# firewall shouldn't run on loopback and the LAN
set skip on { lo, internal }

# normalize packets (assemble fragments, remove overlaps, etc)
scrub on external

# perform NATing between the LAN and the outside
nat on external from internal:network -> (external:0)

# "pass all" is the implicit first rule, replace it
block all

# statefully allow outbound connections
pass out quick on external

# prevent address spoofing attacks
antispoof for { lo, internal }
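The ordering of those filter rules only makes sense once you keep pf's evaluation model in mind: rules are walked top to bottom, the last matching rule wins, `quick` stops the walk, `set skip` exempts an interface from filtering entirely, and `antispoof for <if>` expands to `block in on ! <if> from <if>:network`. The following added example (not part of the original ruleset, and not pf code) is a small stateless model of that evaluation, run over the page's filter rules with constructed packets; the interface names come from the page, while the addresses (`192.168.1.0/24` for `internal`, `203.0.113.5` for the external address) are assumptions. The state table is not modelled, so replies to outbound connections, which real pf would admit via state, show up here as "block" like any other unsolicited inbound packet.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed addressing (assumption, not from the page).
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")   # internal:network
LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")      # lo:network
SKIP_IFACES = {"lo", "internal"}                         # set skip on { lo, internal }


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out"
    iface: str       # interface the packet is seen on
    src: str
    dst: str


@dataclass(frozen=True)
class Rule:
    text: str                        # the pf.conf line this rule models
    action: str                      # "pass" or "block"
    direction: Optional[str] = None  # None matches both directions ("all")
    iface: Optional[str] = None      # None matches any interface
    negate_iface: bool = False       # models "on ! iface"
    src_net: Optional[ipaddress.IPv4Network] = None
    quick: bool = False

    def matches(self, pkt: Packet) -> bool:
        if self.direction is not None and pkt.direction != self.direction:
            return False
        if self.iface is not None:
            on_iface = pkt.iface == self.iface
            # "on X" wants on_iface True, "on ! X" wants it False
            if on_iface == self.negate_iface:
                return False
        if self.src_net is not None and ipaddress.ip_address(pkt.src) not in self.src_net:
            return False
        return True


# The page's filter rules in file order (nat/scrub are not filter rules).
# antispoof is shown in its expanded form.
RULESET = [
    Rule("block all", "block"),
    Rule("pass out quick on external", "pass", "out", "external", quick=True),
    Rule("block in on ! lo from lo:network", "block", "in", "lo",
         negate_iface=True, src_net=LOOPBACK_NET),
    Rule("block in on ! internal from internal:network", "block", "in", "internal",
         negate_iface=True, src_net=INTERNAL_NET),
]


def evaluate(pkt: Packet, ruleset=RULESET) -> Tuple[str, str]:
    """Return (verdict, reason) using pf's last-match-wins walk with quick."""
    if pkt.iface in SKIP_IFACES:
        return "pass", "set skip on " + pkt.iface
    verdict, reason = "pass", "implicit pass (no rule matched)"
    for rule in ruleset:
        if rule.matches(pkt):
            verdict, reason = rule.action, rule.text
            if rule.quick:
                break
    return verdict, reason


if __name__ == "__main__":
    # Constructed sample traffic.
    samples = [
        Packet("out", "external", "203.0.113.5", "198.51.100.1"),   # NATed outbound
        Packet("in", "external", "198.51.100.1", "203.0.113.5"),    # unsolicited inbound
        Packet("in", "external", "192.168.1.50", "203.0.113.5"),    # spoofed LAN source
        Packet("in", "internal", "192.168.1.10", "198.51.100.1"),   # LAN side, skipped
    ]
    for p in samples:
        print(p.direction, "on", p.iface, p.src, "->", p.dst, "=>", evaluate(p))
```

Reordering the rules in `RULESET` is a quick way to see why the page places `block all` first: move it after `pass out quick on external` and the outbound rule still wins because of `quick`, but move the antispoof blocks above a non-quick pass and the pass would override them.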