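# pf.conf — one member of a CARP/pfsync firewall pair with an internal LAN,
# a DMZ (reached via the carp145 VIP) and an OSPF-speaking router link on
# tap0. Rule order matters: every "quick" rule ends evaluation at the first
# match, so the layout is exceptions first, catch-all blocks last.

# interfaces
int_if   = "vio0"
sync_if  = "vio1"
ext_if   = "vio2"
dmz_if   = "vio3"
fsol_if  = "tap0"
dmz_carp = "carp145"   # CARP VIP on the DMZ side; its network defines $dmz_net

# networks (parenthesised so pf re-reads the addresses at runtime)
int_net = "(" $int_if:network ")"
ext_net = "(" $ext_if:network ")"     # currently unreferenced by the rules below
dmz_net = "(" $dmz_carp:network ")"

# my addresses (":0" = primary address only, aliases excluded)
int_me = "(" $int_if:0 ")"
ext_me = "(" $ext_if:0 ")"           # currently unreferenced by the rules below

# options
set block-policy return
set loginterface $int_if
set skip on lo0

# assemble fragmented packets
match in all scrub (no-df)

# antispoof first. These expand to "block in" rules for packets that carry a
# source address from $int_if's network or 127/8 but arrive on some other
# interface. They must precede every "pass quick" rule — in particular the
# ICMP rules below — otherwise a spoofed packet is accepted before the
# antispoof rules are ever consulted. "log" sends the drops to pflog, in
# line with the logged catch-all blocks at the end of the ruleset.
antispoof log for lo0
antispoof log for $int_if

# allow icmp
# NOTE(review): this passes every ICMP/ICMPv6 type on every interface, with
# state synced to the peer. If the required types are known, narrow it
# (e.g. "icmp-type { echoreq unreach timex }" / the icmp6-type equivalent)
# after confirming PMTU discovery and monitoring still work.
pass quick inet proto icmp
pass quick inet6 proto icmp6

# admin connection and munin (internal): reachable only from the internal
# network. (no-sync) keeps these host-local states off pfsync.
pass in quick on $int_if proto tcp from $int_net to self port ssh keep state (no-sync)
pass in quick on $int_if proto tcp from $int_net to self port 4949 keep state (no-sync)

# internal network: nothing else may reach this host; the host itself may
# talk to the internal network.
block in quick from any to self
pass out quick on $int_if from $int_me to $int_net keep state (no-sync)

# dmz network: CARP between the cluster members plus routed DMZ traffic.
# DMZ flows carry no (no-sync) so their state is replicated for failover.
pass quick on $dmz_if proto carp
pass in quick on $dmz_if inet from $dmz_net to any
pass out quick on $dmz_if inet from any to $dmz_net

# allow this host to talk out via the external interface; host-local
# states are not synced to the peer.
pass out quick on $ext_if from self to any keep state (no-sync)

# pfsync interface
pass quick on $sync_if proto pfsync keep state (no-sync)

# fsol (router) network: OSPF with the router plus DMZ transit.
# NOTE(review): the OSPF "pass in" accepts protocol 89 from any source on
# $fsol_if; if the neighbour addresses are known, restrict the source.
# NOTE(review): "block in quick from any to self" above is evaluated before
# this rule, so unicast OSPF packets addressed to this host are dropped
# while multicast (224.0.0.5/6) still passes. If the adjacency relies on
# unicast DBD/LSU exchange, move the OSPF "pass in" above that block.
pass in quick on $fsol_if proto ospf from any to any
pass out quick on $fsol_if proto ospf from self to any
pass in quick on $fsol_if inet from any to $dmz_net
pass out quick on $fsol_if inet from $dmz_net to any
pass out quick on $fsol_if inet from self to any

# drop rest, logged to pflog
block in quick log all
block out quick log all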