# The name of our network interface as seen in `ifconfig`
    ext_if="re0"

    # Macros to define the set of TCP and UDP ports to open.
    # Add additional ports or ranges separated by commas.
    # UDP 60000-60010 is mosh control http://mosh.mit.edu/
    tcp_services = "{ssh, https}"
    udp_services = "{60000:60010}"

    # If you block all ICMP requests you will break things like path MTU
    # discovery. These macros define allowed ICMP types. The additional
    # ICMPv6 types are for neighbor discovery (RFC 4861)
    icmp_types = "{echoreq, unreach}"
    icmp6_types="{echoreq, unreach, 133, 134, 135, 136, 137}"

    # Modulate the initial sequence number of TCP packets.
    # Broken operating systems sometimes don't randomize this number,
    # making it guessable.
    tcp_state="flags S/SA keep state"
    udp_state="keep state"

    # Don't send rejections. Just drop.
    set block-policy drop

    # Exempt the loopback interface to prevent services utilizing the
    # local loop from being blocked accidentally.
    set skip on lo0

    # all incoming traffic on external interface is normalized and fragmented
    # packets are reassembled.
    scrub in on $ext_if all fragment reassemble

    # set a default deny policy.
    block in log all

    # This is a desktop so be permissive in allowing outgoing connections.
    pass out quick modulate state

    # Enable antispoofing on the external interface
    antispoof for $ext_if inet
    antispoof for $ext_if inet6

    # block packets that fail a reverse path check. we look up the routing
    # table, check to make sure that the outbound is the same as the source
    # it came in on. if not, it is probably source address spoofed.
    block in from urpf-failed to any

    # drop broadcast requests quietly.
    block in quick on $ext_if from any to 255.255.255.255

    # Allow the services defined in the macros at the top of the file
    pass in on $ext_if inet proto tcp from any to any port $tcp_services $tcp_state
    pass in on $ext_if inet6 proto tcp from any to any port $tcp_services $tcp_state

    pass in on $ext_if inet proto udp from any to any port $udp_services $udp_state
    pass in on $ext_if inet6 proto udp from any to any port $udp_services $udp_state

    # Allow ICMP
    pass inet proto icmp all icmp-type $icmp_types keep state
    pass inet6 proto icmp6 all icmp6-type $icmp6_types keep state