# don't filter on the loopback interface
set skip on lo

# scrub incoming packets
scrub in

# block spoofed packets
antispoof quick for { lo vic0 }

# set up a default deny policy
block all

# enable services:

# ping
#pass in inet proto icmp icmp-type echoreq

# ssh
#pass in proto tcp to port ssh

# http(s)
#pass in proto tcp to port www
#pass in proto tcp to port https

# ftp
#pass in proto tcp to port ftp
#pass in proto tcp to port > 49151
#pass out proto tcp from port ftp-data