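# $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf
#
# Policy: stateless traffic is rejected, inbound is closed unless a rule
# below opens it, outbound is open. pf applies the LAST matching rule, so
# every block that must not be undone by a later pass carries "quick".

ext_if = "em0"
ext_ip = "192.168.1.16"    # not referenced by any rule below
wg_if = "wg0"
wg_port = "55555"
as_if = "{" $wg_if lo "}"  # only used by the commented-out antispoof below

# Loopback is trusted: no rules are evaluated on it.
set skip on lo

# Normalise inbound packets on the external interface. The max-mss clamp is
# presumably sized for tunnel overhead on forwarded WireGuard traffic — confirm.
match in on $ext_if scrub (no-df random-id max-mss 1440)

#antispoof for $as_if
antispoof for lo

# Default deny for stateless traffic. This replaces an unconditional "pass in"
# that made the inbound policy default-allow and, being the last match,
# overrode the non-quick no-route/urpf-failed blocks below.
block return

# Drop spoofed and unroutable sources early; "quick" so no later pass rule
# can override the decision.
block in quick from no-route to any
block in quick from urpf-failed to any
block in quick on $ext_if from any to 255.255.255.255

# Host blocklist loaded from a file, presumably maintained by an external
# updater. NOTE(review): the table name was missing from the copy under
# review; <badhosts> is a placeholder — restore the name the updater uses.
table <badhosts> persist file "/etc/pf-badhost.txt"
block drop in quick on egress from <badhosts>
block return out quick on egress to <badhosts>

# SSH is reachable only from the network attached to $ext_if.
pass quick log on $ext_if proto tcp from $ext_if:network to any port ssh label "SSH"

# Outbound is open (keep state is implicit); TCP additionally gets
# randomised initial sequence numbers.
pass out from any to any
pass out proto tcp from any to any modulate state

# wireguard
# open wireguard port
pass in on $ext_if proto udp from any to any port $wg_port
# allow communication between wireguard peers
pass on $wg_if
# allow clients connected to wg0 to tunnel their outside world traffic
pass out on $ext_if inet from ($wg_if:network) nat-to ($ext_if:0)

# allow dns from local hosts
pass in proto udp from $ext_if:network to any port domain

# By default, do not permit remote connections to X11
block in on ! lo0 proto tcp to port 6000:6010

# Port build user does not need network
block return out log proto {tcp udp} user _pbuild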