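#
# pf ruleset for a two-interface gateway: eth1 is the external interface
# (address 192.0.2.1, NAT target below); 10.1.1.0/24 is the LAN behind it,
# with 10.1.1.1 the firewall's LAN address. Rule labels look like Firewall
# Builder output, so hand edits may be overwritten on the next regeneration.
#
set limit { frags 5000, states 10000 }
set timeout interval 10
set timeout frag 30
set optimization normal

#
# Scrub rules
#
# Reassemble fragments before filtering so rules see whole packets.
scrub in all fragment reassemble

#
# Rule 0(NAT)
#
# Only tcp/udp/icmp from the LAN are translated. Any other protocol that
# matches the 'masquerading' pass rules below would leave eth1 with its
# private 10.1.1.0/24 source address untouched -- presumably unintended,
# confirm whether other protocols are expected to cross eth1 at all.
nat on eth1 proto {tcp udp icmp} from 10.1.1.0/24 to any -> 192.0.2.1

#
# Rule 0(eth1)
# Anti-spoofing rule
#
# Packets arriving on the external interface must never claim the
# firewall's own addresses or the LAN prefix as source. These are 'quick',
# so they take effect before the interface-agnostic pass rules further down.
block in log quick on eth1 inet from { 192.0.2.1 , 10.1.1.1 } to any label "RULE 0 -- DROP "
block in log quick on eth1 inet from 10.1.1.0/24 to any label "RULE 0 -- DROP "

#
# Rule 0(lo)
# allow everything on loopback
#
pass in quick on lo inet from any to any label "RULE 0 -- ACCEPT "
pass out quick on lo inet from any to any label "RULE 0 -- ACCEPT "

#
# Rule 0(global)
# ssh access to firewall
#
# Not bound to an interface; LAN-sourced packets on eth1 are already
# dropped by the anti-spoofing rules above, so in practice this only
# matches on the internal interface.
pass in quick inet proto tcp from 10.1.1.0/24 to { 192.0.2.1 , 10.1.1.1 } port 22 keep state label "RULE 0 -- ACCEPT "

#
# Rule 1(global)
# firewall uses DNS server on LAN
#
# Destination is the whole LAN prefix, not a single resolver; if the
# resolver has a fixed address, narrowing 10.1.1.0/24 to that host would
# match the comment and limit what the firewall can reach on port 53.
pass out quick inet proto tcp from { 192.0.2.1 , 10.1.1.1 } to 10.1.1.0/24 port 53 keep state label "RULE 1 -- ACCEPT "
pass out quick inet proto udp from { 192.0.2.1 , 10.1.1.1 } to 10.1.1.0/24 port 53 keep state label "RULE 1 -- ACCEPT "

#
# Rule 2(global)
# 'masquerading' rule
#
# LAN hosts may initiate anything outbound; reply traffic rides the state
# created here. NOTE(review): nat is applied before outbound filtering, so
# translated packets on eth1 carry source 192.0.2.1 and do not match the
# 'pass out ... from 10.1.1.0/24' rule; they are expected to be passed by
# the state created on the inbound rule instead (default floating state
# policy) -- confirm if state-policy is ever set to if-bound.
pass in quick inet from 10.1.1.0/24 to any keep state label "RULE 2 -- ACCEPT "
pass out quick inet from 10.1.1.0/24 to any keep state label "RULE 2 -- ACCEPT "

#
# Rule 3(global)
# 'catch all' rule
#
# Logged default deny for IPv4. Being 'quick' and matching all inet
# traffic, nothing below it can match an IPv4 packet.
block in log quick inet from any to any label "RULE 3 -- DROP "
block out log quick inet from any to any label "RULE 3 -- DROP "

#
# Address-family gap
#
# Every rule in this file is restricted to 'inet'. pf passes a packet that
# matches no rule at all, so without the rules below IPv6 traffic would be
# passed unfiltered on every interface, bypassing the anti-spoofing and
# catch-all rules entirely. Drop it explicitly (and log it, so any IPv6 on
# the wire becomes visible).
block in log quick inet6 from any to any label "RULE 3 -- DROP inet6"
block out log quick inet6 from any to any label "RULE 3 -- DROP inet6"

#
# Rule fallback rule
# fallback rule
#
# Unreachable for IPv4 (Rule 3 already drops everything inet with 'quick');
# kept as the generator's safety net.
block in quick inet from any to any label "RULE 10000 -- DROP "
block out quick inet from any to any label "RULE 10000 -- DROP "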