Net_iface= "tun0"
Int_iface= "em0"
Loop= "lo0"
 
gw= "10.0.0.1"
 
Int_Net= "10.0.0.0/24"
 
No_route= "{ 127.0.0.1/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 255.255.255.255/32 }"
 
ServicesTCP= "22"
ServicesUDP= "6667"
 
#--- OPTIONS ---------------------------------------------
 
# On souhaite pouvoir réaliser des statistiques
# sur l' interface tun0.
set loginterface tun0
 
# On limite le nombre d' entrées dans les tables de suivi
# de connexion et dans celle de normalisation.
set limit { states 10000, frags 5000 }
 
set optimization aggressive
set block-policy drop
 
 
#--- NORMALISATION -----------------------------------------
scrub in all
 
#--- REGLES DE TRANSLATION D' ADRESSES ---------------------
nat on tun0 from $Int_Net to any -> $Net_iface
 
#--- REGLES DE FILTRAGE ------------------------------------
 
# Politique par défaut.
block in  log all
block out log all
 
 
antispoof for $Net_iface
 
# Règles pour LoOpback
antispoof for $Loop
pass in  quick on $Loop all
pass out quick on $Loop all
 
# Lan
pass in  quick on $Int_iface all
pass out quick on $Int_iface all
 
 
# On bloque les scans nmap et les tentatives  
# de prise d' empreinte de pile tcp/ip.
block in log quick on $Net_iface inet proto tcp from any to any flags FUP/FUP
block in log quick on $Net_iface inet proto tcp from any to any flags SF/SFRA
block in log quick on $Net_iface inet proto tcp from any to any flags /SFRA
 
# On bloque les adresses non routables.
block in  log quick on $Net_iface from $No_route to any
block out log quick on $Net_iface from any to $No_route
 
 
# Serveur WEB:  
#pass in quick on $Net_iface proto tcp from any to any port = 80 flags S/SA #keep state  
# Serveur SSH:
#pass in quick on $Net_iface proto tcp from any to any port = 22 flags S/SA #keep state
# Icmp:
pass  in quick on $Net_iface inet proto icmp all icmp-type 8 code 0 keep state
pass  in quick on $Net_iface inet proto icmp all icmp-type 11 keep state
block in log quick on $Net_iface proto icmp from any to any  
 
 
pass out quick on $Net_iface inet proto tcp flags S/SA keep state
pass out quick on $Net_iface inet proto udp all keep state
pass out quick on $Net_iface inet proto icmp keep state  

scrub in all fragment reassemble
block drop in log all
block drop out log all
block drop in on ! tun0 inet from 212.194.141.130 to any
block drop in inet from 212.194.141.130 to any
block drop in on ! lo0 inet from 127.0.0.0/8 to any
block drop in on ! lo0 inet6 from ::1 to any
pass in quick on lo0 all
pass out quick on lo0 all
pass in quick on em0 all
pass out quick on em0 all
block drop in log quick on tun0 inet proto tcp all flags FPU/FPU
block drop in log quick on tun0 inet proto tcp all flags FS/FSRA
block drop in log quick on tun0 inet proto tcp all flags /FSRA
block drop in log quick on tun0 inet from 127.0.0.0/8 to any
block drop in log quick on tun0 inet from 192.168.0.0/16 to any
block drop in log quick on tun0 inet from 172.16.0.0/12 to any
block drop in log quick on tun0 inet from 10.0.0.0/8 to any
block drop in log quick on tun0 inet from 255.255.255.255 to any
block drop out log quick on tun0 inet from any to 127.0.0.0/8
block drop out log quick on tun0 inet from any to 192.168.0.0/16
block drop out log quick on tun0 inet from any to 172.16.0.0/12
block drop out log quick on tun0 inet from any to 10.0.0.0/8
block drop out log quick on tun0 inet from any to 255.255.255.255
block drop in quick on tun0 inet proto tcp from any to any port = epmap
block drop in quick on tun0 inet proto udp from any to any port 135 >< 139
pass in quick on tun0 inet proto icmp all icmp-type echoreq code 0 keep state
pass in quick on tun0 inet proto icmp all icmp-type timex keep state
block drop in log quick on tun0 proto icmp all
pass out quick on tun0 inet proto tcp all flags S/SA keep state
pass out quick on tun0 inet proto udp all keep state
pass out quick on tun0 inet proto icmp all keep state