FreeBSD

#!/bin/sh
cmd="/sbin/ipfw -q"
wan_if="em0"

$cmd flush
$cmd pipe flush

$cmd allow ip from any to any via lo0
$cmd add check-state

$cmd add reset tcp from any to any established

# allow HTTP traffic
$cmd add allow tcp from any to me 80 setup in keep-state

# allow FTP
$cmd add allow tcp from any to me 21 setup in keep-state
$cmd add allow tcp from any to me 20 setup in keep-state
$cmd add allow tcp from me 20 to any setup out keep-state

# allow ping
$cmd add allow icmp from any to me icmptypes 8 in keep-state

# allow traffic to server
$cmd add allow tcp from me to any setup out keep-state
$cmd add allow ip from me to any out keep-state
$cmd add allow tcp from any to me setup in keep-state
$cmd add allow ip from any to me in keep-state

# deny everything else
$cmd add deny tcp from any to any setup
$cmd add deny ip from any to any

wan_if="em0"
priv_nets="{10.0.0.0.8, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4, 240.0.0.0/5, 127.0.0.0/8, 0.0.0.0}"
tcp_ports="{ 20, 21, 22, 25, 53, 80, 110, 143 }"
udp_ports="{ 53 }"
icmp_types="8"

table <rfc1918> const { 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12 }
table <blocklist> persist file "/etc/blocklist.txt"

set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 15000, frags 30000 }
set optimization normal
set block-policy drop
set fingerprints "/etc/pf.os"
set loginterface $wan_if
set require-order yes

scrub in on $wan_if all no-df fragment reassemble min-ttl 15 max-mss 1460
scrub in on $wan_if all no-df
scrub    on $wan_if  all reassemble tcp

block in quick on $ext_if from $priv_nets

pass in all
pass out all

pass quick on lo0 all

block in log all
block out log all

block in quick on $wan_if from <blocklist> to any
block in quick on $wan_if from <rfc1918> to any

pass in on $wan_if proto tcp from any to $wan_if port $tcp_ports flags S/SA synproxy state
pass in on $wan_if proto udp from any to $wan_if port $udp_ports keep state
pass in on $wan_if inet proto icmp all icmp-type $icmp_types keep state
pass in inet proto icmp icmp-type 8 code 0 keep state



pass in quick on $wan_if proto tcp from any to any port > 49151  keep state

pass out on $wan_if proto tcp all modulate state flags S/SA
pass out on $wan_if proto { udp, icmp } all keep state