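# pf.conf — packet filter rules for a small OpenBSD host (SSH, web, mail, XMPP).
# Loaded by pfctl(8); grammar in pf.conf(5).  The last matching rule wins
# unless it carries "quick".
#
# NOTE(review): the extracted source had lost the "<name>" part of every table
# reference.  <badhosts> and <sshguard> are restored from the header comment
# ("Filtres badhosts et sshguard"); the third table's name is not recoverable
# and is left as the placeholder <BRUTEFORCE_TABLE> — replace it with the real
# name in all five places.  Confirm the table-to-rule mapping against the
# original file.

## Macros ##
web_ports = "{ http https }"
mail_ports = "{ smtp submission imap }"
xmpp_ports = "{ 5222 5269 }"
ssh_port = "42420"

## Tables ##
# externally maintained bad-host list, loaded from the file at rule load
table <badhosts> persist file "/etc/pf-badhost.txt"
# populated by sshguard
table <sshguard> persist
# populated by the overload rules below (brute-forcers)
table <BRUTEFORCE_TABLE> persist

## Options ##
# drop blocked packets silently (no RST / ICMP unreachable)
set block-policy drop
# loopback traffic is not filtered at all
set skip on lo
set limit table-entries 400000
set limit states 100000

## Packet normalization ##
# clamp MSS, clear DF, randomize IP ids, reassemble TCP segments
match all scrub (max-mss 1440 no-df random-id reassemble tcp)

## Anti-spoofing ##
# drop packets whose source address cannot legitimately arrive on the interface
antispoof quick for egress
antispoof quick for lo0

## Default policy and blacklists ##
# deny everything not explicitly allowed below
block
# external bad-host list: never reaches the pass rules
block quick on egress from <badhosts>
# hosts banned by sshguard.  "quick" is required here: without it the later
# "pass in ... to port $ssh_port" rule matched last and let banned hosts in.
block in quick from <sshguard>
# hosts that tripped an overload rule below
block log quick from <BRUTEFORCE_TABLE> label "brutes"

## Outbound ##
pass out on egress proto { tcp udp icmp ipv6-icmp } modulate state

## Inbound services with brute-force protection ##
# Sources exceeding a limit are added to <BRUTEFORCE_TABLE> and all their
# states are flushed.  max-src-conn-rate is "connections/seconds".

### SSH
# at most 5 simultaneous connections per source IP;
# at most 15 new connections per 5 minutes (300 s) per source IP.
# The source had 15/5, i.e. 15 per 5 *seconds*, which did not implement the
# "15 attempts every 5 minutes" policy its own comment stated.
pass in on egress proto tcp to port $ssh_port modulate state \
    (max-src-conn 5, max-src-conn-rate 15/300, overload <BRUTEFORCE_TABLE> flush global)

### Web
# at most 60 simultaneous connections and 60 new connections per second per source
pass in on egress proto tcp to port $web_ports modulate state \
    (max-src-conn 60, max-src-conn-rate 60/1, overload <BRUTEFORCE_TABLE> flush global)

### Mail
# anti-spam: at most 20 new connections per 5 seconds per source
pass in on egress proto tcp to port $mail_ports modulate state \
    (max-src-conn-rate 20/5, overload <BRUTEFORCE_TABLE> flush global)
# antispam: log every outbound SMTP connection to pflog
pass out log on egress proto tcp to any port smtp

### XMPP
# at most 15 simultaneous connections and 15 new connections per 5 seconds per source
pass in on egress proto tcp to port $xmpp_ports modulate state \
    (max-src-conn 15, max-src-conn-rate 15/5, overload <BRUTEFORCE_TABLE> flush global)

## Ports build user ##
# _pbuild needs no network.  Kept as the LAST rule on purpose: in the source
# it preceded "block" and "pass out", both of which matched last and silently
# overrode it, so the restriction never took effect.
block return out log proto { tcp udp } user _pbuild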