#
# block all incoming TCP packets on le0 from host 10.1.1.1 to any destination.
#
block in on le0 proto tcp from 10.1.1.1/32 to any
#
# block all outgoing TCP packets on le0 from any host to port 23 of
# host 10.1.1.2
#
block out on le0 proto tcp from any to 10.1.1.3/32 port = 23
#
# block all inbound packets.
#
block in from any to any
#
# pass through packets to and from localhost.
#
pass in from 127.0.0.1/32 to 127.0.0.1/32
#
# allow a variety of individual hosts to send any type of IP packet to any
# other host.
#
pass in from 10.1.3.1/32 to any
pass in from 10.1.3.2/32 to any
pass in from 10.1.3.3/32 to any
pass in from 10.1.3.4/32 to any
pass in from 10.1.3.5/32 to any
pass in from 10.1.0.13/32 to any
pass in from 10.1.1.1/32 to any
pass in from 10.1.2.1/32 to any
#
#
# block all outbound packets.
#
block out from any to any
#
# allow any packets destined for localhost out.
#
pass out from any to 127.0.0.1/32
#
# allow any host to send any IP packet out to a limited number of hosts.
#
pass out from any to 10.1.3.1/32
pass out from any to 10.1.3.2/32
pass out from any to 10.1.3.3/32
pass out from any to 10.1.3.4/32
pass out from any to 10.1.3.5/32
pass out from any to 10.1.0.13/32
pass out from any to 10.1.1.1/32
pass out from any to 10.1.2.1/32
#
# block all ICMP packets.
#
block in proto icmp from any to any
#
# test ruleset
#
# allow packets coming from foo (10.1.1.2) to bar (10.2.1.1) through.
#
pass in from 10.1.1.2 to 10.2.1.1
#
# allow any TCP packets from the same subnet as foo is on through to host
# 10.1.1.2 if they are destined for port 6667.
#
pass in proto tcp from 10.2.2.2/24 to 10.1.1.2/32 port = 6667
#
# allow in UDP packets which are NOT from port 53 and are destined for
# localhost
#
pass in proto udp from 10.2.2.2 port != 53 to localhost
#
# block all ICMP unreachables.
#
block in proto icmp from any to any icmp-type unreach
#
# allow packets through which have a non-standard IP header length (ie there
# are IP options such as source-routing present).
#
pass in from any to any with ipopts
#
# block all TCP packets with only the SYN flag set (this is the first
# packet sent to establish a connection) out of the SYN-ACK pair.
#
block in proto tcp from any to any flags S/SA
#
# block all ICMP packets.
#
block in proto icmp all
#
# allow in ICMP echos and echo-replies.
#
pass in on le1 proto icmp from any to any icmp-type echo
pass in on le1 proto icmp from any to any icmp-type echorep
#
# block all ICMP destination unreachable packets which are port-unreachables
#
block in on le1 proto icmp from any to any icmp-type unreach code 3
#
# block all incoming TCP connections but send back a TCP-RST for ones to
# the ident port
#
block in proto tcp from any to any flags S/SA
block return-rst in quick proto tcp from any to any port = 113 flags S/SA
#
# block all inbound UDP packets and send back an ICMP error.
#
block return-icmp in proto udp from any to any
#
# drop all packets without IP security options
#
block in all
pass in all with opt sec
#
# only allow packets in and out on le1 which are top secret
#
block out on le1 all
pass out on le1 all with opt sec-class topsecret
block in on le1 all
pass in on le1 all with opt sec-class topsecret
#
# pass ack packets (ie established connection)
#
pass in proto tcp from 10.1.0.0/16 port = 23 to 10.2.0.0/16 flags A/A
pass out proto tcp from 10.1.0.0/16 port = 23 to 10.2.0.0/16 flags A/A
#
# block incoming connection requests to my internal network from the big bad
# internet.
#
block in on le0 proto tcp from any to 10.1.0.0/16 flags S/SA
#
# to block the replies:
#
block out on le0 proto tcp from 10.1.0.0/16 to any flags SA/SA
# For this example, "foo" has an IP address of 10.2.2.2
#
# allow any TCP packets from the same subnet as foo is on through to host
# 10.1.1.2 if they are destined for port 6667.
#
pass in proto tcp from 10.2.2.2/24 to 10.1.1.2/32 port = 6667
#
# allow in UDP packets which are NOT from port 53 and are destined for
# localhost
#
pass in proto udp from 10.2.2.2 port != 53 to localhost
#
# block anything trying to get to X terminal ports, X:0 to X:9
#
block in proto tcp from any to any port 5999 >< 6010
#
# allow any connections to be made, except to BSD print/r-services
# this will also protect syslog.
#
block in proto tcp/udp all
pass in proto tcp/udp from any to any port 512 <> 515
#
# the same policy as above, written the other way round: allow any
# connections to be made, except to BSD print/r-services
# this will also protect syslog.
#
pass in proto tcp/udp all
block in proto tcp/udp from any to any port 511 >< 516
#
# get rid of all short IP fragments (too small for valid comparison)
#
block in proto tcp all with short
#
# drop and log any IP packets with options set in them.
#
block in log all with ipopts
#
# log packets with BOTH ssrr and lsrr set
#
log in all with opt lsrr,ssrr
#
# drop any source routing options
#
block in quick all with opt lsrr
block in quick all with opt ssrr
#
# Log all short TCP packets to qe3, with 10.3.3.3 as the intended
# destination for the packet.
#
block in on qe0 to qe3:10.3.3.3 proto tcp all with short
#
# Log all connection attempts for TCP
#
pass in on le0 dup-to le1:10.3.3.3 proto tcp all flags S/SA
#
# Route all UDP packets through transparently.
#
pass in on ppp0 fastroute proto udp all
#
# Route all ICMP packets to network 10 out through le1, to 10.3.3.1
#
pass in on le0 to le1:10.3.3.1 proto icmp all
#
# log all inbound packets on le0 which have IP options present
#
log in on le0 from any to any with ipopts
#
# block any inbound packets on le0 which are fragmented and "too short" to
# do any meaningful comparison on. This actually only applies to TCP
# packets which can be missing the flags/ports (depending on which part
# of the fragment you see).
#
block in log quick on le0 from any to any with short frag
#
# log all inbound TCP packets with the SYN flag (only) set
# (NOTE: if it were an inbound TCP packet with the SYN flag set and it
# had IP options present, this rule and the above would cause it
# to be logged twice).
#
log in on le0 proto tcp from any to any flags S/SA
#
# block and log any inbound ICMP unreachables
#
block in log on le0 proto icmp from any to any icmp-type unreach
#
# block and log any inbound UDP packets on le0 which are going to port 2049
# (the NFS port).
#
block in log on le0 proto udp from any to any port = 2049
#
# quickly allow any packets to/from a particular pair of hosts
#
pass in quick from any to 10.1.3.2/32
pass in quick from any to 10.1.0.13/32
pass in quick from 10.1.3.2/32 to any
pass in quick from 10.1.0.13/32 to any
#
# block (and stop matching) any packet with IP options present.
#
block in quick on le0 from any to any with ipopts
#
# allow any packet through
#
pass in from any to any
#
# block any inbound UDP packets destined for these subnets.
#
block in on le0 proto udp from any to 10.1.3.0/24
block in on le0 proto udp from any to 10.1.1.0/24
block in on le0 proto udp from any to 10.1.2.0/24
#
# block any inbound TCP packets with only the SYN flag set that are
# destined for these subnets.
#
block in on le0 proto tcp from any to 10.1.3.0/24 flags S/SA
block in on le0 proto tcp from any to 10.1.2.0/24 flags S/SA
block in on le0 proto tcp from any to 10.1.1.0/24 flags S/SA
#
# block any inbound ICMP packets destined for these subnets.
#
block in on le0 proto icmp from any to 10.1.3.0/24
block in on le0 proto icmp from any to 10.1.1.0/24
block in on le0 proto icmp from any to 10.1.2.0/24
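The le0 ruleset above only works because of how IP Filter walks its rule list: every rule is checked, the last matching rule decides, and a matching rule marked quick ends the walk at once. That is why "pass in from any to any" can sit in the middle and still be overridden by the subnet blocks after it, and why the quick pass rules for 10.1.3.2 and the quick block on IP options are placed before it. The evaluator below is an added example, not part of the IP Filter distribution; it models that ordering for a small subset of the rule syntax (pass/block, in/out, log, quick, on, proto, from/to with CIDR or any, port = N, flags X/Y, with ipopts) and assumes a kernel built with ipf's default-pass policy. The sample ruleset and packets are constructed; the addresses 192.0.2.10 and 10.1.3.7 are not on the page.

```python
# Added example: evaluator for a small subset of IP Filter rule syntax.
# Models ipf's ordering: the LAST matching rule decides, unless a matching
# rule says "quick", which ends the search immediately.
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    direction: str            # "in" or "out"
    iface: str                # interface crossed, e.g. "le0"
    proto: str                # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: str = ""           # TCP flag letters present, e.g. "S" or "SA"
    ipopts: bool = False      # IP options present in the header

@dataclass
class Rule:
    text: str
    action: str               # "pass" or "block"
    direction: str            # "in" or "out"
    quick: bool = False
    log: bool = False
    iface: Optional[str] = None
    proto: Optional[str] = None
    src: Optional[ipaddress.IPv4Network] = None   # None means "any"
    dst: Optional[ipaddress.IPv4Network] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    flags: Optional[tuple] = None                 # (wanted bits, mask bits)
    ipopts: bool = False

def parse_rule(line):
    toks = line.split()
    r = Rule(text=line, action=toks[0], direction=toks[1])
    i = 2
    while i < len(toks):
        t = toks[i]
        if t in ("quick", "log"):
            setattr(r, t, True)
            i += 1
        elif t == "all":                          # shorthand for "from any to any"
            i += 1
        elif t in ("on", "proto"):
            setattr(r, "iface" if t == "on" else "proto", toks[i + 1])
            i += 2
        elif t in ("from", "to"):
            net = (None if toks[i + 1] == "any"
                   else ipaddress.ip_network(toks[i + 1], strict=False))
            setattr(r, "src" if t == "from" else "dst", net)
            i += 2
            if i < len(toks) and toks[i] == "port":   # only "port = N" is modelled
                if toks[i + 1] != "=":
                    raise ValueError(f"unsupported port operator in: {line}")
                setattr(r, "sport" if t == "from" else "dport", int(toks[i + 2]))
                i += 3
        elif t == "flags":                        # "S/SA": of bits S and A, exactly S is set
            want, _, mask = toks[i + 1].partition("/")
            r.flags = (set(want), set(mask or want))
            i += 2
        elif t == "with" and toks[i + 1] == "ipopts":
            r.ipopts = True
            i += 2
        else:
            raise ValueError(f"unsupported keyword {t!r} in: {line}")
    return r

def parse_ruleset(text):
    lines = (raw.split("#", 1)[0].strip() for raw in text.splitlines())
    return [parse_rule(l) for l in lines if l]    # comments and blank lines dropped

def matches(r, p):
    if r.direction != p.direction or (r.iface and r.iface != p.iface):
        return False
    if r.proto and r.proto != p.proto:
        return False
    for net, addr in ((r.src, p.src), (r.dst, p.dst)):
        if net and ipaddress.ip_address(addr) not in net:
            return False
    if (r.sport is not None and r.sport != p.sport) or (r.dport is not None and r.dport != p.dport):
        return False
    if r.flags is not None:
        want, mask = r.flags
        if p.proto != "tcp" or (set(p.flags) & mask) != want:
            return False
    return p.ipopts or not r.ipopts               # "with ipopts" needs options present

def evaluate(rules, p):
    """Return (verdict, texts of the rules that matched, in order)."""
    verdict, trace = "pass", []   # assumption: kernel built with ipf's default-pass policy
    for r in rules:
        if matches(r, p):
            verdict = r.action    # a later match overrides an earlier one ...
            trace.append(r.text)
            if r.quick:           # ... unless the match says quick
                break
    return verdict, trace

# Constructed sample: the le0 subset of the ruleset above, kept in its order.
RULESET = """
pass in quick from any to 10.1.3.2/32
pass in quick from 10.1.3.2/32 to any
block in quick on le0 from any to any with ipopts
pass in from any to any
block in on le0 proto udp from any to 10.1.3.0/24
block in on le0 proto tcp from any to 10.1.3.0/24 flags S/SA
block in log on le0 proto icmp from any to 10.1.3.0/24
"""
RULES = parse_ruleset(RULESET)
```

Running evaluate(RULES, Packet("in", "le0", "udp", "192.0.2.10", "10.1.3.7", 40000, 2049)) returns a block verdict with a two-entry trace: the general pass matched first and the UDP subnet block after it had the last word. The same datagram sent to 10.1.3.2 is passed by the first quick rule and the trace stops there, and a packet carrying IP options never gets past the quick block, so the later pass rule is not consulted. A bare ACK to 10.1.3.7 is passed, because flags S/SA demands that of the S and A bits only S is set.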
#
# For a network server, which has two interfaces, 128.1.40.1 (le0) and
# 128.1.2.1 (le1), we want to block all IP spoofing attacks. le1 is
# connected to the majority of the network, whilst le0 is connected to a
# leaf subnet. We're not concerned about filtering individual services or
#
pass in quick on le0 from 128.1.40.0/24 to any
block in log quick on le0 from any to any
block in log quick on le1 from 128.1.1.0/24 to any
pass in quick on le1 from any to any
#
# Only allow TCP packets in/out of le0 if there is an outgoing connection setup
# somewhere, waiting for it.
#
pass out quick on le0 proto tcp from any to any flags S/SAFR keep state
block out on le0 proto tcp all
block in on le0 proto tcp all
#
# allow nameserver queries and replies to pass through, but no other UDP
#
pass out quick on le0 proto udp from any to any port = 53 keep state
block out on le0 proto udp all
block in on le0 proto udp all
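The keep state rules above depend on IP Filter consulting its state table before the rule list: a packet belonging to a flow already in the table is passed without any rule being looked at, and only a packet that matches a keep state rule creates an entry. So the SYN-ACK and every later packet of a connection we opened get through even though "block in on le0 proto tcp all" would otherwise drop them, while an unsolicited inbound SYN, or an outbound bare ACK with no entry behind it, is blocked. The model below is an added example, a hand-translation of the le0 ruleset into code rather than ipf's own logic; it assumes that entries never expire and ignores the TCP sequence-window checks real ipf performs. The addresses and ports in run_session are constructed.

```python
# Added example: a model of "keep state" as used on le0 above (not ipf's code).
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    direction: str      # "in" or "out", relative to le0
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""     # TCP flag letters present, e.g. "S", "SA", "A"

def flags_match(flags, spec):
    """ipf 'flags S/SAFR': of the bits in the mask, exactly the wanted ones are set."""
    want, _, mask = spec.partition("/")
    return (set(flags) & set(mask or want)) == set(want)

class Le0Filter:
    """Hand-translation of the le0 ruleset above; assumption: state entries never expire."""
    def __init__(self):
        self.state = set()   # (proto, src, sport, dst, dport) of flows we initiated

    def filter(self, p):
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        # 1. state table first: our own traffic out, and replies to it back in
        if (p.direction == "out" and fwd in self.state) or \
           (p.direction == "in" and rev in self.state):
            return "pass (state)"
        # 2. rule list, in order; every rule on le0 is either quick or a plain block
        if p.direction == "out":
            # pass out quick on le0 proto tcp from any to any flags S/SAFR keep state
            if p.proto == "tcp" and flags_match(p.flags, "S/SAFR"):
                self.state.add(fwd)
                return "pass (new state)"
            # pass out quick on le0 proto udp from any to any port = 53 keep state
            if p.proto == "udp" and p.dport == 53:
                self.state.add(fwd)
                return "pass (new state)"
            # block out on le0 proto tcp all / block out on le0 proto udp all
            if p.proto in ("tcp", "udp"):
                return "block"
        elif p.proto in ("tcp", "udp"):
            # block in on le0 proto tcp all / block in on le0 proto udp all
            return "block"
        return "pass"        # no rule mentions other protocols: ipf's default-pass

def run_session():
    """Constructed traffic: one outbound web connection, one DNS lookup, two intruders."""
    f = Le0Filter()
    return [f.filter(p) for p in (
        Pkt("out", "tcp", "10.1.1.5", 40000, "192.0.2.80", 80, "S"),   # our SYN
        Pkt("in",  "tcp", "192.0.2.80", 80, "10.1.1.5", 40000, "SA"),  # their SYN-ACK
        Pkt("out", "tcp", "10.1.1.5", 40000, "192.0.2.80", 80, "A"),   # handshake completes
        Pkt("in",  "tcp", "198.51.100.9", 5555, "10.1.1.5", 22, "S"),  # unsolicited SYN
        Pkt("out", "tcp", "10.1.1.5", 40001, "192.0.2.80", 80, "A"),   # bare ACK, no state behind it
        Pkt("out", "udp", "10.1.1.5", 50000, "192.0.2.53", 53),        # DNS query
        Pkt("in",  "udp", "192.0.2.53", 53, "10.1.1.5", 50000),        # DNS reply
        Pkt("in",  "udp", "198.51.100.9", 1234, "10.1.1.5", 2049),     # unsolicited UDP
        Pkt("out", "icmp", "10.1.1.5", 0, "192.0.2.80", 0),            # neither tcp nor udp
    )]
```

run_session() returns the verdicts in order: new state for the SYN, state for the SYN-ACK and the final ACK, block for the stranger's SYN, block for the bare ACK (S/SAFR only matches a pure SYN, so no entry was ever created), new state and state for the DNS pair, block for the unsolicited UDP, and pass for the ICMP packet that no rule on le0 mentions.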