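# pf.conf for a NAT gateway fronting a LAN (lagg0), a jail network (lo1) and
# two ZeroTier overlay interfaces. pf evaluates filter rules last-match-wins
# unless a rule carries "quick", so the order of the filter section is load-bearing.

# Macros
protocols = "{ tcp, udp }"
# NOTE(review): not referenced by any rule. Inbound traffic to these ports on
# $extl_if is already dropped by the default deny below; kept for an explicit rule.
blocked_ports = "{ syslog, epmd, amqp, couchdb }"
tcp_services = "{ domain, http, https, rsync, 15000 }"
# NOTE(review): udp_services and dhcp are defined but not used by any rule.
udp_services = "{ domain }"
dhcp = "{ bootpc, bootps, tftp, dhcpv6-client, dhcpv6-server }"
zerotier = "{ 9993, 9994, 9995, 9996, 9997, 9998 }"

extl_if = "igb0"
local_if = "lagg0"
intl_if = "lo0"
jail_if = "lo1"
koan_if = "ztagim5o45dhe4c"
zero_if = "zt1flo98dm17np8"

internet = $extl_if:network
local_net = $local_if:network
intl_net = $intl_if:network
jail_net = $jail_if:network
zero_net = "{ fc7b:c4d6:6be2:8e50:6c98::/40 }"
koan_net = "{ fca2:927d:4de2:8e50:6c98::/40 }"

# Options
set limit { states 200000, frags 40000, src-nodes 40000 }
set timeout { adaptive.start 180000, adaptive.end 200000 }
# One "set skip" statement keeps the unfiltered interface set in one place and
# does not depend on whether this pf build accumulates repeated statements.
set skip on { $intl_if, $jail_if, $zero_if, $koan_if }

# Tables
# The table name was not present in the source as reviewed; "blocklist" is
# chosen to match the file name -- use the name the deployed file already has.
table <blocklist> persist file "/etc/pf.blocklist"

# Translation
nat on $extl_if inet from $local_net -> ($extl_if:0)
nat on $extl_if inet from $jail_net -> ($extl_if:0)
# "rdr pass" forwards and passes in one step; connections matched here are not
# evaluated against the filter rules below.
rdr pass on $extl_if proto tcp from any to any port { http https 15000 32400 } -> 172.16.1.4
rdr pass on $extl_if proto udp from any to $extl_if port { 7777 9000 } -> 172.16.1.4

# Filtering
# Default inbound deny. Every "pass in" that follows is either "quick" or bound
# to a specific interface, so this rule remains the final answer for all other
# inbound traffic on $extl_if.
block in log all
# The blocklist table was loaded but never referenced; drop listed sources
# before any service rule can admit them.
block in log quick on $extl_if from <blocklist> to any
pass in log quick on $extl_if proto tcp from any to any port { http https 32400 }
pass in quick on $extl_if proto $protocols from any to any port $zerotier
pass in quick on $extl_if inet proto icmp from any to any
pass in quick on $extl_if proto tcp from any to any port { http https domain }
pass in quick on $extl_if proto tcp from any to $extl_if port $tcp_services
# The original file ended with "pass in all". Being the last matching rule and
# not "quick", it overrode "block in log all" and admitted every inbound packet
# on $extl_if. The catch-all is limited to the LAN interface instead.
pass in on $local_if all
pass out all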