PF (pf.conf)
Configuração do firewall PF para OpenBSD
Categoria: Segurança
Software: PF
Por: Braulio Gomes Rodrigues
Esta é a configuração de um script de firewall usando o PF para OpenBSD, com NAT, redirecionamento de portas, controle de banda (ALTQ/CBQ) e filtros.
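# Macros
#-----------------------------
int_int="rl0"          # internal (LAN) interface
int_ext="rl1"          # external (Internet) interface
# LAN prefix. Without a mask PF reads this as the single host 192.168.10.0,
# so the NAT rule below would have matched nothing useful.
rede="192.168.10.0/24"
PING = "echoreq"
TCP_IN = "{ ssh, ftp, 20, 21, 443 }"
#UDP_IN = "{ }"
TCP_OUT = "{ ssh, 20, 21, ftp, 443, http, ntp, 8080, 5999 }"
UDP_OUT = "{ domain, ntp }"
# Ports forwarded unchanged to $server2 (one rdr per protocol instead of one per port).
RDR_TCP = "{ 8080, 6667, 6891, 6893, 6900, 5900, 1213, 1214, 1832, 3094, 3622 }"
RDR_UDP = "{ 1213, 1214, 1832, 3094, 3622 }"
# Ports accepted inbound on $int_ext for TCP and UDP (was one rule per port).
# Note: 5900 is redirected above but not listed here, so it stays blocked, and
# 2216 is listed here but not redirected -- verify both are intended.
PORTS_IN = "{ 22, 21, 20, 25, 53, 80, 443, 110, 8080, 6667, 6891, 6893, 6900, 1213, 1214, 1832, 3094, 3622, 2216 }"
# Link
down="2.5Mb"
uplo="2.5Mb"
server2="192.168.10.10"
server1="127.0.0.1"
#----------------------------------------------------------------------------
# Tables of internal hosts, one per bandwidth class
table <baixa> { 192.168.10.1, 192.168.10.5, 192.168.10.12, 192.168.10.17, 192.168.10.21, 192.168.10.23, 192.168.10.30, 192.168.10.38, 192.168.10.42 }
table <bmedia> { }
table <media> { }
table <alta> { 192.168.10.10, 192.168.10.27, 192.168.10.11 }
table <center> { 192.168.254.0/24 }
# Options and packet normalisation
#----------------------------------------
set timeout { tcp.first 60 tcp.opening 15 tcp.established 86400 \
tcp.closing 300 tcp.finwait 15 tcp.closed 15 }
set timeout { udp.first 30 udp.single 15 udp.multiple 30 }
set timeout { icmp.first 10 icmp.error 5 }
set timeout { other.first 30 other.single 15 other.multiple 30 }
set timeout { frag 30 interval 10 }
set limit { states 50000 frags 25000 }
set optimization aggressive
# Only one loginterface is honoured. The original set it three times and the
# last assignment ($int_ext) won, so keep just that one.
set loginterface $int_ext
set block-policy return
set require-order yes
scrub all fragment reassemble random-id no-df
# Queueing
#------------------------------------------------
# Upload: shapes traffic leaving on the external interface.
altq on $int_ext cbq bandwidth $uplo queue { baixa bmedia media alta center }
queue baixa bandwidth 128Kb cbq(default)
queue bmedia bandwidth 128Kb priority 1
queue media bandwidth 200Kb priority 2
queue alta bandwidth 350Kb priority 3
queue center bandwidth 512Kb priority 4
# Download: shapes traffic leaving on the INTERNAL interface toward the LAN.
# An interface carries only one altq definition, so this must not be declared
# on $int_ext a second time as the original did.
altq on $int_int cbq bandwidth $down queue { baixa_in bmedia_in media_in alta_in center_in }
queue baixa_in bandwidth 200Kb cbq(default)
queue bmedia_in bandwidth 200Kb priority 1
queue media_in bandwidth 300Kb priority 2
queue alta_in bandwidth 512Kb priority 3
queue center_in bandwidth 768Kb priority 4
# NAT
# All <baixa>/<bmedia>/<media>/<alta> entries lie inside $rede, so one rule
# covers them. <center> (192.168.254.0/24) is outside $rede and needs its own
# rule; it must translate to the EXTERNAL address (the original used $int_int).
nat on $int_ext from $rede to any -> $int_ext
nat on $int_ext from <center> to any -> $int_ext
# Redirection
#--------------------------------
# No target port means the destination port is kept.
rdr on $int_ext proto tcp from any to any port $RDR_TCP -> $server2
rdr on $int_ext proto udp from any to any port $RDR_UDP -> $server2
# LAN FTP control connections go to the local ftp-proxy on port 8021. The
# original pointed at the undefined macro $lo, which pfctl rejects (and a
# ruleset with one error does not load at all); the proxy lives on 127.0.0.1,
# which is $server1.
rdr on $int_int proto tcp from any to any port 21 -> $server1 port 8021
#rdr on $int_int proto tcp from any to any port 80 -> $server1 port 3128
#rdr on $int_int proto udp from any to any port 80 -> $server1 port 3128
# Filtering
# Default deny inbound on the external interface (outbound is not blocked anywhere)
block in log on $int_ext from any to any
# Anti-spoofing on both interfaces. Without $int_int here, a packet arriving
# on $int_ext with a forged 192.168.10.0/24 source is not rejected and can
# reach the queue-assignment pass rules further down.
antispoof for { $int_ext $int_int } inet
# Drop packets whose OS fingerprint matches nmap
block drop in quick on { $int_ext } from any os { NMAP }
# Block IPv6 entirely. This rule is quick and precedes the lo0 rule, so ::1 on
# lo0 is blocked as well.
block log quick inet6
# Loopback
pass quick on lo0 all
# ICMP echo to and from the firewall itself; replies are matched by state.
# The original also had unrestricted "pass ... icmp-type 8 code 0" rules in
# both directions; outbound on $int_ext is never blocked, and inbound ping to
# the firewall is covered by the $PING rule below, so they were dropped.
#INCOMING
#TCP
pass in quick on $int_ext inet proto tcp from any to $int_ext port $TCP_IN flags S/SA keep state
#UDP
#pass in quick on $int_ext inet proto udp from any to $int_ext port $UDP_IN keep state
#PING
pass in quick on $int_ext inet proto icmp from any to $int_ext icmp-type $PING keep state
# Ports opened inbound for TCP and UDP. The rdr rules rewrite the destination
# to $server2 before this is evaluated. "keep state" is explicit so the rule
# does not depend on the PF version's default. The destination stays "any" as
# in the original; narrowing it to $int_ext / $server2 would be tighter.
pass in on $int_ext inet proto { tcp udp } from any to any port $PORTS_IN keep state
# Active-mode FTP data connections opened by ftp-proxy
pass in on $int_ext inet proto tcp from port 20 to ($int_ext) user proxy flags S/SA keep state
#OUTGOING
#EXTERNAL INTERFACE
#TCP
pass out quick on $int_ext inet proto tcp from $int_ext to any port $TCP_OUT flags S/SA keep state
#UDP
pass out quick on $int_ext inet proto udp from $int_ext to any port $UDP_OUT keep state
#ICMP
pass out quick on $int_ext inet proto icmp from $int_ext to any icmp-type $PING keep state
# Queue assignment for LAN hosts
# The original placed these rules on $int_ext with LAN sources, which can only
# match spoofed packets on the external side, and its last five rules used
# undefined macros ($baixa, $bmedia, ...) that make pfctl reject the file. LAN
# traffic enters on $int_int, so the upload queues (defined on $int_ext) are
# assigned here on the inbound rule that creates the state.
pass in log on $int_int from <baixa> to any keep state queue baixa
pass in log on $int_int from <bmedia> to any keep state queue bmedia
pass in log on $int_int from <media> to any keep state queue media
pass in log on $int_int from <alta> to any keep state queue alta
pass in log on $int_int from <center> to any keep state queue center
# NOTE(review): no rule assigns the *_in download queues. Replies to these
# states carry the upload queue name, which does not exist on $int_int, so
# downloads fall into the cbq default (baixa_in) and are only capped at $down
# in total. Per-class download shaping needs a different queue layout -- confirm.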