# short packets which are packets fragmented too short to be real.
block in log quick all with short

# allow loopback
pass in quick on lo0 all
pass out quick on lo0 all

# allow outgoing
pass out quick proto tcp all flags S keep state
pass out quick proto udp all keep state

# just in case it goes horribly wrong...
pass in quick from 148.88.18.69/32 to any keep state
pass in quick from 148.88.8.4/32 to any keep state
pass in quick from 148.88.8.7/32 to any keep state

# block incoming by default
block in log first proto tcp all keep state
block in proto udp all
block in proto icmp all

# just drop this traffic
# 'serverless DHCP'
block in quick from 169.254.0.0/16 to any
# drop class D (multicast) and class E (unused?)
block in quick from 224.0.0.0/3 to any
block in quick from any to 224.0.0.0/3

# enable this to allow incoming FTP connections (i.e. FTP server here)
#pass in quick proto tcp from any to any port = 21 flags S keep state
# Passive connections need this (assuming 15000-20000 is used for PASV FTP)
#pass in quick proto tcp from any to any port 15000 >< 20000 flags S keep state

# allow outgoing DNS
pass out quick from any to any port = 53 keep state

# allow SSH from local nets
pass in quick proto tcp from 148.88.0.0/16 to any port = 22 flags S keep state
pass in quick proto tcp from 194.80.32.0/21 to any port = 22 flags S keep state
pass in quick proto tcp from 10.0.0.0/8 to any port = 22 flags S keep state

# allow ICMP from local nets
pass in quick proto icmp from 148.88.0.0/16 to any keep state
pass in quick proto icmp from 194.80.32.0/21 to any keep state
#pass in quick proto icmp from 10.0.0.0/8 to any keep state

# return RST packets for invalid SYN packets to help the other end close
block return-rst in log proto tcp all flags S/SA
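The ordering above only works because of how ipf evaluates rules: the last matching rule wins, except that a matching rule marked "quick" ends evaluation at once. So the non-quick "block in ... proto tcp all" near the top is a default that later quick "pass" rules override, and the final non-quick "block return-rst" only governs SYNs nothing earlier accepted. The following is an added example, not part of the original ruleset: a small Python model of that evaluation over a hand-transcribed subset of the inbound rules (source-address, protocol, port and SYN matching only; "log", "keep state", "with short" and the destination-address multicast rule are not modelled).

```python
import ipaddress

# Subset of the page's inbound rules, in the page's order (transcribed for this
# example). Fields: action, quick, proto (None = any), source net,
# destination port (None = any), syn_only (models "flags S" / "flags S/SA").
RULES = [
    ("pass",             True,  None,   "148.88.18.69/32", None, False),
    ("pass",             True,  None,   "148.88.8.4/32",   None, False),
    ("pass",             True,  None,   "148.88.8.7/32",   None, False),
    ("block",            False, "tcp",  "0.0.0.0/0",       None, False),
    ("block",            False, "udp",  "0.0.0.0/0",       None, False),
    ("block",            False, "icmp", "0.0.0.0/0",       None, False),
    ("block",            True,  None,   "169.254.0.0/16",  None, False),
    ("block",            True,  None,   "224.0.0.0/3",     None, False),
    ("pass",             True,  "tcp",  "148.88.0.0/16",   22,   True),
    ("pass",             True,  "tcp",  "194.80.32.0/21",  22,   True),
    ("pass",             True,  "tcp",  "10.0.0.0/8",      22,   True),
    ("pass",             True,  "icmp", "148.88.0.0/16",   None, False),
    ("pass",             True,  "icmp", "194.80.32.0/21",  None, False),
    ("block return-rst", False, "tcp",  "0.0.0.0/0",       None, True),
]

def matches(rule, proto, src, dport, syn):
    """True if an inbound packet (proto, src, dport, syn) matches the rule."""
    _action, _quick, r_proto, net, port, syn_only = rule
    if r_proto is not None and r_proto != proto:
        return False
    if ipaddress.ip_address(src) not in ipaddress.ip_network(net):
        return False
    if port is not None and dport != port:
        return False
    if syn_only and not syn:
        return False
    return True

def evaluate(proto, src, dport=None, syn=False):
    """Verdict for an inbound packet under ipf semantics: the LAST matching
    rule wins, unless a matching rule is 'quick', which stops evaluation.
    With no matching rule at all, ipf's default is to pass."""
    verdict = "pass"
    for rule in RULES:
        if matches(rule, proto, src, dport, syn):
            verdict = rule[0]
            if rule[1]:          # quick: stop here, this verdict is final
                break
    return verdict
```

Running it shows why the commented-out ICMP line matters: an ICMP packet from 10.0.0.0/8 hits the non-quick "block in proto icmp all" and no later rule passes it, so it is dropped.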