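# pf.conf for a gateway with an external interface and a wireless segment.
# pf evaluates filter rules top to bottom and the LAST matching rule decides,
# except that a rule marked "quick" ends evaluation immediately.
# NOTE(review): this file was recovered from a single collapsed line; confirm
# the line breaks below match the deployed ruleset.

# --- Macros ---
wifi_if = "wi0"
ext_if = "de0"
icmp_types = "echoreq"
# TCP ports offered on the external address (22 ssh, 80 http, 113 ident).
tcp_services = "{ 22, 80, 113 }"
# Loopback and RFC 1918 ranges that should never appear on the external side.
priv_nets = "{127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8}"

# --- Normalization ---
scrub all

# --- Translation ---
# Source-NAT the wireless network behind the external address. The
# parentheses make pf follow address changes on $ext_if.
nat on $ext_if from $wifi_if:network to any -> ($ext_if)

# Redirect FTP control connections from wireless clients to a local proxy
# (presumably ftp-proxy on 127.0.0.1:8021 -- confirm it is running).
# FIX: the interface was written as the bare word "wifi_if", which pf reads
# as a literal interface name instead of expanding the macro, so the rule
# would not match traffic arriving on wi0.
rdr on $wifi_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

# --- Filtering ---
# Default deny; everything below is an explicit exception.
block all
pass quick on lo0 all

# Anti-spoofing on the external side, both directions.
# NOTE(review): if $ext_if itself sits in one of $priv_nets (e.g. behind an
# upstream NAT), these two rules cut off the uplink -- verify.
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

# Services reachable from outside on the gateway's external address.
pass in on $ext_if inet proto tcp from any to ($ext_if) \
    port $tcp_services flags S/SA keep state

# Echo requests are accepted on every interface (no "on" clause).
pass in inet proto icmp all icmp-type $icmp_types keep state

# These two wireless passes are overridden by the later, non-quick
# "block on $wifi_if all", which matches the same packets further down.
# They only take effect again if that block is removed, at which point the
# wireless segment is open without authentication.
pass in on $wifi_if from $wifi_if:network to any keep state
pass out on $wifi_if from any to $wifi_if:network keep state

# Outbound traffic on the external interface.
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

# Author's added section (start).
# Deny everything on the wireless interface by default ...
block on $wifi_if all
# ... except SSH to the gateway's own wireless address, which is how a
# client reaches the authpf login ...
pass in quick on $wifi_if proto tcp from any to $wifi_if port = ssh keep state
# ... and DNS to the gateway. This rule has no "keep state"; replies leave
# through the "pass out quick" rule below. The resolver is reachable before
# authentication, so treat it as exposed to every host in radio range.
pass in quick on $wifi_if proto udp from any to $wifi_if port = domain
pass out quick on $wifi_if proto { tcp udp icmp } from any to $wifi_if:network keep state
# Author's added section (end).

# Per-user rules loaded by authpf are evaluated here, after the block above,
# so a non-quick pass inside the anchor wins for authenticated clients.
# NOTE(review): only filter rules are anchored; if the authpf rules ever
# carry nat/rdr statements, matching nat-anchor/rdr-anchor lines are needed.
anchor "authpf/*"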