On ajoute ça :

device pf
device pflog
device pfsync

On recompile :

make buildkernel KERNCONF=MONKERNEL
make installkernel KERNCONF=MONKERNEL

Exemple de fichier de configuration /etc/pf.conf :

ext_if="re0"
int_if="lo0"

table <white_list> { XXX.XXX.XXX.XXX }
table <bad_hosts> persist file "/etc/bad_hosts"

scrub in all

#Refuse tout le traffic entrant et log, autorise tout traffice sortant
block in log (all) all
pass out all

set skip on lo0

#Autoriser toutes les ip se trouvant dans "white_list"
pass in quick on $ext_if from <white_list> to any

#Autoriser les paquets icmp et icmp V6
pass in quick proto icmp6 all
pass in quick proto icmp all

#Bloquer les ip dans "bad_hosts"
block quick from <bad_hosts>

#Autorise Http et SSH avec limite de tentative de connexion avant refus et inclusion dans la liste "bad_hosts"
pass in on $ext_if proto tcp to ($ext_if) port http keep state (max-src-conn-rate 20/5, overload <bad_hosts> flush global)
pass in on $ext_if proto tcp to ($ext_if) port ssh keep state (max-src-conn-rate 10/60, overload <bad_hosts> flush global)

#Autorise les requetes DNS
pass in on $ext_if proto tcp to ($ext_if) port domain
pass in on $ext_if proto udp to ($ext_if) port domain

#Autorise traceroute
pass in on $ext_if proto udp to ($ext_if) port 33433 >< 33626 keep state