# Policy
set skip on lo
set block-policy return
anchor "ftp-proxy/*"
block quick inet6 all
block in quick from <brute>
block out quick to <brute>
block drop in quick on egress from <martians>
block drop out quick on egress to <martians>
antispoof quick for ingress
match in all scrub (max-mss 1440)

# Tables
table <martians> const { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
0.0.0.0/8, 240.0.0.0/4 } #non routable address blocks
table <brute> persist #table for brute force attempts, etc.
table <bgp-spamd-bypass> persist # table for spamd whitelisted addresses.

# Queues, priorities
queue egress on pppoe0 bandwidth 50M qlimit 10000
queue critical parent egress bandwidth 10M max 40M min 1M qlimit 2000
queue services parent egress bandwidth 10M max 40M qlimit 2000
queue other parent egress bandwidth 30M max 40M default qlimit 1000
queue bulk parent egress bandwidth 30M qlimit 200
match on egress proto { tcp, udp } to port { ssh, isakmp, l2tp, ipsec-nat-t, domain } set queue critical set prio 6
match on egress proto { ah, esp, gre, icmp } set queue critical set prio 6
match on egress proto tcp to port { smtp, www, https, submission, imaps } set queue services set prio 4
match on egress proto { tcp, udp } from kodi.shore.co.il port bittorrent set queue bulk set prio 1
match on egress proto { tcp, udp } to kodi.shore.co.il port bittorrent set queue bulk set prio 1

# Defaults
pass in quick proto tcp to (all:0) port ssh keep state (source-track rule, max 100, max-src-nodes 10, max-src-conn-rate 15/60, overload <brute> flush global)
match out on egress inet from (ingress:network) nat-to (egress)
block in all
pass out all
pass quick inet proto icmp icmp-type { echoreq, unreach }

# Allowed local services
pass in quick on ingress proto { tcp, udp } to (ingress:0) port { bootps, bootpc } set prio ( 4, 6 )
pass in quick proto { tcp, udp } to port domain set queue services set prio ( 4, 6 )
pass in quick proto tcp to (egress:0) port { www, https } set prio ( 4, 6 )

# Port redirection
pass in quick proto tcp to (egress:0) port { smtp, submission, imaps } rdr-to host01.shore.co.il set queue critical set prio ( 4, 6 )
pass out quick proto tcp to host01.shore.co.il port { submission, smtp, imaps } received-on ingress nat-to ingress set prio ( 4, 6 )
pass in quick proto { tcp, udp } to (egress:0) port bittorrent rdr-to kodi.shore.co.il set queue bulk set prio 1

# Allowd NAT and proxying
#pass in quick on ingress inet proto tcp to egress:network port www divert-to localhost port wwwproxy
pass in quick on ingress inet proto tcp to port ftp divert-to localhost port ftpproxy
pass in quick on ingress inet to !(ingress:0)