tyler569

Untitled

Jan 28th, 2015
#ext_if macro + block by default
ext_if = "vtnet0"
scrub in all
block in on $ext_if

#block known bad hosts table
#quick is needed here: pf applies the last matching rule, so without it the
#pass rules below would let <private> and <badhosts> back in on icmp, 80 and 443
#(inbound only, so the host's own outgoing traffic is not affected)
table <private> const { 10/8, 172.16/12, 192.168/16 }
table <badhosts> persist
block in quick on $ext_if from { <private>, <badhosts> } to any

#allow icmp in and out
pass in inet proto icmp all
pass out inet proto icmp all

#allow SSH from known admins
table <admins> persist file "/usr/local/tyler/admins.pf"
pass in on $ext_if proto tcp from <admins> to $ext_if port 22

#HTTP (80) and HTTPS (443) to the world
pass in on $ext_if proto tcp from any to $ext_if port 80
pass in on $ext_if proto tcp from any to $ext_if port 443

#allow outgoing traffic
pass out on $ext_if proto { tcp, udp } all
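
pf evaluates filter rules in order and the last matching rule decides, unless a matching rule is marked quick. The following added example (not part of the paste, and a simplified Python model rather than pf itself) applies that to the inbound rules here, with the <private>/<badhosts> block rule both without and with quick; the table addresses are constructed documentation-range samples.

```python
import ipaddress

# Constructed sample tables; the real <badhosts>/<admins> contents are not on the page.
TABLES = {
    "private": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "badhosts": ["203.0.113.7/32"],
    "admins": ["198.51.100.10/32"],
}

def ruleset(quick):
    """Inbound rules from the paste as (action, quick, src_tables, proto, port)."""
    return [
        ("block", False, None, None, None),                     # block in on $ext_if
        ("block", quick, ("private", "badhosts"), None, None),  # bad hosts rule
        ("pass", False, None, "icmp", None),                    # icmp in
        ("pass", False, ("admins",), "tcp", 22),                # SSH from admins
        ("pass", False, None, "tcp", 80),                       # HTTP
        ("pass", False, None, "tcp", 443),                      # HTTPS
    ]

def in_tables(ip, names):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for t in names for n in TABLES[t])

def matches(rule, src, proto, port):
    _, _, tables, r_proto, r_port = rule
    if tables is not None and not in_tables(src, tables):
        return False
    if r_proto is not None and r_proto != proto:
        return False
    return r_port is None or r_port == port

def decide(rules, src, proto, port=None):
    """Last matching rule wins; a matching quick rule stops evaluation."""
    verdict = "pass"  # pf's implicit default when no rule matches
    for rule in rules:
        if matches(rule, src, proto, port):
            verdict = rule[0]
            if rule[1]:
                break
    return verdict

if __name__ == "__main__":
    for quick in (False, True):
        rules = ruleset(quick)
        print("quick" if quick else "no quick",
              "| bad host -> 80:", decide(rules, "203.0.113.7", "tcp", 80),
              "| other host -> 80:", decide(rules, "192.0.2.50", "tcp", 80))
```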