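# pf.conf -- host firewall for a FreeBSD box hosting a web jail.
# Policy: default-deny inbound (logged), allow everything outbound,
# web ports to the jail from anywhere, sshd only from trusted networks.
# The x.x / xxxx placeholders MUST be replaced before loading; check the
# result with `pfctl -nf /etc/pf.conf` first.

# External network interface (e.g. ue0)
ext_if = "ue0"
# IPv4 address of the jail
jail_ip = "192.168.x.x"
# IPv6 address of the jail
jail_ipv6 = "xxxx:xxxx:xxxx:xxxx::xxxx"
# Networks allowed to reach sshd on this host
trusted_nets = "{ 192.168.x.x/24 }"

# Do not filter loopback: a plain "block all" also blocks lo0, which breaks
# local services (resolver, host<->jail traffic over a loopback interface, ...).
set skip on lo0

# Block everything by default and log the drops so they show up on pflog0
# (requires pflog to be enabled: sysrc pflog_enable=YES).
block log all

# Allow web traffic (HTTP/HTTPS) to the jail, IPv4 and IPv6
pass in quick on $ext_if inet  proto tcp from any to $jail_ip   port { 80, 443 } keep state
pass in quick on $ext_if inet6 proto tcp from any to $jail_ipv6 port { 80, 443 } keep state

# Allow sshd only from the trusted networks.
# NOTE(review): "self" expands to every address configured on this host; if the
# jail's IP is an alias on $ext_if, SSH to the jail from $trusted_nets is
# admitted as well -- narrow the destination to a specific address if unwanted.
pass in quick on $ext_if proto tcp from $trusted_nets to self port 22 keep state

# Allow IPv4 ping. ICMP error messages that belong to an existing state are
# already admitted by pf's state tracking, so only echo requests need a rule.
pass in quick on $ext_if inet proto icmp from any to any icmp-type echoreq keep state

# IPv6: instead of admitting every ICMPv6 type, allow echo requests plus the
# types IPv6 cannot operate without (RFC 4890). Neighbor/router discovery is
# not tied to a state, so those types must be passed explicitly.
pass in quick on $ext_if inet6 proto icmp6 from any to any \
    icmp6-type { echoreq, neighbrsol, neighbradv, routeradv, toobig, unreach, timex, paramprob } keep state

# Allow outbound Internet access, IPv4 and IPv6 (stateful, so replies return)
pass out on $ext_if inet  proto { tcp, udp, icmp }  from any to any keep state
pass out on $ext_if inet6 proto { tcp, udp, icmp6 } from any to any keep state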