## Block everything inbound; unmatched inbound packets are logged
block in log all

## Allow outbound traffic; 'keep state' lets the return traffic back in
## ('flags S' means only a SYN creates state, so established TCP sessions
## ride on the state table, not on these rules)
pass out quick proto tcp from any to any flags S keep state keep frags
pass out quick proto udp from any to any keep state keep frags

## ICMP (note: this passes every inbound ICMP type, not just echo/unreachable)
pass in quick proto icmp from any to any
pass out quick proto icmp from any to any

##
## Allow localhost traffic
## (only TCP is passed on lo0; local UDP, e.g. to a resolver on 127.0.0.1,
## still falls through to 'block in log all')
##
pass in quick on lo0 proto tcp from 127.0.0.1/32 to 127.0.0.1/32

## Allow ssh from management host (typically not needed on a desktop)
pass in quick proto tcp from 1.2.3.4/32 to any port = 22 flags S keep state keep frags
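The rules above rely on IPFilter's evaluation order: the last matching rule wins, except that a rule marked `quick` ends evaluation on the spot, which is why a bare `block in log all` at the top can be overridden by the later `pass in quick` rules. The following simulator is an added example, not code from the original page or from the IPFilter project; it parses the subset of `ipf.conf` syntax used above and applies that last-match/`quick` logic to constructed sample packets. The interface name `em0`, the addresses `10.0.0.5`, `5.6.7.8` and `8.8.8.8`, and the `Packet`/`Rule` types are assumptions for the example; `keep state` and `keep frags` are deliberately not modelled, so each packet is judged by the rules alone.

```python
"""Simulate IPFilter (ipf.conf) rule evaluation: last matching rule wins
unless a rule carries 'quick', which ends evaluation immediately.
Added example for the ruleset above; 'keep state'/'keep frags' are not
modelled, so every packet is judged against the rules alone."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed copy of the page's rules with the comment lines removed.
RULESET = """\
block in log all
pass out quick proto tcp from any to any flags S keep state keep frags
pass out quick proto udp from any to any keep state keep frags
pass in quick proto icmp from any to any
pass out quick proto icmp from any to any
pass in quick on lo0 proto tcp from 127.0.0.1/32 to 127.0.0.1/32
pass in quick proto tcp from 1.2.3.4/32 to any port = 22 flags S keep state keep frags
"""

@dataclass
class Packet:
    direction: str              # "in" or "out"
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    iface: str = "em0"          # assumed external interface name
    syn_only: bool = False      # TCP with only SYN set, i.e. what 'flags S' matches

@dataclass
class Rule:
    action: str
    direction: str
    quick: bool
    iface: Optional[str]
    proto: Optional[str]
    src: Optional[ipaddress.IPv4Network]   # None means 'any'
    dst: Optional[ipaddress.IPv4Network]
    dport: Optional[int]
    flags_s: bool
    text: str

def _net(token):
    return None if token == "any" else ipaddress.ip_network(token, strict=False)

def parse_rule(line):
    """Parse the subset of ipf.conf syntax used in the ruleset above."""
    t = line.split()
    r = Rule(action=t[0], direction=t[1], quick=False, iface=None, proto=None,
             src=None, dst=None, dport=None, flags_s=False, text=line)
    i = 2
    while i < len(t):
        w = t[i]
        if w in ("log", "all"):
            i += 1
        elif w == "quick":
            r.quick = True; i += 1
        elif w == "on":
            r.iface = t[i + 1]; i += 2
        elif w == "proto":
            r.proto = t[i + 1]; i += 2
        elif w == "from":
            r.src = _net(t[i + 1]); i += 2
        elif w == "to":
            r.dst = _net(t[i + 1]); i += 2
        elif w == "port":                 # 'port = N'
            r.dport = int(t[i + 2]); i += 3
        elif w == "flags":
            r.flags_s = (t[i + 1] == "S"); i += 2
        elif w == "keep":                 # 'keep state' / 'keep frags': not modelled
            i += 2
        else:
            raise ValueError(f"unsupported token {w!r} in {line!r}")
    return r

def parse_ruleset(text):
    return [parse_rule(l) for l in text.splitlines() if l.strip() and not l.startswith("#")]

def matches(r, p):
    return (r.direction == p.direction
            and (r.iface is None or r.iface == p.iface)
            and (r.proto is None or r.proto == p.proto)
            and (r.src is None or ipaddress.ip_address(p.src) in r.src)
            and (r.dst is None or ipaddress.ip_address(p.dst) in r.dst)
            and (r.dport is None or r.dport == p.dport)
            and (not r.flags_s or p.syn_only))

def evaluate(rules, p):
    """Return (action, rule_text): last match wins, a 'quick' match stops the scan."""
    decision = ("pass", None)             # IPFilter passes a packet that no rule matches
    for r in rules:
        if matches(r, p):
            decision = (r.action, r.text)
            if r.quick:
                break
    return decision

RULES = parse_ruleset(RULESET)

if __name__ == "__main__":
    samples = [
        Packet("in", "tcp", "1.2.3.4", "10.0.0.5", dport=22, syn_only=True),   # mgmt ssh
        Packet("in", "tcp", "5.6.7.8", "10.0.0.5", dport=22, syn_only=True),   # other ssh
        Packet("in", "udp", "127.0.0.1", "127.0.0.1", dport=53, iface="lo0"),  # local DNS
        Packet("in", "icmp", "8.8.8.8", "10.0.0.5"),                           # any ICMP
    ]
    for p in samples:
        print(p.direction, p.proto, p.src, "->", p.dst, p.dport, "=>", evaluate(RULES, p))
```

Running it shows the two points worth checking before deploying the ruleset: the management-host SSH SYN passes while the same SYN from any other address is blocked by the top rule, and UDP on `lo0` is blocked because the localhost rule only names `proto tcp`.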