Sample PF for Stable

Here's a sample /etc/pf.conf for stable servers (do NOT use this for shell servers):

ExtIf = "vio0"
IP4 = "10.0.0.1"
IntIP4 = "192.168.0.1"
IP6 = "2001:db8::/80"
FlushUDP = "max-pkt-rate 10000/10 keep state (max 1000, source-track rule, max-src-nodes
 200, max-src-states 200)"
Flush = "keep state (max 1000, source-track rule, max-src-nodes 200, max-src-conn-rate 5
00/10 overload <badhosts> flush global)"
FlushStrict = "keep state (max 100, source-track rule, max-src-nodes 20, max-src-conn-ra
te 50/10 overload <badhosts> flush global)"

set skip on lo0
set loginterface $ExtIf
set ruleset-optimization profile
set syncookies adaptive (start 25%, end 12%)

table <ilines> persist file "/etc/pf/ilines"
table <badhosts> persist file "/etc/pf/badhosts"

# udp and icmp
block in log quick from <badhosts>
pass in log quick proto udp to {$IP4 $IP6} port domain $FlushUDP
pass in log quick proto udp to {$IP4 $IP6} port ntp $FlushUDP
pass in log quick proto udp to {$IP4 $IP6} port {isakmp ipsec-nat-t} $FlushUDP
block in log quick proto udp to {$IP4 $IP6}
block in log quick from urpf-failed
match in log all scrub (no-df random-id max-mss 1440)
pass in log quick on $ExtIf inet proto icmp icmp-type 8 code 0 $FlushUDP # icmp packets
pass in log quick on $ExtIf inet proto icmp icmp-type 3 code 4 $FlushUDP # icmp needfrag
 (MTU)
pass in log quick on $ExtIf proto ipv6-icmp $FlushUDP
# tcp
pass in log quick proto tcp to {$IP4 $IP6} port domain $Flush
pass in log quick proto tcp to {$IP4 $IP6} port auth $Flush
pass in log quick proto tcp to {$IP4 $IP6} port {smtp submission smtps imap imaps pop3 p
op3s} $Flush
pass in log quick proto tcp to {$IP4 $IP6} port {gopher http https} $Flush
pass in log quick proto tcp from <ilines> to {$IP4 $IP6} port { 6660:6669 6697 6997 7000
 9999 16667 16697 } #irc
pass in log quick proto tcp to {$IP4 $IP6} port { 6660:6669 6697 6997 7000 9999 16667 16
697 } $Flush #irc
pass in log quick proto tcp to {$IP4 $IP6} port { 1314 21314 1337 31337 } $Flush #bnc
pass in log quick proto tcp to {$IP4 $IP6} port 29173 $Flush #wraith
pass in log quick proto tcp to {$IP4 $IntIP4 $IP6} port ssh $FlushStrict

# road warrior vpn
pass in log inet proto udp to {$IP4 $IP6} port {isakmp, ipsec-nat-t} tag IKED
pass in log inet proto esp to {$IP4 $IP6} tag IKED
pass log on enc0 inet tagged ROADW
match out log on $ExtIf inet tagged ROADW nat-to $IP4
match in log quick on enc0 inet proto { tcp, udp } to port 53 rdr-to 127.0.0.1 port 53

block in log all
block out log on $IntIP4
pass out quick from {$IP4 $IP6} # allow non-spoofed packets
pass out quick proto tcp from $IntIP4 to port ssh
pass out quick proto {udp tcp} from $IntIP4 to port {domain}
pass out quick inet proto icmp from $IntIP4 # allow ICMP

You will then need to create a folder:

$ doas mkdir /etc/pf/

Then, add the list of ilines to /etc/pf/ilines.

198.251.89.130
198.251.83.183
209.141.39.184
209.141.39.228
198.251.84.240
198.251.80.229
198.251.81.119
209.141.39.173
198.251.89.91
198.251.81.44
209.141.38.137
198.251.81.133
2605:6400:0030:f8de::/64
2605:6400:0010:071b::/64
2605:6400:0020:0434::/64
2605:6400:0020:00b4::/64
2605:6400:0010:05bf::/64
2605:6400:0030:fc15::/64
2605:6400:0020:1290::/64
2605:6400:0020:0bb8::/64
2605:6400:0030:faa1::/64
2605:6400:0010:069d::/64
2605:6400:0020:05cc::/64
2605:6400:0010:00fe::/64

Afterwards, any badhosts can be added to /etc/pf/badhosts.

To load the new configuration:

$ doas pfctl -f /etc/pf.conf

See Also

PF GuideDDoS Filtering Guidetcpdump