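# pf.conf - OpenBSD packet filter ruleset for a two-interface NAT gateway.
# Read by pfctl(8); syntax-check with `pfctl -nf /etc/pf.conf` before loading.
# pf evaluates rules top to bottom and the LAST matching rule wins, unless a
# rule carries "quick", in which case evaluation stops at that rule.

# --- Macros ---------------------------------------------------------------
# External interface, facing the internet.
ext_if="em0"
# Internal interface, facing the LAN.
int_if="nfe0"
# TCP ports accepted from the internet on $ext_if. Only 22 (ssh) for now;
# add further ports inside the braces, e.g. "{22 443}".
tcp_services="{22}"
# ICMP types accepted inbound. "echoreq" lets ping through. This macro must
# stay defined (not commented out): the icmp pass rule below references
# $icmp_types and pfctl refuses to load a ruleset that uses an undefined macro.
icmp_types="echoreq"

# --- Options --------------------------------------------------------------
# Blocked packets are answered with TCP RST / ICMP unreachable. Friendlier to
# the sender, but it also tells a scanner that the host is up; "drop" is the
# quieter alternative.
set block-policy return
# Log on the external interface so suspicious activity shows up on pflog0.
set loginterface $ext_if
# Loopback traffic is never filtered; nothing from outside arrives on it.
set skip on lo

# --- Normalisation / NAT --------------------------------------------------
# Reassemble fragments and clear the don't-fragment bit on all inbound packets.
match in all scrub (no-df)
# NAT: anything leaving via $ext_if that did not originate from $ext_if itself
# is rewritten to $ext_if's primary address.
nat on $ext_if from !($ext_if) -> ($ext_if:0)

# --- Filter rules ---------------------------------------------------------
# Default deny for inbound traffic; every later "pass in" is an explicit hole.
block in
# Outbound traffic is not filtered at all. Note this covers both the gateway's
# own connections and packets forwarded out of $int_if towards the LAN.
pass out keep state
# Drop packets whose source address could not legitimately arrive on the
# loopback or internal interface.
antispoof quick for { lo $int_if }
# Inbound from the internet: only the ports listed in $tcp_services, and only
# new connections (SYN set, ACK clear); replies ride on the created state.
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
# Inbound ICMP of the types in $icmp_types, on EVERY interface including $ext_if.
pass in inet proto icmp all icmp-type $icmp_types keep state
# Protect a local X11 server: refuse TCP 6000-6010 from every non-loopback
# source, LAN hosts included. The rule is "quick" and deliberately sits BEFORE
# the "pass in quick on $int_if" rule: a non-quick block placed after that pass
# rule is never evaluated for LAN traffic, because "quick" stops evaluation at
# the pass rule, so the X11 ports would stay open to the internal network.
block in quick on ! lo0 proto tcp to port 6000:6010
# Everything else arriving on the internal interface is trusted and passed at once.
pass in quick on $int_if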