pf.conf

# options
set optimization normal
set block-policy return
set fingerprints "/etc/pf.os"
# definitions
pf_strict = "{ re0 wlan0 ue0 }"
ext_ifs = "{ re0 wlan0 ue0 }"

vm_if = "vnat0"
vm_net = "10.0.0.0/24"

table <goonlan> const { 192.168.100.0/24, 192.168.184.0/24, 192.168.55.0/24 }
goonlan_broadcast = "192.168.100.255"
icmp_types = "{ 0, 3, 4, 8, 11, 12 }"
# base rules
set skip on lo0

# translation
## VM networking
nat on re0 from $vm_if:network to any -> (re0)
nat on wlan0 from $vm_if:network to any -> (wlan0)
nat on ue0 from $vm_if:network to any -> (ue0)

# filter
## allow ICMP pings
pass in on $pf_strict inet proto icmp all icmp-type $icmp_types
# services (ssh, nfs, smb)
tcp_services = "{ ssh nfsd rpcbind 711 957 22000 21027 }"
udp_services = "{ nfsd rpcbind 711 957 22000 }"

syncthing_tcp = "{ 22000 8384 }"
syncthing_udp = "{ 19917 22000 21027 }"

vnc_tcp = "{ 5969 5970 }"
# rules
## allow all incoming traffic, since they could be a response to outgoing connection
## but block our service ports, and then allow it only for goonlab
## DHCP
pass in quick on $pf_strict inet proto tcp from any port 67:68 to any port { 67 68 } keep state flags S/SA
pass in quick on $pf_strict inet proto udp from any port 67:68 to any port { 67 68 } keep state

# Mark incoming traffic as blocked
block in log on $pf_strict all
# Allow services from certain subnets
pass in on $pf_strict inet proto tcp from <goonlan> to any port $tcp_services
pass in on $pf_strict inet proto udp from <goonlan> to any port $udp_services

pass in on $pf_strict inet proto tcp from $goonlan_broadcast to any port $syncthing_tcp
pass in on $pf_strict inet proto udp from $goonlan_broadcast to any port $syncthing_udp

pass in on $pf_strict inet proto tcp from <goonlan> to any port $vnc_tcp
# Allow outgoing traffic
pass out on $pf_strict all

# TAILSCALE
block in log on tailscale0 all

pass in on tailscale0 inet proto tcp from any to any port 1337

pass out on tailscale0 all