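# pf6.conf syntax:
# - empty lines allowed; only full line comments beginning with '#'
# - lines beginning with whitespace continue last line
# - ruleset begin: 'R>ruleset'
# - rules only for IPv4 begin with '4>', IPv6 with '6>'
# - if no 4/6 given, rule is executed for both
# - lines beginning with 'PRINT>' are only printed

# ---%<--- delete this block
R> start
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P FORWARD ACCEPT
# --->%--- until here and change the ruleset name 'start2' -> 'start', and
# customize the rules for your needs...

R> start2
#-----------------------------------------------------------------------------
# 'established': accept packets that conntrack already associates with a
# connection this host opened or accepted (replies), plus packets related to
# one (e.g. ICMP errors). INPUT consults this chain before 'inbase'.
-N established
-A established -m state --state ESTABLISHED -j ACCEPT
-A established -m state --state RELATED -j ACCEPT
#-----------------------------------------------------------------------------
# 'inbase': services reachable from anywhere. Every rule here matches on the
# *destination* port of the incoming packet; replies to queries this host
# sent itself are already handled by 'established' above.
-N inbase
4> -A inbase -p icmp -j ACCEPT
6> -A inbase -p icmpv6 -j ACCEPT
-A inbase -p tcp --dport ssh -j ACCEPT
-A inbase -p tcp --dport domain -j ACCEPT
-A inbase -p udp --dport domain -j ACCEPT
-A inbase -p udp --dport ntp -j ACCEPT
# The earlier rule '-A inbase -p udp --sport ntp -j ACCEPT' was removed: it
# matched only on the source port, so any UDP datagram sent from port 123
# reached every UDP socket on this host regardless of destination port.
# It is not needed: NTP replies to this host's own queries match
# 'established', and NTP peers send from port 123 to port 123, which the
# --dport ntp rule above already accepts.
# REJECT rather than DROP for ident (auth): presumably so remote services
# that probe ident get an immediate refusal instead of waiting for a timeout.
-A inbase -p tcp --dport auth -j REJECT
#-----------------------------------------------------------------------------
# 'input': per-host additions; uncomment or add rules for local services.
-N input
#-A input -p tcp --dport http -j ACCEPT
#-----------------------------------------------------------------------------
-A INPUT -i lo -j ACCEPT
-A INPUT -j established
-A INPUT -j inbase
-A INPUT -j input
# Default policies are set after the chains are populated. Whether pf6 loads
# a ruleset atomically (as iptables-restore would) is not visible from this
# file -- TODO confirm before relying on the load order.
-P INPUT DROP
-P OUTPUT ACCEPT
-P FORWARD DROP
##############################################################################
##############################################################################

# Emergency ruleset: loopback plus SSH only, without connection tracking.
# Because it is stateless, INPUT is limited to destination port 22 and
# OUTPUT to source port 22; outbound connections from other source ports
# are dropped.
R> ssh
-P INPUT DROP
-P OUTPUT DROP
-P FORWARD DROP
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp --sport 22 -j ACCEPT
PRINT>
PRINT> SSH only ruleset (stateless) loaded
PRINT>

# end.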