Basic FreeBSD PF firewall for web server - /etc/pf.conf

## pf.conf
# vim: set ft=pf
# /etc/pf.conf

ext_if="vtnet0"

webports = "{http, https}"
int_tcp_services = "{domain, ntp, smtp, www, https, ftp}"
int_udp_services = "{domain, ntp}"

set skip on lo
set loginterface $ext_if

# Normalization
scrub in all random-id fragment reassemble

block return in log all
block out all

antispoof quick for $ext_if

# Block 'rapid-fire brute force attempts
table <bruteforce> persist
block quick from <bruteforce>

# ftp-proxy needs to have an anchor
anchor "ftp-proxy/*"

# SSH is listening on port 26
pass in quick proto tcp to $ext_if port 26 keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)

# Webserver
pass proto tcp from any to $ext_if port $webports

# Allow essential outgoing traffic
pass out quick on $ext_if proto tcp to any port $int_tcp_services
pass out quick on $ext_if proto udp to any port $int_udp_services
	# vim: set ft=pf
	# /etc/pf.conf

	ext_if="vtnet0"

	webports = "{http, https}"
	int_tcp_services = "{domain, ntp, smtp, www, https, ftp}"
	int_udp_services = "{domain, ntp}"

	set skip on lo
	set loginterface $ext_if

	# Normalization
	scrub in all random-id fragment reassemble

	block return in log all
	block out all

	antispoof quick for $ext_if

	# Block 'rapid-fire brute force attempts
	table <bruteforce> persist
	block quick from <bruteforce>

	# ftp-proxy needs to have an anchor
	anchor "ftp-proxy/*"

	# SSH is listening on port 26
	pass in quick proto tcp to $ext_if port 26 keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)

	# Webserver
	pass proto tcp from any to $ext_if port $webports

	# Allow essential outgoing traffic
	pass out quick on $ext_if proto tcp to any port $int_tcp_services
	pass out quick on $ext_if proto udp to any port $int_udp_services