@2bithacker
Created February 18, 2016 21:29
outside="{ em0.900 gif0 }"
vpn="{ gre0 gre1 }"
trust="em0"
untrust="em0.1003"
hev6_end="184.105.253.10"
sumo="172.20.10.32"
sumo6="2001:470:b896::32"
voip="172.20.10.34"
voipms="74.54.54.178"
table <sshguard> persist
table <bogon> persist file '/usr/local/etc/bogon-bn-agg.txt'
table <drones> persist file "/usr/local/etc/drones.txt"
set skip on lo
scrub in
nat on em0.900 inet from !(em0.900) -> (em0.900:0)
# for voip.ms
rdr on em0.900 inet proto udp from $voipms to port { 5060 10000:20000 } tag REDIR -> $voip
block log all
block in log quick on $outside from <bogon>
block in log quick on $outside from <sshguard>
pass quick proto icmp6
pass quick inet6 proto udp from any to (em0.900) port 546
antispoof log quick for lo
antispoof log quick for $trust
antispoof log quick for $untrust
antispoof log quick for $outside
# Allow in some local destined services
pass in on $outside inet proto icmp icmp-type { echoreq echorep unreach squench timex } tag ALLOW
pass in on $outside proto ipv6 from $hev6_end tag ALLOW
pass in on $outside tagged REDIR
pass in on $outside proto tcp to port ssh tag ALLOW
pass in on $outside proto { tcp udp } to port 655 tag ALLOW
pass in on $outside proto tcp to $sumo6 port 7650:7700 tag ALLOW
# incoming ike and esp
pass in on $outside proto udp from <drones> to any port isakmp tag ALLOW
pass in on $outside proto esp from <drones> tag ALLOW
# Classify incoming traffic
pass in quick on $vpn tag VPN
pass in quick on $trust tag TRUST
pass in log quick on $untrust tag UNTRUST
# Allow traffic out from internal nets
pass out quick on $outside
# Allow trusted areas to talk to each other, and let redirected traffic in
pass out quick on $trust tagged ALLOW
pass out quick on $trust tagged TRUST
pass out quick on $trust tagged REDIR
pass out quick on $trust tagged VPN
# Let the routers talk into the trusted space
pass out quick on em0 from em0
pass out quick on tun0 from (tun0)
pass out quick on em0.1003 from (em0.1003)
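The ruleset above relies on pf tags to classify traffic: each `pass in` rule on an interface sets a tag, and only `pass out ... tagged X` rules on $trust let tagged packets reach the trusted network. The isolation of the untrusted VLAN therefore rests on the fact that no rule ever consumes the UNTRUST tag. The following script is an added example, not part of the gist, that audits a pf.conf for that pattern: it expands the interface macros, records on which interfaces each tag is set (`tag`) and matched (`tagged`), and reports tags that are set but never matched (dangling) or matched but never set. The embedded configuration is a constructed excerpt of the rules above, so it runs offline; the parser only handles the macro, `rdr`, `pass` and `block` forms used here and is not a general pf.conf parser.

```python
import re
from collections import defaultdict

# Constructed excerpt of the gist's ruleset (macros plus the tag-relevant rules),
# embedded inline so the audit runs without a live pf host.
PF_CONF = """\
outside="{ em0.900 gif0 }"
vpn="{ gre0 gre1 }"
trust="em0"
untrust="em0.1003"
block log all
rdr on em0.900 inet proto udp from $voipms to port { 5060 10000:20000 } tag REDIR -> $voip
pass in on $outside inet proto icmp icmp-type { echoreq echorep unreach squench timex } tag ALLOW
pass in on $outside tagged REDIR
pass in on $outside proto tcp to port ssh tag ALLOW
pass in quick on $vpn tag VPN
pass in quick on $trust tag TRUST
pass in log quick on $untrust tag UNTRUST
pass out quick on $outside
pass out quick on $trust tagged ALLOW
pass out quick on $trust tagged TRUST
pass out quick on $trust tagged REDIR
pass out quick on $trust tagged VPN
"""

# name="value" or name="{ a b c }" (the only macro forms used in this ruleset)
MACRO_RE = re.compile(r'^(\w+)\s*=\s*"?\{?\s*([^"}]*?)\s*\}?"?$')
ON_RE = re.compile(r"\bon\s+(\S+)")        # interface the rule applies to
TAG_RE = re.compile(r"\btag\s+(\S+)")      # tag set by the rule
TAGGED_RE = re.compile(r"\btagged\s+(\S+)")  # tag the rule matches on


def parse_macros(conf):
    """Return {macro_name: [values]} for the macro definitions in conf."""
    macros = {}
    for line in conf.splitlines():
        m = MACRO_RE.match(line.strip())
        if m:
            macros[m.group(1)] = m.group(2).split()
    return macros


def interfaces_of(rule, macros):
    """Interfaces a rule applies to, expanding a $macro; 'any' when no 'on' clause."""
    m = ON_RE.search(rule)
    if not m:
        return {"any"}
    name = m.group(1)
    if name.startswith("$"):
        return set(macros.get(name[1:], [name]))
    return {name}


def tag_usage(conf, macros):
    """Map each tag to the interfaces where it is set and where it is matched."""
    set_on = defaultdict(set)
    used_on = defaultdict(set)
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line.startswith(("pass", "block", "match", "rdr", "nat")):
            continue                                  # macros, tables, options
        ifaces = interfaces_of(line, macros)
        for tag in TAG_RE.findall(line):
            set_on[tag] |= ifaces
        for tag in TAGGED_RE.findall(line):
            used_on[tag] |= ifaces
    return set_on, used_on


def audit_tags(conf):
    """Return (dangling, unset): tags set but never matched, and matched but never set."""
    macros = parse_macros(conf)
    set_on, used_on = tag_usage(conf, macros)
    dangling = sorted(set(set_on) - set(used_on))
    unset = sorted(set(used_on) - set(set_on))
    return dangling, unset


if __name__ == "__main__":
    macros = parse_macros(PF_CONF)
    set_on, used_on = tag_usage(PF_CONF, macros)
    for tag in sorted(set(set_on) | set(used_on)):
        print(f"{tag:8} set on {sorted(set_on[tag])}  matched on {sorted(used_on[tag])}")
    dangling, unset = audit_tags(PF_CONF)
    print("set but never matched:", dangling)   # ['UNTRUST']
    print("matched but never set:", unset)      # []
```

For this ruleset the audit reports UNTRUST as the one dangling tag, which is the intended design: packets from em0.1003 can only leave through the untagged `pass out quick on $outside` rule and are dropped by `block log all` towards $trust. Running the same audit after every edit catches the two mistakes that silently break this model: adding a `pass out on $trust tagged UNTRUST` rule, which would bridge the guest VLAN into the trusted network, and a typo in a tag name, which shows up as a tag that is matched but never set (or set but never matched) and leaves legitimate traffic blocked.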