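#
# ipf.conf -- IPFilter ruleset for this host; iprb0 is the external interface.
# Every rule below carries "quick", so the first matching rule decides a packet
# and the final "block ... all" pair catches everything not explicitly passed.
#
# My IP address = 10.2.3.51/24
# DNS server = 10.2.3.40, 10.2.3.42
# NTP upstream server = 10.1.1.123
#
#
# rules for test use (they pass everything -- keep them commented out unless testing)
#
#pass in quick all
#pass out quick all
#
# log and drop packets which have IP options / are fragments, and TCP packets
# too short to carry a full header.
# NOTE(review): "with ipopts frag" lists two conditions in one clause; if
# packets with IP options and fragmented packets should each be dropped on
# their own, split this into two rules -- confirm intent.
#
block in log quick on iprb0 from any to any with ipopts frag
block in log quick on iprb0 proto tcp from any to any with short
#
# IP Spoofing rule: inbound packets may not claim a loopback source address
# or this host's own address.
#
block in quick from 127.0.0.0/8 to any
block in quick from 10.2.3.51 to any
#
# deny local addresses (private, bogon and multicast/reserved ranges).
# 10.0.0.0/8 stays commented out because this host lives in 10.2.3.0/24.
#
#block in quick from 10.0.0.0/8 to any
block in quick from 172.16.0.0/12 to any
block in quick from 192.168.0.0/16 to any
block in quick from 0.0.0.0/8 to any
block in quick from 169.254.0.0/16 to any
block in quick from 192.0.2.0/24 to any
block in quick from 224.0.0.0/4 to any
block in quick from 240.0.0.0/4 to any
#
# packets on loopback device (but it seems that Solaris wouldn't use lo0...)
# NOTE(review): if loopback filtering is ever enabled, the cleanup rules at the
# end would drop lo0 traffic; this rule (plus a matching "pass out") would then
# need to be enabled.
#
#pass in quick on lo0 all
#
# allow incoming HTTP: only new connections (SYN set, ACK clear); the rest of
# the conversation is matched by the state entry.
#
pass in quick on iprb0 proto tcp from any port > 1023 to 10.2.3.51 port = 80 flags S/SA keep state
#
# allow outgoing DNS query (replies are matched by the state entry)
#
pass out quick on iprb0 proto udp from 10.2.3.51 to 10.2.3.40 port = 53 keep state
pass out quick on iprb0 proto udp from 10.2.3.51 to 10.2.3.42 port = 53 keep state
#
# allow NTP packets: queries from this host to the upstream server, and
# queries from the local subnet to this host.
# (source port written as "port = 123" to match the port syntax used elsewhere)
#
pass out quick on iprb0 proto udp from 10.2.3.51 port = 123 to 10.1.1.123 port = 123 keep state
pass in quick on iprb0 proto udp from 10.2.3.0/24 to 10.2.3.51 port = 123 keep state
#
# cleanup rule: everything not explicitly passed above is logged and dropped.
#
block out log quick all
block in log quick all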