ext_if = "egress"
table <bruteforce> persist
table <spamd-white> persist
table <nospamd> persist file "/etc/mail/nospamd"

set skip on lo
set block-policy return
set loginterface $ext_if
match in all scrub (no-df random-id max-mss 1440)

antispoof quick for $ext_if
block return in on $ext_if all
block in quick from <bruteforce>

pass in on $ext_if inet proto tcp from any to any port smtp \
    divert-to 127.0.0.1 port spamd
pass in on $ext_if proto tcp from <nospamd> to any port smtp
pass in log on $ext_if proto tcp from <spamd-white> to any port smtp
pass out log on $ext_if proto tcp to any port smtp

pass in quick on $ext_if proto tcp to any port { 22, 53, 587, 993 } \
    keep state (max-src-conn 50, max-src-conn-rate 10/30, tcp.established 600, overload <bruteforce> flush global)
pass in quick on $ext_if proto tcp to any port { 80, 443, 7777 } \
    keep state (max-src-conn 100, max-src-conn-rate 50/10, tcp.established 600, overload <bruteforce> flush global)

pass in quick on $ext_if proto udp to any port { 53 } \
    keep state (max-src-conn 50, max-src-conn-rate 10/30, overload <bruteforce> flush global)

pass in quick on $ext_if inet proto icmp all
pass in quick on $ext_if inet6 proto icmp6 all

anchor "relayd/*"
pass out quick on $ext_if all