ext_if="vtnet0"
extnet=$ext_if:network
tcp_services="{ www, https }"
icmp_types="echoreq"
jail_net="192.168.0.1/24"
jail_git="192.168.0.25/24"
jail_git6="fd00::25/24"
jail_net6="fd00::/8"
table <martians> const { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
              10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
              0.0.0.0/8, 240.0.0.0/4 }

table <copains> const { }
set loginterface $ext_if
set skip on lo0
set skip on lo1
set block-policy drop
scrub in on $ext_if all fragment reassemble
scrub on $ext_if all reassemble tcp

nat on $ext_if inet from  $jail_net to any -> $ext_if:0
nat on $ext_if inet6 from $jail_net6 to any -> $ext_if:0


rdr pass on $ext_if proto tcp from any to ($ext_if) port 9022 -> jail_git port 22
rdr pass on $ext_if proto tcp from any to ($ext_if) port 9418 -> jail_git port 9418


block in all
pass out all

block drop quick from <sshforce>
block drop in quick on $ext_if from <martians> to any
block drop out quick on $ext_if from any to <martians>
antispoof quick for { lo0 lo1 $ext_if }
pass quick from <copains> to any
anchor "blacklistd/*" in on $ext_if

pass log proto tcp from any to $extnet port 79
pass proto tcp from any to $extnet port $tcp_services \
    flags S/SA keep state

# Restrictive Brute force SSH
pass quick proto tcp from any to $extnet port ssh \
    flags S/SA keep state \
    (max-src-conn 15, max-src-conn-rate 5/3, \
    overload <sshforce> flush global)

pass in inet proto icmp all icmp-type $icmp_types
pass in inet6 proto icmp6 all