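# pf.conf for a single host: default-deny inbound, allow a few services,
# ICMP echo, and the ICMPv6 Neighbor/Router Discovery messages IPv6 needs.

# our interface
ext_if = "em0"

# IPv6 link local prefix.
PFX_LNKLOC = "fe80::/10"

# IPv6 Solicited Node Multicast Prefix.
MC_SOLNOD = "ff02::1:ff00:0/104"

# IPv6 All Nodes Link Local Multicast Address.
MC_NODLNK = "ff02::1"

# skip loopback
set skip on lo0
set loginterface $ext_if
# drop blocked packets silently instead of answering with RST / unreachable
set block-policy drop
scrub in on $ext_if

## RULES ##

# block and log all traffic not matching below rules
# ("log" is required here, otherwise blocked packets never reach pflog)
block in log

# allow ssh traffic to the host on the custom port
pass in quick proto tcp to port 2223

# allow http/https
pass in quick proto {tcp, udp} to port { http, https }

# allow ssh for gubbhub
pass in quick proto tcp to port 2224

# ping
pass in quick inet6 proto icmp6 icmp6-type echoreq
pass in quick inet proto icmp icmp-type echoreq

# ipv6 stuff
# Allow NS from unspecified to solicited node multicast address (DAD).
# No direction given on purpose: DAD probes are both sent and received.
pass quick inet6 proto icmp6 from :: to $MC_SOLNOD icmp6-type neighbrsol no state

# Allow IPv6 Router Discovery.
# Only link-local sources may send RAs to the all-nodes group.
pass in quick inet6 proto icmp6 from $PFX_LNKLOC to $MC_NODLNK icmp6-type routeradv no state

# Allow IPv6 Neighbor Discovery (ND/NUD/DAD).
# No source filter on this rule; the narrower source-restricted variants are
# kept commented out at the end of the file until the TODO below is resolved.
pass in quick inet6 proto icmp6 to { ($ext_if), $MC_SOLNOD } icmp6-type { neighbrsol, neighbradv } no state

# Allow any outgoing traffic
pass out

# TODO: We seem to not only get neighbor advertisements from the local subnet? How does
# this work?
#pass in quick inet6 proto icmp6 from { $PFX_LNKLOC, ($ext_if:network) } to { ($ext_if), $MC_SOLNOD } icmp6-type neighbrsol no state
#pass in quick inet6 proto icmp6 from { $PFX_LNKLOC, ($ext_if:network) } to { ($ext_if), $MC_NODLNK } icmp6-type neighbradv no state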