network to any $udp_state $open_sto

# vpn_if outbound - openvpn network
pass out on $vpn_if inet proto tcp  from $vpn_if:network to any $tcp_state $open_sto
pass out on $vpn_if inet proto udp  from $vpn_if:network to any $udp_state $open_sto
pass out on $vpn_if inet proto icmp from $vpn_if:network to any $udp_state $open_sto

# anchors
anchor "miniupnpd"