# $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf
#
# Policy summary: default deny in both directions, stateful outbound on
# the external interface, SSH accepted inbound, WireGuard peers NATed out.
# pf applies the LAST matching rule unless a rule says "quick", so the
# order of the rules below is part of the policy.

# "egress" is the interface group that holds the default route.
ext_if = "egress"
# WireGuard tunnel interface; nothing on it is filtered (see set skip).
wg_if  = "wg0"

# Loopback is never filtered.
set skip on lo

# Normalise inbound packets and clear the don't-fragment bit.
match in scrub (no-df)

# Default deny, both directions, silently dropped; later rules open
# specific holes.
block

# Reverse-path check: discard packets whose source address is not routed
# via the interface they arrived on. "quick" makes this decision final.
block in quick from urpf-failed

# Stateful outbound on the external interface. "modulate state" rewrites
# TCP initial sequence numbers; for udp and icmp it acts as keep state.
pass out on $ext_if proto tcp from any to any modulate state
pass out on $ext_if proto udp from any to any modulate state
pass out on $ext_if proto icmp from any to any modulate state

# WireGuard: the tunnel itself is unfiltered, and traffic from the tunnel
# network is source-NATed to the external address on its way out.
# "quick" ends evaluation here for packets that match.
set skip on $wg_if
pass out quick on $ext_if from $wg_if:network to any nat-to ($ext_if)

# Inbound SSH on every interface from any source; state is kept by default.
# NOTE(review): nothing limits the source or interface here. If sshd
# should only be reachable on $ext_if, or only from known hosts, add
# "on $ext_if" and/or a source table — confirm intent.
pass in proto tcp from any to any port 22

# NOTE(review): no rule admits the WireGuard UDP listen port inbound on
# $ext_if, so with the default deny above this host can only initiate
# handshakes, not answer them. If peers connect to this host, a
# "pass in on $ext_if proto udp to port <wg-listen-port>" is needed —
# confirm which role this host plays.

# By default, do not permit remote connections to X11. "return" sends a
# reset instead of dropping, so clients fail fast.
block return in on ! lo0 proto tcp from any to any port 6000:6010

# Port build user does not need network; log whatever it attempts.
block return out log proto tcp user _pbuild
block return out log proto udp user _pbuild

# "deckard": disabled rules kept from the original for reference.
#match out on em0 from 192.168.1.0/24 to any nat-to 192.168.1.201
#pass on em0 from 192.168.1.0/24 to any
#pass in on em0 inet proto tcp to 192.168.1.201 port 444:17099 rdr-to 192.168.1.16