###########################
# begin ruleset
###########################

# loopback rules
pass out quick on lo0 all
pass in quick on lo0 all

# drop itsy bitsy frags
block in quick on ae0 proto tcp all with short

# drop source routed packets
block in quick on ae0 all with opt lsrr
block in quick on ae0 all with opt ssrr

# drop NMAP scans (Xmas-style probes with FIN, URG and PUSH set)
block in log quick on ae0 proto tcp from any to any flags FUP

# don't allow anyone to spoof non-routable addresses
block in quick on ae0 from 127.0.0.0/8 to any
block in quick on ae0 from 172.16.0.0/12 to any
block in quick on ae0 from 10.0.0.0/8 to any
block out quick on ae0 from any to 127.0.0.0/8
block out quick on ae0 from any to 172.16.0.0/12
block out quick on ae0 from any to 10.0.0.0/8

# only allow our machines to connect via ssh
# NOTE: "from any" admits every source; replace "any" with your own
# management network (placeholder, e.g. 192.0.2.0/24) to match this comment.
# "port" needs a proto of tcp or udp, and "flags S keep state" lets the rest
# of the connection through on state rather than on this rule.
pass in quick on ae0 proto tcp from any to any port = 22 flags S keep state

# allow others to use http and https
# keep state is needed here: "flags S/SA" matches only the initial SYN, so
# without state every later packet of the connection would hit the default deny
pass in quick on ae0 proto tcp from any to any port = 80 flags S/SA keep state
pass in quick on ae0 proto tcp from any to any port = 443 flags S/SA keep state

# and let out-going traffic out and maintain state on established connections
pass out on ae0 proto tcp from any to any keep state
pass out on ae0 proto udp from any to any keep state
pass out on ae0 proto icmp from any to any keep state

# add support for traceroute (time exceeded and unreachable replies)
pass in quick on ae0 proto icmp from any to any icmp-type 11
pass in quick on ae0 proto icmp from any to any icmp-type 3

# finally lock the rest down with a default deny
block in quick on ae0 from any to any

#############################
# end ruleset
#############################
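The following is an added Python example, not part of this ruleset or of IPFilter itself: a small evaluator for a constructed subset of the rules above, showing ipf's last-match-wins semantics, how "quick" ends the search, and why the trailing "block in ... from any to any" is needed. It assumes packets are plain dicts (dir, iface, proto, src, dst, dport, flags) and does not model keep state, "with short"/"with opt", or icmp-type.

```python
import ipaddress
# Constructed subset of the ruleset above (order preserved), enough to show how
# ipf picks a rule. Not modelled: keep state, "with short"/"with opt", icmp-type.
RULES_TEXT = """
block in quick on ae0 from 127.0.0.0/8 to any
block in quick on ae0 from 10.0.0.0/8 to any
pass in quick on ae0 proto tcp from any to any port = 22
pass in quick on ae0 proto tcp from any to any port = 80 flags S/SA
pass out on ae0 proto tcp from any to any
block in quick on ae0 from any to any
"""
KEYS = {"on": "iface", "proto": "proto", "from": "src", "to": "dst", "flags": "flags"}
def parse_rule(line):
    t = line.split()
    r = {"action": t[0], "dir": t[1], "quick": "quick" in t, "iface": None,
         "proto": None, "src": "any", "dst": "any", "port": None, "flags": None}
    for i, w in enumerate(t):
        if w in KEYS:
            r[KEYS[w]] = t[i + 1]
        elif w == "port":            # "port = N"; treated as destination port here
            r["port"] = int(t[i + 2])
    return r
RULES = [parse_rule(ln) for ln in RULES_TEXT.splitlines() if ln.strip() and ln[0] != "#"]

def addr_match(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def flags_match(spec, pkt_flags):
    # "S/SA": S must be set and A clear; with no mask ipf compares all of FSRPAU
    want, _, mask = spec.partition("/")
    return all((c in pkt_flags) == (c in want) for c in (mask or "FSRPAU"))

def matches(r, p):
    return (r["dir"] == p["dir"] and r["iface"] in (None, p["iface"])
            and r["proto"] in (None, p["proto"])
            and addr_match(r["src"], p["src"]) and addr_match(r["dst"], p["dst"])
            and r["port"] in (None, p.get("dport"))
            and (not r["flags"] or flags_match(r["flags"], p.get("flags", ""))))

def evaluate(rules, p):
    """ipf: the LAST matching rule wins unless a match says 'quick', which ends the
    search; with no match the default is pass, hence the final 'block in' rule."""
    verdict = "pass"
    for r in rules:
        if matches(r, p):
            verdict = r["action"]
            if r["quick"]:
                break
    return verdict
def pkt(direction, proto, src, dst, dport=None, flags=""):
    return {"dir": direction, "iface": "ae0", "proto": proto, "src": src,
            "dst": dst, "dport": dport, "flags": flags}
```

Evaluating an inbound ACK to port 80 returns "block", which is what happens to the rest of an accepted connection when a SYN-only rule is written without keep state; an outbound UDP packet returns "pass" although no rule mentions it, because ipf's built-in default is pass.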