122514Sdarrenr# 222514Sdarrenr# log all inbound packet on le0 which has IP options present 322514Sdarrenr# 422514Sdarrenrlog in on le0 from any to any with ipopts 522514Sdarrenr# 622514Sdarrenr# block any inbound packets on le0 which are fragmented and "too short" to 722514Sdarrenr# do any meaningful comparison on. This actually only applies to TCP 822514Sdarrenr# packets which can be missing the flags/ports (depending on which part 922514Sdarrenr# of the fragment you see). 1022514Sdarrenr# 1122514Sdarrenrblock in log quick on le0 from any to any with short frag 1222514Sdarrenr# 1322514Sdarrenr# log all inbound TCP packets with the SYN flag (only) set 1422514Sdarrenr# (NOTE: if it were an inbound TCP packet with the SYN flag set and it 1522514Sdarrenr# had IP options present, this rule and the above would cause it 1622514Sdarrenr# to be logged twice). 1722514Sdarrenr# 1822514Sdarrenrlog in on le0 proto tcp from any to any flags S/SA 1922514Sdarrenr# 2022514Sdarrenr# block and log any inbound ICMP unreachables 2122514Sdarrenr# 2222514Sdarrenrblock in log on le0 proto icmp from any to any icmp-type unreach 2322514Sdarrenr# 2422514Sdarrenr# block and log any inbound UDP packets on le0 which are going to port 2049 2522514Sdarrenr# (the NFS port). 2622514Sdarrenr# 2722514Sdarrenrblock in log on le0 proto udp from any to any port = 2049 2822514Sdarrenr# 2922514Sdarrenr# quickly allow any packets to/from a particular pair of hosts 3022514Sdarrenr# 3122514Sdarrenrpass in quick from any to 10.1.3.2/32 3222514Sdarrenrpass in quick from any to 10.1.0.13/32 3322514Sdarrenrpass in quick from 10.1.3.2/32 to any 3422514Sdarrenrpass in quick from 10.1.0.13/32 to any 3522514Sdarrenr# 3622514Sdarrenr# block (and stop matching) any packet with IP options present. 3722514Sdarrenr# 3822514Sdarrenrblock in quick on le0 from any to any with ipopts 3922514Sdarrenr# 4022514Sdarrenr# allow any packet through 4122514Sdarrenr# 4222514Sdarrenrpass in from any to any 4322514Sdarrenr# 4422514Sdarrenr# block any inbound UDP packets destined for these subnets. 4522514Sdarrenr# 4622514Sdarrenrblock in on le0 proto udp from any to 10.1.3.0/24 4722514Sdarrenrblock in on le0 proto udp from any to 10.1.1.0/24 4822514Sdarrenrblock in on le0 proto udp from any to 10.1.2.0/24 4922514Sdarrenr# 5022514Sdarrenr# block any inbound TCP packets with only the SYN flag set that are 5122514Sdarrenr# destined for these subnets. 5222514Sdarrenr# 5322514Sdarrenrblock in on le0 proto tcp from any to 10.1.3.0/24 flags S/SA 5422514Sdarrenrblock in on le0 proto tcp from any to 10.1.2.0/24 flags S/SA 5522514Sdarrenrblock in on le0 proto tcp from any to 10.1.1.0/24 flags S/SA 5622514Sdarrenr# 5722514Sdarrenr# block any inbound ICMP packets destined for these subnets. 5822514Sdarrenr# 5922514Sdarrenrblock in on le0 proto icmp from any to 10.1.3.0/24 6022514Sdarrenrblock in on le0 proto icmp from any to 10.1.1.0/24 6122514Sdarrenrblock in on le0 proto icmp from any to 10.1.2.0/24 62