device pf
device pflog
-------------------------
EXT_IF="de0"
INT_IF="de1"
RFC1918="{ 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
-------------------------
block drop quick on $EXT_IF from any to $RFC1918
-------------------------
table <rfc1918> const { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }
-------------------------
block drop quick on $EXT_IF from any to <rfc1918>
-------------------------
table <spamerzy> file "/etc/spamerzy.table"
-------------------------
pfctl -t spamerzy -T add 10.1.1.1
-------------------------
pfctl -t spamerzy -T delete 10.1.1.1
-------------------------
pfctl -t spamerzy -T show
-------------------------
set block-policy drop
-------------------------
set loginterface de0
-------------------------
set timeout interval 20
-------------------------
set limit states 20000
set limit frags 15000
-------------------------
set limit { states 20000, frags 15000 }
-------------------------
scrub out on de0 all random-id
-------------------------
scrub fragment reassemble
-------------------------
scrub in on de0 all fragment reassemble
-------------------------
action direction [log] [quick] on interface [address_family] [proto protocol] from source_address [port source_port] to destination_address [port destination_port] [tcp_flags] [state]
-------------------------
block all
-------------------------
pass quick on lo0 all
-------------------------
antispoof quick for $INT_IF inet
-------------------------
block drop quick on $EXT_IF from any to <rfc1918>
-------------------------
pass in on $EXT_IF proto tcp from any to 192.168.1.20 port 80 modulate state flags S/SA
-------------------------
pass in on $EXT_IF proto tcp from any to 192.168.1.21 port { smtp, pop3, imap2, imaps } modulate state flags S/SA
-------------------------
pass in on $EXT_IF proto tcp from any to 192.168.1.18 port 53 modulate state flags S/SA
-------------------------
pass in on $EXT_IF proto udp from any to 192.168.1.18 port 53 keep state
-------------------------
pass in on $INT_IF from $INT_IF:network to any
pass out on $INT_IF from any to $INT_IF:network 
pass out on $EXT_IF proto tcp all modulate state flags S/SA
pass out on $EXT_IF proto { icmp, udp } all keep state
-------------------------
block in
pass in from any os "Linux"
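The fragments above assembled into one complete /etc/pf.conf, as an added example rather than the original article's own file: it puts the pieces in the order pf expects (macros and tables, options, scrub, filter rules) so that every macro and table is defined before a rule uses it. The WWW/MAIL/DNS macro names and the rule dropping inbound traffic from the <spamerzy> table are assumptions added for readability.

```pf
# Macros (interface names from the article; host macros are an assumption)
EXT_IF="de0"
INT_IF="de1"
WWW="192.168.1.20"
MAIL="192.168.1.21"
DNS="192.168.1.18"

# Tables: const = cannot be changed at runtime; the spammer list is
# loaded from a file and maintained with "pfctl -t spamerzy -T add/delete"
table <rfc1918> const { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }
table <spamerzy> file "/etc/spamerzy.table"

# Options: silently drop blocked packets, collect counters on de0,
# bound the state and fragment tables so a flood cannot exhaust memory
set block-policy drop
set loginterface de0
set timeout interval 20
set limit { states 20000, frags 15000 }

# Normalization: reassemble fragments before filtering, randomize IP IDs
scrub in on $EXT_IF all fragment reassemble
scrub out on $EXT_IF all random-id

# Filtering: default deny, then explicit exceptions
block all
pass quick on lo0 all
antispoof quick for $INT_IF inet
block drop quick on $EXT_IF from any to <rfc1918>
# Assumed use of the spammer table: drop listed sources on the outside
block drop in quick on $EXT_IF from <spamerzy> to any

# Published services; new TCP sessions must start with a bare SYN
pass in on $EXT_IF proto tcp from any to $WWW port 80 modulate state flags S/SA
pass in on $EXT_IF proto tcp from any to $MAIL port { smtp, pop3, imap2, imaps } modulate state flags S/SA
pass in on $EXT_IF proto tcp from any to $DNS port 53 modulate state flags S/SA
pass in on $EXT_IF proto udp from any to $DNS port 53 keep state

# Internal network may talk to anything; outbound from the firewall is stateful
pass in on $INT_IF from $INT_IF:network to any
pass out on $INT_IF from any to $INT_IF:network
pass out on $EXT_IF proto tcp all modulate state flags S/SA
pass out on $EXT_IF proto { icmp, udp } all keep state
```

Check the file parses before loading it with `pfctl -nf /etc/pf.conf` (parse only, no rules loaded); a missing macro or table definition shows up here as a syntax error instead of a half-loaded ruleset.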
-------------------------
# pfctl -e
# pfctl -f /etc/pf.conf
-------------------------
pf=YES
-------------------------
pf_enable="YES"
