MASSIVE improvement of PF rules

pf.conf

@@ -21,8 +21,6 @@ nat on wlan0 from $vm_if:network to any -> (wlan0)
 nat on ue0 from $vm_if:network to any -> (ue0)
 
 # filter
-## allow any outgoing traffic
-pass out on pf_strict from any to any
 ## allow ICMP pings
 pass in on $pf_strict inet proto icmp all icmp-type $icmp_types
 # services (ssh, nfs, smb)
@@ -34,13 +32,11 @@ udp_services = "{ nfsd rpcbind 711 957 22000 }"
 ## DHCP
 pass in quick on $pf_strict inet proto tcp from any port 67:68 to any port { 67 68 } keep state flags S/SA
 pass in quick on $pf_strict inet proto udp from any port 67:68 to any port { 67 68 } keep state
-## services
-# if port is our service, and its coming from goonlan - allow
-pass in quick on $pf_strict inet proto tcp from <goonlan> to any port $tcp_services keep state
-pass in quick on $pf_strict inet proto udp from <goonlan> to any port $udp_services keep state
-
-# if previous rule didn't matched, that implies packet coming
-# not from goonlan, therefore block
-block in log on $pf_strict inet proto tcp from any to any port $tcp_services
-block in log on $pf_strict inet proto udp from any to any port $udp_services
 
+# Mark incoming traffic as blocked
+block in log on $pf_strict all
+# Allow services from certain subnets
+pass in on $pf_strict inet proto tcp from <goonlan> to any port $tcp_services
+pass in on $pf_strict inet proto udp from <goonlan> to any port $udp_services
+# Allow outgoing traffic
+pass out on $pf_strict all

smb4.conf

@@ -5,6 +5,8 @@
   bind interfaces only = yes
   interfaces = lo vnat0
   map to guest = bad user
+  min protocol = SMB2
+  ea support = yes
 
 [vm-shared]
   path = /home/mykola/vm-shared