On ajoute ça :

device pf
device pflog
device pfsync

On recompile :

make buildkernel KERNCONF=MONKERNEL
make installkernel KERNCONF=MONKERNEL

/etc/pf.conf :

  ext_if="re0"
  int_if="lo0"
 
  table <white_list> { XXX.XXX.XXX.XXX }
  table <bad_hosts> persist file "/etc/bad_hosts"
 
  scrub in all
 
  #Refuse tout le traffic entrant et log, autorise tout traffice sortant
  block in log (all) all
  pass out all
 
  set skip on lo0
 
  #Autoriser toutes les ip se trouvant dans "white_list"
  pass in quick on $ext_if from <white_list> to any
 
  #Autoriser les paquets icmp et icmp V6
  pass in quick proto icmp6 all
  pass in quick proto icmp all
 
  #Bloquer les ip dans "bad_hosts"
  block quick from <bad_hosts>
 
  #Autorise Http et SSH avec limite de tentative de connexion avant refus et inclusion dans la liste "bad_hosts"
  pass in on $ext_if proto tcp to ($ext_if) port http keep state (max-src-conn-rate 20/5, overload <bad_hosts> flush global)
  pass in on $ext_if proto tcp to ($ext_if) port ssh keep state (max-src-conn-rate 10/60, overload <bad_hosts> flush global)
 
  #Autorise les requetes DNS
  pass in on $ext_if proto tcp to ($ext_if) port domain
  pass in on $ext_if proto udp to ($ext_if) port domain
 
  #Autorise traceroute
  pass in on $ext_if proto udp to ($ext_if) port 33433 >< 33626 keep state