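# Sources:
#   https://cmcenroe.me/2016/06/04/freebsd-pf-fail2ban.html
#   https://www.freebsd.org/doc/handbook/firewalls-pf.html
#   http://ipdeny.com/ipblocks/
#   https://www.openbsd.org/faq/pf/tables.html
#   https://undeadly.org/cgi?action=article&sid=20140527054301
#
# NOTE(review): the angle-bracketed table names (<name>) were stripped by the
# page extraction; they are restored here from the surrounding comments. The
# fail2ban table name MUST match the table fail2ban's pf action adds to
# (pfctl -t <name> -T add ...), otherwise bans are written to a table no rule
# reads and never take effect.
#
# pf evaluates rules top to bottom; the LAST matching rule wins unless a rule
# is marked "quick", which ends evaluation at that rule. Rule order below is
# therefore significant and is commented where it is security-relevant.

# Never filter loopback.
set skip on lo0

# Allow all outbound traffic (state is kept by default, so replies are let in).
pass out quick all

# Table of all US IPv4 prefixes, loaded from a file maintained outside pf.
# Refresh it with something like:
#   wget -4 --no-proxy --no-cookies --no-cache \
#     https://ipdeny.com/ipblocks/data/countries/us.zone -O /etc/pf-files/us.zone
# Caveats:
#  - fetch over https and compare against the checksum ipdeny publishes before
#    installing the file: this list decides who may reach sshd, so a tampered
#    or truncated download widens (or breaks) the firewall policy.
#  - if the file is missing, pfctl will not load this ruleset; make sure the
#    file exists before pf is started at boot.
#  - the country list is IPv4 only; IPv6 clients never match <us_zones> and
#    fall through to the default block below.
#  - geofencing reduces exposure but is not authentication: any US-hosted
#    VPN exit or cloud instance is still "in the US".
table <us_zones> persist file "/etc/pf-files/us.zone"

# The only TCP services exposed to the outside.
tcp_services = "{ 22, 80 }"

# Local networks that are trusted unconditionally. x.x.x.x/26 is a placeholder
# for the site's own public block; replace it before loading.
# NOTE(review): this table's original name was lost in extraction; any name
# works as long as the pass rule below uses the same one.
table <localnet> { 10.10.10.0/24, 172.45.42.0/24, x.x.x.x/26 }

# Table fail2ban adds offending addresses to. "persist" keeps the table alive
# while empty, so "pfctl -t fail2ban -T add" never fails on a missing table.
table <fail2ban> persist

# Trust the local networks entirely. Because this rule is "quick" and precedes
# the fail2ban block, a banned address inside <localnet> is still let in. The
# rule is not bound to an interface, so consider an antispoof rule for the
# external interface if spoofed RFC1918 sources arriving there are a concern.
pass in quick from <localnet>

# Default deny for everything inbound; later non-quick pass rules override
# this for the traffic they match.
block in all

# Drop banned hosts before any of the pass rules below can match them.
block in quick from <fail2ban>

# Allow ICMP from anywhere except banned hosts (the fail2ban block above is
# quick, so it wins). ICMPv6 must stay open for neighbour discovery; for IPv4
# consider limiting to the types actually needed (e.g. icmp-type echoreq)
# rather than "all".
pass in quick inet proto icmp all
pass in quick inet6 proto icmp6 all

# Expose the listed TCP services only to US source addresses. This is the last
# rule matching such packets, so it overrides "block in all". pf can also
# throttle sshd brute force on its own with e.g.
#   keep state (max-src-conn-rate 15/30, overload <table> flush global)
# into a separate pf-managed table, if relying solely on fail2ban is not
# desired.
pass in proto tcp from <us_zones> to any port $tcp_services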