# Options
set skip on lo

# Macros and Tables
table <abusive_hosts> persist
{% if firewall_whitelist_enable %}
table <whitelist> persist file "/etc/pf.whitelist"
{% endif %}
table <pfbadhost> persist file "/etc/pf-badhost.txt"
{% if firewall_tcp_services|length > 1 %}
tcp_in = "{ {% for port in firewall_tcp_services  %} {{ port }} {% endfor %} }"
{% endif %}

{% if firewall_udp_services|length > 1 %}
udp_in = "{ {% for port in firewall_udp_services  %} {{ port }} {% endfor %} }"
{% endif %}

{% if firewall_whitelist_enable %}
pass in quick from <whitelist>
{% endif %}
block in quick on egress from <pfbadhost>
block out quick on egress to <pfbadhost>

# Quick rules
pass in quick proto tcp to port ssh flags S/SA keep state \
    (max-src-conn {{ firewall_max_ssh_src_conn }}, \
    max-src-conn-rate {{ firewall_max_ssh_src_conn_rate }}, \
    overload <abusive_hosts> flush)
    
pass in quick inet proto icmp icmp-type echoreq

# Ruleset
block log
pass out on egress
block in quick log from <abusive_hosts> 

{% if firewall_tcp_services|length > 1 %}
pass in proto tcp to port $tcp_in flags S/SA keep state \
    (max-src-conn {{ firewall_max_tcp_src_conn }}, \
    max-src-conn-rate {{ firewall_max_tcp_src_conn_rate }}, \
    overload <abusive_hosts> flush)
{% endif %}

{% if firewall_udp_services|length > 1 %}
pass in proto udp to port $udp_in 
{% endif %}

# Ansible Ruleset
anchor ansible
load anchor ansible from "/etc/anchors/ansible"

# Custom Rules
anchor custom
load anchor custom from "/etc/anchors/custom"