#
# This is neither a good ruleset nor a good layout.  Its only purpose is to
# show syntax highlighting with pf.vim.
#
# pf.vim can be downloaded from:
# http://www.vim.org/script.php?script_id=341
#
# Don't forget to vote to improve the script karma, which will increase
# its chances to end up in Vim proper.
#


### Variables ###
# pf macros: defined as name = value and referenced later as $name.

# Interface macros; the NAT and filter rules below refer to these, so a
# change here propagates to every rule.
ext_if = 'fxp0'         # Internet
int_if = 'fxp1'         # testlan

# Netmasks have a different color.
# NOTE(review): 60.60.60.0/26 is globally routable, not RFC 1918 space --
# fine for a highlighting demo, but a real ruleset should only use
# prefixes the site actually holds.
testlan      = "192.168.101.0/24"
testlan_real = "60.60.60.0/26"

# IPv4 and IPv6 addresses are recognized.
fw_internet     = "192.168.201.2"
fw_testlan      = "192.168.101.1"
fw_testlan_real = "60.60.60.1"

fw_testlan6 = "3FFA:B80:840::/48"
blackbox6   = "3FFA:B80:83B:2::1"

# Management hosts; expanded inside a { } list in the rules section.
# NOTE(review): the quoted value spans two lines with no backslash --
# confirm the pf parser accepts a newline inside a quoted macro, or join
# the lines, before reusing this outside the highlighting demo.
testlan_mgmt = "192.168.101.86, 192.168.101.87, 192.168.101.88/28
                192.168.101.96/29, 192.168.101.100"

# Error: forgot opening curly bracket, also works outside quotes.
# (Deliberate -- left in to show pf.vim's error highlighting.)
curly_err = "192.168.1.1, 192.168.1.2 }"


### Set ###

# Global options.  Caps the state table at 10000 entries and fragment
# reassembly buffers at 2000; once a limit is reached, packets that would
# need a new entry are dropped, so size these for the expected load
# rather than copying the demo values.
set limit states 10000, frags 2000
# Interface whose packet/byte counters are collected (pfctl -s info).
set loginterface $ext_if
# Aggressive timeouts expire idle states quickly -- lower memory use under
# load, at the cost of dropping long-idle but legitimate sessions.
set optimization aggressive
# Per-protocol state timeouts, in seconds.
set timeout tcp.closing 300, other.first 100


### NAT ###

# Use XXX or TODO inside a comment for extra attention.

# Normalize all inbound packets (fragment reassembly and similar) so the
# stateful rules below evaluate whole packets, not fragments.
scrub in all

# Translate outbound traffic from the test LAN and from $fw_internet to
# the single public address.  nat rules are evaluated before the filter
# rules and are first-match.
nat on $ext_if inet from $testlan     to any -> $fw_testlan_real
nat on $ext_if inet from $fw_internet to any -> $fw_testlan_real


### Rules ###

# Default block
# Default-deny in both directions, logged: anything not explicitly passed
# below is dropped.  Later matching rules override this, except that a
# rule carrying "quick" stops evaluation at its first match.
block in  log all
block out log all

# Loopback is trusted unconditionally.
pass in  quick on lo0 all keep state
pass out quick on lo0 all keep state

# Drop (and log) packets arriving on other interfaces that claim a source
# address from $int_if's network, then allow all IPv4 on the test LAN.
# NOTE(review): "all" on $int_if also passes traffic addressed to the
# firewall itself -- acceptable for a demo, tighten before production use.
antispoof log quick for $int_if inet
pass in  quick on $int_if inet all keep state
pass out quick on $int_if inet all keep state

# Line continuation chars.
# Outbound from the firewall and management addresses only; each { } list
# expands into one rule per protocol/address combination.
pass out quick on $ext_if proto { tcp, udp, icmp }              \
         from { $fw_internet, $fw_testlan_real, $testlan_mgmt } \
         to any keep state

# The most-well-known services are recognized.
# ssh and rsync are reachable from any Internet source; flags S/SAFR admits
# only initial SYNs (SYN set, ACK/FIN/RST clear), so state is created by
# the handshake opener only.  NOTE(review): consider narrowing "from any"
# to the management hosts if this rule is reused beyond the demo.
pass in  quick on $ext_if proto tcp \
        from any to $ext_if port { ssh, rsync } flags S/SAFR keep state