# pf.conf for a host that speaks BGP with two fixed peers.
#
# Macros. The peer list is space-separated so it can be expanded inside a
# { } list below; the service list is kept in a macro so it is edited in
# one place.
spamd_sources = "198.51.100.198 198.18.0.191"
tcp_services  = "{ smtp, ssh, http }"

# Loopback and the IPsec pseudo-interface are never filtered.
set skip on lo
set skip on enc0

# Rejected packets are answered (TCP RST / ICMP unreachable) rather than
# silently dropped.
set block-policy return

# Default deny in both directions; every rule after this is an exception.
block

# Outbound name resolution and time synchronisation.
pass out proto { tcp, udp } to port 53
pass out proto udp to port ntp

# ICMP in both directions, no type restriction.
pass proto icmp

# UDP probe range used by traceroute, both directions.
pass proto udp to port 33434:33534

# TCP services. No direction keyword, so this admits connections from any
# source to these ports on this host as well as outbound connections to them.
pass proto tcp to port $tcp_services

# BGP sessions with the configured peers are always allowed, in both
# directions; "quick" stops evaluation so the per-client limit below does
# not apply to them.
pass quick proto tcp from { $spamd_sources } to any port bgp
pass quick proto tcp from any to { $spamd_sources } port bgp

# Any other source may open at most one BGP connection at a time (tracked
# per rule), and a 5-second FIN_WAIT timeout releases the slot promptly.
pass in proto tcp to any port bgp \
    keep state (source-track rule, max-src-states 1, tcp.finwait 5)