# EMC firewal configuration
# Start with all interfaces and addresses

$upstream_if		= "wm0"
$upstream_ip		= { 173.198.243.126 }
$upstream_lan		= { 173.198.243.124/30 }

table <blocklist> type lpm file "/etc/npf_blocklist"

$services_tcp = { ssh, smtp, domain, http, https, submissions, submission, 655, 656, 7700 }
$services_udp = { domain, ntp }
alg "icmp"
set bpf.jit off

procedure "log" {
	log: npflog0
}

group "external" on $upstream_if {
	ruleset "blocklistd"
	pass stateful out final all
	block in final from <blocklist>
	pass stateful in final family inet4 proto tcp to $upstream_ip port ssh apply "log"
	pass stateful in final proto tcp to $upstream_ip port $services_tcp
	pass stateful in final proto udp to $upstream_ip port $services_udp
	pass stateful in final proto tcp to $upstream_ip port 49151-65535    # Passive FTP
	pass stateful in final proto udp to $upstream_ip port 33434-33600    # Traceroute
#	block final all apply "log"
}

group default {
	pass final on lo0 all
	pass in final all
	pass out final all
}