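# $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf
#
# pf.conf(5) evaluation reminders that matter when reading this file:
#   - The last matching rule wins, unless a rule says "quick".
#   - A rule with no "in"/"out" keyword matches BOTH directions, and a rule
#     with no "on <interface>" matches every interface.
#   - "user <name>" only matches sockets owned by that user on this host.

# Do not filter the loopback interfaces at all.
set skip on lo
set skip on lo1

# Default policy: reject stateless traffic with RST / ICMP unreachable
# ("block return", as in the stock example, rather than a silent drop).
block return    # block stateless traffic
# Allow everything, keeping state. For non-egress interfaces (e.g. the VM
# bridge below) this stays the effective policy, because nothing later
# blocks them; the external interface is re-blocked further down.
pass            # establish keep-state

# By default, do not permit remote connections to X11
#block return in on ! lo0 proto tcp to port 6000:6010

# Port build user does not need network (logged so stray fetches show up).
block return out log proto {tcp udp} user _pbuild

# VM networking: masquerade the VM bridge's network behind the egress address.
bridge = "vether0"
match out on egress from $bridge:network to any nat-to (egress)

# play difficult: the external interface is default-deny in both directions;
# every pass rule below punches a hole through this.
block on egress all

# enable torrent
# The original had three TCP rules here (out/to any, in/from any, and one with
# no direction). "from any"/"to any" are the defaults and a direction-less rule
# already covers in and out, so they all matched the same traffic; merged into
# the single equivalent rule.
pass quick on egress proto tcp from any user _transmission
pass quick on egress proto udp from any user _transmission

# enable openvpn: any UDP port, both directions, for sockets owned by _openvpn.
pass quick on egress proto udp user _openvpn

tcp_services = "{ssh, smtp, domain, www, pop3, auth, http, https, pop3s, irc, openvpn, git, imaps, imap, smtps, vnc}"
# These services are not marked in /etc/services
dict = "2628"
# http without binding to port 80
althttp = "8080"

# NOTE(review): the port rules from here on carry neither "in"/"out" nor
# "on egress", so besides letting this host connect out, each one also opens
# inbound access to that port from any source on the external interface
# (ssh, vnc, nfs, lpr, sane, bjnp, ... included) whenever something listens.
# Where only a client is intended (dict, submission, traceroute, printing,
# scanning, drawterm) "pass out proto ..." is the narrower rule; where the
# host really serves (Roku DLNA, the DAC, sndio, Xonotic) a source
# restriction such as "from egress:network" keeps it off the Internet.
# Left unchanged here because which ports must stay reachable cannot be told
# from this file alone.
pass proto tcp to port $tcp_services
# Port 587 used by disroot.
pass proto tcp to port 587
pass proto tcp to port $dict
pass proto tcp to port $althttp
pass proto tcp to port nfs
pass proto udp to port nfs

# DMS for Roku.
dms="1900"
dms_http="1338"
pass proto tcp to port $dms
pass proto udp to port $dms
pass proto tcp to port $dms_http
pass proto udp to port $dms_http
dms_roku="35888"
pass proto udp to port $dms_roku

# Traceroute
trace="33434"
pass proto udp to port $trace

# Enable LPR printing.
lpr="515"
pass proto tcp to port $lpr

# Enable SANE.
pass proto tcp to port sane-port
pass proto udp to port sane-port

# Enable BJNP.
bjnp_print="8612"
bjnp_scan="8613"
pass proto tcp to port $bjnp_print
pass proto udp to port $bjnp_print
pass proto tcp to port $bjnp_scan
pass proto udp to port $bjnp_scan

# Enable IRC.
irc="6667"
pass proto tcp to port $irc

# Outbound-only UDP (this one does carry a direction).
udp_services = "{domain, openvpn}"
pass out proto udp to port $udp_services

# Broken DAC. Allow incoming traffic on port 12345 for it.
dac="12345"
pass proto tcp to port $dac

# Remote sndio connection. See https://www.openbsd.org/faq/faq13.html
# Prioritize. See pf.conf(5)
# NOTE(review): reachable from any source on egress; presumably only
# sndiod's own authentication stands between the Internet and the audio
# server -- confirm, or restrict the source.
sndio=11025
pass proto tcp to port $sndio set prio 4
# https://man.openbsd.org/pf.conf#QUEUEING

# Xonotic (client and server, hence explicit in and out rules).
xonotic = "26000"
pass out proto tcp to port $xonotic
pass out proto udp to port $xonotic
pass in proto tcp to port $xonotic
pass in proto udp to port $xonotic

# drawterm
pass proto tcp to port {17010,17013,17019,17020,567}
# see drawterm/kern/devip.c
# see https://plan9.io/wiki/plan9/drawterm/index.html

# I like ICMP ping.
# NOTE(review): this passes every ICMP type in both directions, not just
# echo. "pass proto icmp icmp-type { echoreq, unreach, timex, paramprob }"
# keeps ping (replies return via state), PMTU discovery and traceroute
# working while dropping e.g. redirects; left unchanged.
pass proto icmp from any to any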