Pfa

remember this

ok so the configuration file is located at /etc/pf.conf
to load new changes you will use # pfctl -f /etc/pf.conf
using rc to do it does not work last time I checked :/

to enable packet filter run # pfctl -e
to disable packet filter run # pfctl -d

remember that the last rule applies so if you deny someone from connecting to a port but then allow it right after then the port will be allowed,
unless you use `quick` because that means apply now and stop reading

configuration

set skip on lo0 # this makes it so packet filter doesn't affect the loop back device

# :P marker #1

block in # makes it so by default nothing is allowed in
pass out # makes it so by default everything is allowed out

# now you want to allow some ports
# first you type `pass in quick proto`
# then you want to type either udp or tcp, if you're not sure then just allow both by saying `{udp tcp}`
# now you want to say who is allowed, this can either be a ip, table or "any" `from any`
# now define the ports `to port {`the ports separated by a space or use : to specify a range'}'

# here's a few examples
pass in quick proto {udp tcp} from any to port {53} # allow anyone to access the dns server
pass in quick proto tcp from any to port {6667:6669 6697:6699 9999} # allow anyone to access some common irc ports
# you can also use certain words but I don't know where you can find the list
pass in quick proto tcp from any to port {http https} # (80 443) allow anyone to access the http server
# now what about restricting ssh?
pass in quick proto tcp from 1.2.3.4 to port {22} # makes it so the ip 1.2.3.4 can access port 22

# cough cough cough
# now what about blocking some evil doers?
# this is bill bob
# _-_
# >:<
# \_/
# hes super evil and we know we wants to hack your server so he can boot people,
# but we don't want that because that can get us in trouble,
# we happen to have gathered a list of all his hacking servers.
# we create a folder in /etc called pf and in that folder (/etc/pf) we put in a text file called badhosts
# inside that file (/etc/pf/badhosts) we will put in all of bill bob's ips and also other ips of other evil doers like bill bob
# so now lets make it take affect
table <badhosts> persist file "/etc/pf/badhosts"
# now we have the table called <badhosts> loaded and can use <badhost> whenever we want to apply a rule to all those ips inside that table
block in quick from <badhosts> # this line basically says all the ips in the badhosts table, 's connections will be dropped now
# but remember that the last rule applies so it will only really affect rules below and prevent bill bob and other evil doers from connecting to ports below,
# so because of this you should load the table and add the block before placing all the passes,
# the best place to put it would be where marker #1 is
# keep in mind that changes to the table only take affect after a reload with the command # pfctl -f /etc/pf.conf

# now what about timmy?
# this is timmy's upper body... I'm not drawing his entire body again...
#  ._.
#  |_|
#  ; ;
#  \ \
# ...
# timmy is a super good boi, timmy is a helper,
# timmy will stop at nothing but to protect your server from evil doers like bill bob,
# but sometimes you make mistakes, we all do, even timmy,
# so sometimes it might be necessary to give timmy access to all ports but this is almost never necessary.
# just like above in the bill bob section we will create a table but this table will be called ilines instead of badhosts.
# so in /etc/pf/ilines you will put timmy's ip but of course only when necessary
table <ilines> persist file "/etc/pf/ilines"
# and then allow access to the ports
pass in quick from <ilines>
# you can put this above marker #1 or below it or just at the very bottom of the configuration file,
# but to make the least possible errors that can occur with a big bulky configuration file,
# it is advised (recommended) to put it above marker #1.

# You can make as meany tables as you want and make groups of whom may access what ports and who isn't allowed to.
# go nuts!