4 log in on le0 from any to any with ipopts
6 # block any inbound packets on le0 which are fragmented and "too short" to
7 # do any meaningful comparison on.  This actually only applies to TCP
11 block in log quick on le0 from any to any with short frag
18 log in on le0 proto tcp from any to any flags S/SA
20 # block and log any inbound ICMP unreachables
22 block in log on le0 proto icmp from any to any icmp-type unreach
24 # block and log any inbound UDP packets on le0 which are going to port 2049
27 block in log on le0 proto udp from any to any port = 2049
29 # quickly allow any packets to/from a particular pair of hosts
31 pass in quick from any to 10.1.3.2/32
32 pass in quick from any to 10.1.0.13/32
33 pass in quick from 10.1.3.2/32 to any
34 pass in quick from 10.1.0.13/32 to any
36 # block (and stop matching) any packet with IP options present.
38 block in quick on le0 from any to any with ipopts
40 # allow any packet through
42 pass in from any to any
44 # block any inbound UDP packets destined for these subnets.
46 block in on le0 proto udp from any to 10.1.3.0/24
47 block in on le0 proto udp from any to 10.1.1.0/24
48 block in on le0 proto udp from any to 10.1.2.0/24
50 # block any inbound TCP packets with only the SYN flag set that are
53 block in on le0 proto tcp from any to 10.1.3.0/24 flags S/SA
54 block in on le0 proto tcp from any to 10.1.2.0/24 flags S/SA
55 block in on le0 proto tcp from any to 10.1.1.0/24 flags S/SA
57 # block any inbound ICMP packets destined for these subnets.
59 block in on le0 proto icmp from any to 10.1.3.0/24
60 block in on le0 proto icmp from any to 10.1.1.0/24
61 block in on le0 proto icmp from any to 10.1.2.0/24

Indexes created Wed Jun 26 11:41:58 MDT 2024