wan_if="em0"
priv_nets="{10.0.0.0.8, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4, 240.0.0.0/5, 127.0.0.0/8, 0.0.0.0}"
tcp_ports="{ 20, 21, 22, 25, 53, 80, 110, 143 }"
udp_ports="{ 53 }"
icmp_types="8"

table <rfc1918> const { 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12 }
table <blocklist> persist file "/etc/blocklist.txt"

set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 15000, frags 30000 }
set optimization normal
set block-policy drop
set fingerprints "/etc/pf.os"
set loginterface $wan_if
set require-order yes

scrub in on $wan_if all no-df fragment reassemble min-ttl 15 max-mss 1460
scrub in on $wan_if all no-df
scrub    on $wan_if  all reassemble tcp

block in quick on $ext_if from $priv_nets

pass in all
pass out all

pass quick on lo0 all

block in log all
block out log all

block in quick on $wan_if from <blocklist> to any
block in quick on $wan_if from <rfc1918> to any

pass in on $wan_if proto tcp from any to $wan_if port $tcp_ports flags S/SA synproxy state
pass in on $wan_if proto udp from any to $wan_if port $udp_ports keep state
pass in on $wan_if inet proto icmp all icmp-type $icmp_types keep state
pass in inet proto icmp icmp-type 8 code 0 keep state



pass in quick on $wan_if proto tcp from any to any port > 49151  keep state

pass out on $wan_if proto tcp all modulate state flags S/SA
pass out on $wan_if proto { udp, icmp } all keep state

device pf
device pflog
device pfsync

# altq support
options ALTQ
options ALTQ_CBQ
options ALTQ_RED
options ALTQ_RIO
options ALTQ_HFSC
options ALTQ_PRIQ

# other optimizations
options HZ=1000
options DEVICE_POLLING