# natd
add divert natd all from any to any via xl0
# localhost allowed
add allow ip from any to any via lo0
add deny ip from any to 127.0.0.0/8
# connections whose state we have kept
# are allowed through
add check-state
# RFC 1918 and other non-routable source ranges
add drop all from 0.0.0.0/8 to any in recv xl0
add drop all from 10.0.0.0/8 to any in recv xl0
add drop all from 127.0.0.0/8 to any in recv xl0
add drop all from 169.254.0.0/16 to any in recv xl0
add drop all from 172.16.0.0/12 to any in recv xl0
add drop all from 192.0.2.0/24 to any in recv xl0
# add drop all from 200.201.202.140 to any in recv xl0
# add drop all from 192.168.0.0/16 to any in recv xl0
add drop all from 204.152.64.0/23 to any in recv xl0
add drop all from 240.0.0.0/4 to any in recv xl0
# IANA blocks and unused networks
add drop all from 1.0.0.0/8 to any
add drop all from 2.0.0.0/8 to any
add drop all from 5.0.0.0/8 to any
add drop all from 7.0.0.0/8 to any
add drop all from 23.0.0.0/8 to any
add drop all from 27.0.0.0/8 to any
add drop all from 31.0.0.0/8 to any
add drop all from 37.0.0.0/8 to any
add drop all from 39.0.0.0/8 to any
add drop all from 41.0.0.0/8 to any
add drop all from 42.0.0.0/8 to any
add drop all from 49.0.0.0/8 to any
add drop all from 50.0.0.0/8 to any
add drop all from 58.0.0.0/8 to any
add drop all from 59.0.0.0/8 to any
add drop all from 60.0.0.0/8 to any
#
# 65.*/8 - 79.*/8
add drop all from 70.0.0.0/8 to any
add drop all from 71.0.0.0/8 to any
add drop all from 72.0.0.0/8 to any
add drop all from 73.0.0.0/8 to any
add drop all from 74.0.0.0/8 to any
add drop all from 75.0.0.0/8 to any
add drop all from 76.0.0.0/8 to any
add drop all from 77.0.0.0/8 to any
add drop all from 78.0.0.0/8 to any
add drop all from 79.0.0.0/8 to any
#
# 80.*/8 - 95.*/8
add drop all from 83.0.0.0/8 to any
add drop all from 84.0.0.0/8 to any
add drop all from 85.0.0.0/8 to any
add drop all from 86.0.0.0/8 to any
add drop all from 87.0.0.0/8 to any
add drop all from 88.0.0.0/8 to any
add drop all from 89.0.0.0/8 to any
add drop all from 90.0.0.0/8 to any
add drop all from 91.0.0.0/8 to any
add drop all from 92.0.0.0/8 to any
add drop all from 93.0.0.0/8 to any
add drop all from 94.0.0.0/8 to any
add drop all from 95.0.0.0/8 to any
#
# 96.*/8 - 111.*/8
add drop all from 96.0.0.0/8 to any
add drop all from 97.0.0.0/8 to any
add drop all from 98.0.0.0/8 to any
add drop all from 99.0.0.0/8 to any
add drop all from 100.0.0.0/8 to any
add drop all from 101.0.0.0/8 to any
add drop all from 102.0.0.0/8 to any
add drop all from 103.0.0.0/8 to any
add drop all from 104.0.0.0/8 to any
add drop all from 105.0.0.0/8 to any
add drop all from 106.0.0.0/8 to any
add drop all from 107.0.0.0/8 to any
add drop all from 108.0.0.0/8 to any
add drop all from 109.0.0.0/8 to any
add drop all from 110.0.0.0/8 to any
add drop all from 111.0.0.0/8 to any
#
# 112.*/8 - 126.*/8
add drop all from 112.0.0.0/8 to any
add drop all from 113.0.0.0/8 to any
add drop all from 114.0.0.0/8 to any
add drop all from 115.0.0.0/8 to any
add drop all from 116.0.0.0/8 to any
add drop all from 117.0.0.0/8 to any
add drop all from 118.0.0.0/8 to any
add drop all from 119.0.0.0/8 to any
add drop all from 120.0.0.0/8 to any
add drop all from 121.0.0.0/8 to any
add drop all from 122.0.0.0/8 to any
add drop all from 123.0.0.0/8 to any
add drop all from 124.0.0.0/8 to any
add drop all from 125.0.0.0/8 to any
add drop all from 126.0.0.0/8 to any
#
# 220.*/8 - 223.*/8
add drop all from 223.0.0.0/8 to any
#
# pains in the ass and the lamers of the moment
add drop all from 213.42.37.6 to any
add drop all from 193.119.42.253 to any
# allow this host to connect anywhere
add allow all from 201.202.203.144 to 201.202.203.144
add pass tcp from 201.202.203.144 to any out setup keep-state
add pass udp from 201.202.203.144 to any out keep-state
add pass ip from 201.202.203.144 to any out
add deny all from 200.201.203.144 to any
# Block IP options used for illegal routing
add deny ip from any to any ipoptions rr
add deny ip from any to any ipoptions ts
add deny ip from any to any ipoptions lsrr
add deny ip from any to any ipoptions ssrr
# Block OS version detection by port scanners such as Nmap
add deny tcp from any to any tcpflags syn,fin
add deny tcp from any to any tcpflags syn,rst
# Assorted other junk
add deny tcp from any 0 to any
add deny tcp from any to any 0
add deny udp from any 0 to any
add deny udp from any to any 0
# frag clause for handling IP fragments
add allow all from any to any frag
add allow ip from any to any via xl1
add allow ip from 200.201.202.140 to any via xl0
# allow the WAN to reach some UDP services
#add pass udp from any to 200.201.202.140 1024-65535 in
# (ICMP) network troubleshooting, management and control
# 0=Echo Reply
# 3=Destination Unreachable
# 8=Echo Request
# 11=TTL Exceeded
#add pass icmp from any to 200.201.202.140 icmptypes 0,3,8,11
# first block the IPs, then let the rest through
add deny ip from any to 127.0.0.1 in
add deny ip from any to 200.201.202.140 in
add deny ip from any to 192.168.0.254 in
add allow ip from any to any
# EOF -DjSpider8 06072003
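The per-/8 drops under "IANA blocks and unused networks" encode the unallocated address space of 2003, and a bogon list baked into a firewall blocks legitimate traffic once those blocks are allocated. The following added example (not part of the original ruleset) parses ipfw `add drop|deny <proto> from <src> to any` lines, skips commented-out rules, and reports which dropped source prefixes still fall inside special-purpose, non-routable space (RFC 6890 registry plus multicast and 240/4) and which should be reviewed; the embedded rule excerpt is constructed from the file above.

```python
import ipaddress
import re

# Special-purpose / non-routable IPv4 space (RFC 6890 registry, multicast and
# reserved 240/4). Packets sourced from here should never arrive on the WAN side,
# so dropping them stays valid; any other prefix dropped below needs review.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.88.99.0/24", "192.168.0.0/16", "198.18.0.0/15",
    "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4",
)]
# Source field of an ipfw "add drop|deny <proto> from <src> to any ..." rule.
RULE_RE = re.compile(r"^\s*add\s+(?:drop|deny)\s+\S+\s+from\s+(\S+)\s+to\s+any\b")

def parse_drop_sources(ruleset: str):
    """Source prefixes of every active (uncommented) drop/deny rule."""
    sources = []
    for line in ruleset.splitlines():
        if line.lstrip().startswith("#"):
            continue  # commented-out rule: ipfw never loads it
        m = RULE_RE.match(line)
        if not m:
            continue
        try:
            sources.append(ipaddress.ip_network(m.group(1), strict=False))
        except ValueError:
            continue  # "any", "me" or a port-qualified source: not a prefix
    return sources

def classify(net: ipaddress.IPv4Network) -> str:
    """'bogon' if fully inside a non-routable range, otherwise 'review'."""
    return "bogon" if any(net.subnet_of(r) for r in NON_ROUTABLE) else "review"

def audit(ruleset: str) -> dict:
    """Map each dropped source prefix to 'bogon' (still justified) or 'review'."""
    return {str(n): classify(n) for n in parse_drop_sources(ruleset)}

# Constructed excerpt of the ruleset above (not the whole file).
SAMPLE_RULES = """\
add drop all from 10.0.0.0/8 to any in recv xl0
# add drop all from 192.168.0.0/16 to any in recv xl0
add drop all from 240.0.0.0/4 to any in recv xl0
add drop all from 1.0.0.0/8 to any
add drop all from 213.42.37.6 to any
add deny tcp from any 0 to any
"""
if __name__ == "__main__":
    for net, verdict in audit(SAMPLE_RULES).items():
        print(f"{net:18s} {verdict}")
```

A 'review' verdict means the prefix is not special-purpose today, so the rule most likely drops ordinary allocated unicast; check current allocation before keeping it.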