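# pf.conf -- host firewall ruleset for a server exposing SSH, HTTP(S) and
# SIP/RTP services.
#
# Policy: outbound traffic is allowed; inbound traffic is dropped unless it
# comes from an allow-listed address or targets one of the ports listed below.
# Almost every rule uses "quick", so the FIRST matching rule wins and the
# order of the rules is significant.
#
# NOTE(review): in the text this file was recovered from, every <table-name>
# token was missing (the table definitions and the "from ... to" clauses had
# no name). The names below are placeholders derived from each file's
# basename -- replace them with the names your tooling actually updates
# before loading this ruleset.

#define interfaces
#ext_if="em0"

#skip rule for loopback interface
# Options are placed before normalization: pfctl's default require-order
# setting expects options, normalization, queueing, translation, filtering.
set skip on lo0

#normalize packets
scrub in all

#add the pf tables
# "persist" keeps a table in the kernel even when no rule references it;
# "file" loads the initial addresses when the ruleset is loaded.
table <pf-pass> persist file "/etc/pf-pass.conf"
table <pf-block> persist file "/etc/pf-block.conf"
table <pf-block-sip-auth-ip> persist file "/etc/pf-block-sip-auth-ip.conf"
table <pf-block-sip-auth-fail> persist file "/etc/pf-block-sip-auth-fail.conf"

#prevent spoofing for all interfaces
antispoof quick for all

#allow traffic on loopback
# Redundant with "set skip on lo0" above; kept so loopback stays open if the
# skip option is ever removed.
pass quick on lo0 all

#allow outbound traffic
pass out quick all

#pass allowed addresses
# Evaluated before the block tables: an address listed in both the pass table
# and a block table is allowed. Keep the pass list short and reviewed.
pass in quick from <pf-pass> to any keep state

#block traffic from blocked addresses
block in quick from <pf-block>
block in quick from <pf-block-sip-auth-ip>
block in quick from <pf-block-sip-auth-fail>

#allow ICMP
# NOTE(review): every ICMP/ICMPv6 type is accepted from any source. An
# explicit icmp-type / icmp6-type list would narrow this.
pass in quick inet proto icmp all
pass in quick inet6 proto icmp6 all

#allow additional ports
# All service rules below are IPv4 only (inet) and accept any source address.
# NOTE(review): SSH (22) is reachable from anywhere; consider restricting it
# to the pass table or adding connection-rate limits.
pass in quick inet proto tcp from any to any port 22 keep state
pass in quick inet proto tcp from any to any port 80 keep state
pass in quick inet proto tcp from any to any port 443 keep state
pass in quick inet proto tcp from any to any port 7443 keep state
# presumably SIP signalling (tcp and udp) -- confirm the range matches the
# profiles actually configured
pass in quick inet proto tcp from any to any port 5060:5091 keep state
pass in quick inet proto udp from any to any port 5060:5091 keep state
# presumably the RTP media range -- keep in sync with the media server's
# configured port range
pass in quick inet proto udp from any to any port 16384:32768 keep state

#default block rule
# Reached only by inbound packets that matched none of the quick rules above.
block in all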