# Allow the loopback device to bypass the rules since it is localhost.
pass in quick on lo0 all
pass out quick on lo0 all

# Block nmap OS fingerprinting attempts. FIN, URG and PSH set together with
# no SYN or ACK is never a legitimate segment; it is the Xmas-style probe.
block in log quick on tun0 proto tcp all flags FUP

# Block any abnormal packets: fragments too short to carry a full TCP header,
# and anything carrying IP options (source routing in particular).
block in log quick proto tcp from any to any with short
block in log quick all with ipopts
block in log quick all with opt lsrr
block in log quick all with opt ssrr

# Block RFC1918 and loopback addresses at the border, in both directions.
# These rules must be 'quick': ipf applies last-match semantics to rules
# without 'quick', so without it the later 'pass ... quick on tun0' rules
# would override these blocks and a spoofed private-source packet would
# reach the port forwards below.
block in log quick on tun0 from 192.168.0.0/16 to any
block in log quick on tun0 from 172.16.0.0/12 to any
block in log quick on tun0 from 10.0.0.0/8 to any
block in log quick on tun0 from 127.0.0.0/8 to any
block out log quick on tun0 from any to 192.168.0.0/16
block out log quick on tun0 from any to 172.16.0.0/12
block out log quick on tun0 from any to 10.0.0.0/8
block out log quick on tun0 from any to 127.0.0.0/8

# Allow the inside to talk out. Only a bare SYN may create TCP state, so a
# stray ACK or RST from the inside does not open a connection entry.
pass in quick on fxp1 proto tcp from 192.168.1.0/24 to any flags S keep state
pass in quick on fxp1 proto udp from 192.168.1.0/24 to any keep state
pass in quick on fxp1 proto icmp from 192.168.1.0/24 to any keep state
pass in quick on fxp2 proto tcp from 192.168.2.0/24 to any flags S keep state
pass in quick on fxp2 proto udp from 192.168.2.0/24 to any keep state
pass in quick on fxp2 proto icmp from 192.168.2.0/24 to any keep state

# Allow us to talk to the private nets.
pass out quick on fxp1 proto tcp from any to any flags S keep state
pass out quick on fxp1 proto udp from any to any keep state
pass out quick on fxp1 proto icmp from any to any keep state
pass out quick on fxp2 proto tcp from any to any flags S keep state
pass out quick on fxp2 proto udp from any to any keep state
pass out quick on fxp2 proto icmp from any to any keep state

# Allow ourselves to talk out to the world too.
pass out quick on tun0 proto tcp from any to any flags S keep state
pass out quick on tun0 proto udp from any to any keep state
pass out quick on tun0 proto icmp from any to any keep state

# Noisy inbound ports: drop but don't log, so they do not flood the log
# before the default deny. ident first, then the P2P and streaming ports.
# ident
block in quick on tun0 proto tcp from any to any port = 113
# kazaa
block in quick on tun0 proto tcp from any to any port = 1214
# gnutella
block in quick on tun0 proto tcp from any to any port = 6346
# napster
block in quick on tun0 proto tcp from any to any port = 6699
# realmedia
block in quick on tun0 proto tcp from any to any port = 6970

# Allow in our port forwards. These match the translated (internal)
# destination because ipf applies rdr NAT to inbound packets before the
# filter rules see them.
pass in quick on tun0 proto tcp from any to 192.168.1.2 port = 20 flags S keep state
pass in quick on tun0 proto tcp from any to 192.168.1.2 port = 21 flags S keep state
pass in quick on tun0 proto tcp from any to 192.168.1.2 port = 25 flags S keep state
pass in quick on tun0 proto tcp from any to 192.168.2.2 port = 80 flags S keep state
pass in quick on tun0 proto tcp from any to 192.168.1.2 port = 6881 flags S keep state
pass in quick on tun0 proto tcp from any to 192.168.1.2 port = 6882 flags S keep state
pass in quick on tun0 proto tcp from any to 192.168.1.2 port = 6883 flags S keep state
pass in quick on tun0 proto tcp from any to 192.168.2.2 port = 22 flags S keep state
pass in quick on tun0 proto tcp from any to 192.168.1.2 port = 22 flags S keep state

# Default deny. ipf's built-in default when no rule matches is pass, so
# these final quick blocks are what actually makes the policy deny-by-default.
block in log quick all
block out log quick all
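The following Python evaluator is an added example, not part of the original ruleset or of IPFilter itself. It models ipf's match semantics for the first packet of a flow: a matching rule without 'quick' only records a tentative verdict and the walk continues (last match wins), while a matching 'quick' rule ends the walk. It is run over a constructed excerpt of the rules above, once with the RFC1918 border blocks written without 'quick' and once with 'quick' added, against two constructed packets: a spoofed SYN from a private source aimed at the SSH port forward, and a SYN leaving tun0 towards a private destination. The parser understands only the rule vocabulary this page uses (no 'with short', 'with ipopts' or NAT) and treats 'port = N' as a destination port; the addresses and packets are invented for the demonstration.

```python
"""Toy evaluator for IPFilter (ipf) rule semantics. Added example; it
supports only the rule vocabulary used on this page: pass/block, in/out,
log, quick, on IFACE, proto, all, from/to with CIDR or 'any', a destination
'port = N', 'flags', and 'keep state'."""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")


def _net(tok):
    return ANY if tok == "any" else ipaddress.ip_network(tok, strict=False)


def parse_rule(line):
    """Parse one ipf rule into a dict, or return None for blank/comment lines."""
    toks = line.split("#", 1)[0].split()
    if not toks:
        return None
    rule = {"action": toks[0], "dir": toks[1], "quick": False, "log": False,
            "iface": None, "proto": None, "src": ANY, "dst": ANY,
            "dport": None, "flags": None, "text": line.strip()}
    i = 2
    while i < len(toks):
        t = toks[i]
        if t in ("log", "quick"):
            rule[t] = True
            i += 1
        elif t == "all":
            i += 1
        elif t in ("on", "proto", "flags"):
            rule["iface" if t == "on" else t] = toks[i + 1]
            i += 2
        elif t in ("from", "to"):
            rule["src" if t == "from" else "dst"] = _net(toks[i + 1])
            i += 2
        elif t == "port":              # 'port = N', destination port only
            rule["dport"] = int(toks[i + 2])
            i += 3
        elif t == "keep":              # 'keep state' does not affect the first packet
            i += 2
        else:
            raise ValueError(f"unsupported token {t!r} in: {line}")
    return rule


def matches(rule, pkt):
    """'flags S' in ipf means exactly SYN set, so flag sets are compared for equality."""
    return (rule["dir"] == pkt["dir"]
            and rule["iface"] in (None, pkt["iface"])
            and rule["proto"] in (None, pkt["proto"])
            and ipaddress.ip_address(pkt["src"]) in rule["src"]
            and ipaddress.ip_address(pkt["dst"]) in rule["dst"]
            and rule["dport"] in (None, pkt.get("dport"))
            and (rule["flags"] is None
                 or set(rule["flags"]) == set(pkt.get("flags", ""))))


def decide(ruleset_text, pkt):
    """Return (verdict, matched_rule_text) for the first packet of a flow.
    ipf's built-in default when nothing matches is 'pass', hence the need
    for an explicit final block in a real ruleset."""
    verdict, hit = "pass", "<ipf default: no rule matched>"
    for line in ruleset_text.splitlines():
        rule = parse_rule(line)
        if rule and matches(rule, pkt):
            verdict, hit = rule["action"], rule["text"]
            if rule["quick"]:
                break                  # quick ends the walk; otherwise last match wins
    return verdict, hit


# Constructed excerpt in the page's shape: border blocks WITHOUT quick,
# followed by the quick pass rules that appear later in the file.
AS_WRITTEN = """\
block in log on tun0 from 192.168.0.0/16 to any
block out log on tun0 from any to 192.168.0.0/16
pass out quick on tun0 proto tcp from any to any flags S keep state
pass in quick on tun0 proto tcp from any to 192.168.1.2 port = 22 flags S keep state
block in log quick all
block out log quick all
"""

# The same excerpt with 'quick' added to the border blocks.
HARDENED = (AS_WRITTEN.replace("block in log on", "block in log quick on")
                      .replace("block out log on", "block out log quick on"))

# Constructed packets (addresses invented for the demonstration).
SPOOFED_IN = {"dir": "in", "iface": "tun0", "proto": "tcp",
              "src": "192.168.77.5", "dst": "192.168.1.2", "dport": 22, "flags": "S"}
LEAK_OUT = {"dir": "out", "iface": "tun0", "proto": "tcp",
            "src": "203.0.113.10", "dst": "192.168.50.9", "dport": 445, "flags": "S"}

if __name__ == "__main__":
    for name, rs in (("as written", AS_WRITTEN), ("with quick", HARDENED)):
        for label, pkt in (("spoofed inbound", SPOOFED_IN), ("private-dst outbound", LEAK_OUT)):
            verdict, hit = decide(rs, pkt)
            print(f"{name:11} {label:21} -> {verdict:5} via: {hit}")
```

Run as written, both packets come back as pass: the non-quick block records a tentative verdict that the later 'pass ... quick' rule overturns. With 'quick' on the border blocks, both are blocked at the border rule itself, which is the behaviour the "block rfc1918 stuff at the border" comment intends.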