#
# Only allow TCP packets in/out of le0 if there is an outgoing connection setup
# somewhere, waiting for it.
#
pass out quick on le0 proto tcp from any to any flags S/SAFR keep state
block out on le0 proto tcp all
block in on le0 proto tcp all
#
# allow nameserver queries and replies to pass through, but no other UDP
#
pass out quick on le0 proto udp from any to any port = 53 keep state
block out on le0 proto udp all
block in on le0 proto udp all
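To see exactly which packets these rules let through, here is an added Python model of IPFilter's evaluation order (state table first, then rules top to bottom with the last match winning unless `quick` stops the search), run over constructed sample traffic; it is not part of this file, and it ignores the TCP sequence/window checks and the timeouts that real ipf state entries carry.

```python
from collections import namedtuple
# direction is "in"/"out" on le0; src/dst are (address, port); flags are TCP letters like "SA".
Packet = namedtuple("Packet", "direction proto src dst flags", defaults=[""])
# flags is (set, mask) as in "flags S/SAFR"; dport is the "to any port = N" clause.
Rule = namedtuple("Rule", "action direction proto quick flags dport keep_state",
                  defaults=[False, None, None, False])

def rule_matches(rule, pkt):
    if (rule.direction, rule.proto) != (pkt.direction, pkt.proto):
        return False
    if rule.dport is not None and pkt.dst[1] != rule.dport:
        return False
    if rule.flags is not None:   # within the mask, exactly the listed flags must be set
        want, mask = rule.flags
        return set(pkt.flags) & set(mask) == set(want)
    return True

# The six rules from the file above, hand-translated (no parser here).
RULES = [Rule("pass", "out", "tcp", quick=True, flags=("S", "SAFR"), keep_state=True),
         Rule("block", "out", "tcp"), Rule("block", "in", "tcp"),
         Rule("pass", "out", "udp", quick=True, dport=53, keep_state=True),
         Rule("block", "out", "udp"), Rule("block", "in", "udp")]

class Firewall:
    def __init__(self, rules):
        self.rules, self.state = rules, set()   # state keys: (proto, src, dst)
    def filter(self, pkt):
        key = (pkt.proto, pkt.src, pkt.dst)
        # State is consulted before the rules and matches either direction.
        if key in self.state or (pkt.proto, pkt.dst, pkt.src) in self.state:
            return "pass"
        result, winner = "pass", None   # ipf passes by default; last match wins unless quick
        for rule in self.rules:
            if rule_matches(rule, pkt):
                result, winner = rule.action, rule
                if rule.quick:
                    break
        if result == "pass" and winner is not None and winner.keep_state:
            self.state.add(key)
        return result

def demo():   # constructed sample traffic, one packet per scenario
    fw, me, web, dns = Firewall(RULES), ("10.0.0.1", 40000), ("192.0.2.10", 80), ("203.0.113.53", 53)
    return [fw.filter(Packet("out", "tcp", me, web, "S")),             # outbound SYN: pass, state kept
            fw.filter(Packet("in", "tcp", web, me, "SA")),             # SYN-ACK reply: pass via state
            fw.filter(Packet("in", "tcp", ("198.51.100.5", 5555), ("10.0.0.1", 22), "S")),  # block
            fw.filter(Packet("out", "tcp", ("10.0.0.1", 40001), web, "A")),  # no SYN, no state: block
            fw.filter(Packet("out", "udp", ("10.0.0.1", 5000), dns)),  # DNS query: pass, state kept
            fw.filter(Packet("in", "udp", dns, ("10.0.0.1", 5000))),   # DNS reply: pass via state
            fw.filter(Packet("out", "udp", ("10.0.0.1", 5001), ("203.0.113.53", 123)))]  # block
```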