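# Define interfaces
ext_if="sis0"
int_if="sis1"

# Define wl ip range
wlnet="{172.16.0.0/12}"

# Maximum number of stateful entries per source ip address
max_states="10"

# Enable nat for Wireless Leiden ip range
# Only $wlnet sources are translated; anything else leaving via $ext_if
# would go out with its original, untranslated source address.
nat on $ext_if from $wlnet to any -> ($ext_if)

# Enable stateful firewalling
# source-track rule: states created by this rule are counted per source
# address; max-src-states caps that count at $max_states per source.
pass out on $ext_if all keep state (source-track rule, max-src-states $max_states)

# Allow everything on lo0
pass on lo0 all

# Block everything which isn't allowed further on
# (default deny for inbound traffic; there is no "block out" rule, so
# outbound traffic on $int_if falls through to pf's implicit pass)
block in all

# Allow ports

# Management SSH to the gateway itself on the external interface.
pass in \
    on $ext_if \
    inet proto { tcp } from any to $ext_if \
    port { 22 } keep state

# SSH and DNS (tcp) from the wireless range to the gateway.
pass in \
    on $int_if \
    inet proto { tcp } from $wlnet to $int_if \
    port { 22, 53 } keep state

# DNS (udp) from the wireless range to the gateway.
pass in \
    on $int_if \
    inet proto { udp } from $wlnet to $int_if \
    port { 53 } keep state

# HTTP/HTTPS forwarded from the wireless range to anywhere.
# Restricted to "from $wlnet" like the other $int_if rules: the nat rule
# above only translates $wlnet, so a packet with any other source address
# arriving on $int_if would otherwise be passed, given a state, and
# forwarded out of $ext_if untranslated.
pass in \
    on $int_if \
    inet proto { tcp } from $wlnet to any \
    port { 80, 443 } keep state

# ICMP from the wireless range to the gateway (stateless, as originally written).
pass in \
    on $int_if \
    inet proto { icmp } from $wlnet to $int_if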