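# pf.conf for a router with an internal interface (vio0) and an external one
# (vio1); outgoing internal traffic is NAT'd to the external address.

# interfaces
int_if = "vio0"
ext_if = "vio1"

# networks
int_net = "(" $int_if:network ")"
ext_net = "(" $ext_if:network ")"

# my addresses
int_me = "(" $int_if:0 ")"
ext_me = "(" $ext_if:0 ")"

# options
set block-policy return
set loginterface $int_if
set skip on lo0

# assemble fragmented packets
match in all scrub (no-df)

# ftp proxy
anchor "ftp-proxy/*"

# nat outgoing traffic
match out on $ext_if inet from $int_net nat-to $ext_me

# antispoof before any "pass quick" rule: quick rules end evaluation on match,
# so antispoof placed after the unrestricted icmp/icmp6 pass rules would let an
# inbound packet with a forged $int_net/$ext_net (or loopback) source through
# before the spoof check ever runs.
antispoof for lo0
antispoof for $int_if
antispoof for $ext_if

# allow carp traffic
pass out quick on $int_if proto carp

# allow icmp (all types, both directions, on every interface)
pass quick inet proto icmp
pass quick inet6 proto icmp6

# allow dhcpv6 to myself
# NOTE(review): source is "any"; if the servers/relays in use answer from
# link-local addresses, "from fe80::/10" would tighten this -- confirm first.
pass in quick inet6 proto udp from any to $ext_me port dhcpv6-client

# admin connection (internal, fsol and arc office)
pass in quick on $int_if proto tcp from $int_net to self port ssh
pass in quick on $ext_if proto tcp from 37.35.86.64/29 to self port ssh
pass in quick on $ext_if proto tcp from 37.16.96.144/28 to self port ssh
pass in quick on $ext_if proto tcp from 81.175.155.142/32 to self port ssh

# allow dns queries from internal net
pass in quick on $int_if proto { tcp, udp } from $int_net to self port domain

# block rest of packets coming to me
block in quick from any to self

# allow communication from internal to world
pass in quick on $int_if from $int_net to !$int_net

# allow myself to communicate outside (both routes)
pass out quick on $ext_if from self to any
pass out quick on $int_if from self to any

# allow traffic from outside (delivery into the internal net; inbound on
# $ext_if is still limited to the pass rules above plus state)
pass out quick on $int_if from any to $int_net

# drop rest
block in quick log all
block out quick log all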