# $OpenBSD: pf.conf,v 1.25 2004/01/29 18:54:29 todd Exp $
# $DragonFly: src/etc/pf.conf,v 1.2 2005/12/13 08:38:55 swildner Exp $
#
# See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
#
# Packet-filter ruleset for a host with an external interface, an internal
# interface and a tunnel interface (the "OpenVPN" rules below suggest the
# tunnel is an OpenVPN endpoint).
#
# NOTE(review): this listing was recovered from a copy in which every line
# had been joined into one. Line breaks are reconstructed from the '#'
# markers and rule keywords; confirm against the deployed file which rules
# are live and which are commented out before relying on it.
#
# Evaluation model (pf.conf(5)): translation rules are first-match, filter
# rules are last-match unless a rule carries "quick", and a packet that
# matches no filter rule is passed.

# Interface macros. The roles are taken from the macro names.
ext_if="em0"
int_if="em1"
vpn_if="tun0"

# NOTE(review): the two table declarations below carry no table name, and
# the commented spamd rdr rules further down have an empty "from" operand.
# The angle-bracketed names look lost in extraction; restore them from the
# original file before uncommenting any of these lines.
#table persist
#table persist

# Normalise (reassemble/sanitise) inbound packets before filtering.
scrub in

# Source NAT. "!($if)" matches any source other than the interface's own
# address, "($if:0)" translates to the interface's primary address without
# aliases, and the parentheses make pf re-read the address when it changes.
# Everything forwarded out of ext_if or vpn_if is rewritten this way.
#nat on $vpn_if from ($int_if) -> 172.29.0.22 #($vpn_if)
nat on $ext_if from !($ext_if) -> ($ext_if:0)
nat on $vpn_if from !($vpn_if) -> ($vpn_if:0)
#rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
#rdr pass on $ext_if proto tcp from to port smtp \
#	-> 127.0.0.1 port spamd
#rdr pass on $ext_if proto tcp from ! to port smtp \
#	-> 127.0.0.1 port spamd

# NOTE(review): "block in" is commented out and no other block rule is
# visible, so the implicit default (pass) applies to inbound traffic. The
# "pass in" rules below then only create state; they do not limit what
# reaches this host on $ext_if. If default-deny is intended, enable a block
# rule only after checking that every required service (ssh first, to avoid
# locking yourself out) has a matching pass rule.
#block in
pass out keep state

# "quick" ends rule evaluation on match: all traffic on loopback and on the
# internal interface is passed, in both directions and without state.
# NOTE(review): because of this, the later "pass in on $int_if" and
# "pass on $int_if proto icmp" rules appear unreachable for $int_if traffic.
pass quick on { lo $int_if }
# Antispoofing is disabled; with it off, nothing here drops packets that
# claim an internal source address but arrive on another interface.
#antispoof quick for { lo $int_if }

# SSH to the firewall's external address, from any source.
# NOTE(review): consider limiting the source addresses; confirm intent.
pass in on $ext_if proto tcp to ($ext_if) port ssh keep state
#pass in on $ext_if proto tcp to ($ext_if) port > 49151 user proxy keep state
#pass in log on $ext_if proto tcp to ($ext_if) port smtp keep state
#pass out log on $ext_if proto tcp from ($ext_if) to port smtp keep state

# allow ICMP
# No interface, direction or icmp-type is given, so every ICMP and ICMPv6
# message is passed everywhere.
pass proto icmp keep state
pass proto icmp6 keep state

# OpenVPN
# UDP ports 1194-1195 on the external address, from any source.
pass in on $ext_if proto udp to ($ext_if) port 1194:1195 keep state
pass in on $int_if keep state
# Everything arriving over the tunnel is accepted, i.e. VPN peers are
# treated as fully trusted. NOTE(review): confirm that is intended.
pass in on $vpn_if keep state
pass on $int_if proto icmp keep state