kylejohnson/pf.conf

## pf.conf
int_if="fxp0"
ext_if="vr0"
camera_fd="192.168.11.20"
xbox_live_tcp_ports = "{ 53, 80, 3074 }"
xbox_live_udp_ports = "{ 53, 88, 500, 3074, 3544, 4500, 8083, 1780, 49164 }"
xbox = "192.168.11.5"

# options
set block-policy return
set loginterface egress
set skip on lo0

# Match traffic headed out on egress from not egress
match out log on egress from  $xbox to any nat-to ($ext_if:0) static-port
match out log on egress from !$xbox to any nat-to ($ext_if:0) port 1024:65535

# Block all packets in - even from the LAN
block in log

# Allow all packets out
pass out quick

# Spoofed address protection
antispoof quick for { lo $int_if }

# Allow SSH into the firewall
pass in on egress inet proto tcp from any to (egress) port ssh
# OpenVPN
pass in on egress inet proto udp from any to (egress) port 1194

# Port forwarding #
# Camera - Front Door
pass in on egress inet proto tcp to (egress) port 8080 rdr-to { $camera_fd } port 80
# rTorrent
pass in on egress inet proto tcp to (egress) port 49164:49164 rdr-to usenet01.gnulnx.home
# XBOX
#pass in log on egress inet proto { tcp, udp } from any to (egress) port $xbox_live_udp_ports rdr-to $xbox
#pass in log on egress inet proto { tcp, udp } from any to (egress) port $xbox_live_tcp_ports rdr-to $xbox
pass in quick on egress proto tcp from any to (egress) port $xbox_live_tcp_ports keep state rdr-to $xbox
pass in quick on egress proto udp from any to (egress) port $xbox_live_udp_ports keep state rdr-to $xbox
# Port forwarding #

# Allow ping
pass in inet proto icmp all icmp-type echoreq

# Allow traffic out to the internet
pass in on $int_if

# Allow OpenVPN traffic
pass in on tun0
	int_if="fxp0"
	ext_if="vr0"
	camera_fd="192.168.11.20"
	xbox_live_tcp_ports = "{ 53, 80, 3074 }"
	xbox_live_udp_ports = "{ 53, 88, 500, 3074, 3544, 4500, 8083, 1780, 49164 }"
	xbox = "192.168.11.5"

	# options
	set block-policy return
	set loginterface egress
	set skip on lo0

	# Match traffic headed out on egress from not egress
	match out log on egress from $xbox to any nat-to ($ext_if:0) static-port
	match out log on egress from !$xbox to any nat-to ($ext_if:0) port 1024:65535

	# Block all packets in - even from the LAN
	block in log

	# Allow all packets out
	pass out quick

	# Spoofed address protection
	antispoof quick for { lo $int_if }

	# Allow SSH into the firewall
	pass in on egress inet proto tcp from any to (egress) port ssh
	# OpenVPN
	pass in on egress inet proto udp from any to (egress) port 1194

	# Port forwarding #
	# Camera - Front Door
	pass in on egress inet proto tcp to (egress) port 8080 rdr-to { $camera_fd } port 80
	# rTorrent
	pass in on egress inet proto tcp to (egress) port 49164:49164 rdr-to usenet01.gnulnx.home
	# XBOX
	#pass in log on egress inet proto { tcp, udp } from any to (egress) port $xbox_live_udp_ports rdr-to $xbox
	#pass in log on egress inet proto { tcp, udp } from any to (egress) port $xbox_live_tcp_ports rdr-to $xbox
	pass in quick on egress proto tcp from any to (egress) port $xbox_live_tcp_ports keep state rdr-to $xbox
	pass in quick on egress proto udp from any to (egress) port $xbox_live_udp_ports keep state rdr-to $xbox
	# Port forwarding #

	# Allow ping
	pass in inet proto icmp all icmp-type echoreq

	# Allow traffic out to the internet
	pass in on $int_if

	# Allow OpenVPN traffic
	pass in on tun0