[FreeBSD] ipfilter & ssh

block in log all
pass out all

pass in on lo0 all

block in log quick on sis0 from 0.0.0.0/32 to any
block in log quick on sis0 from 255.255.255.255/32 to any
block in log quick on sis0 from 127.0.0.0/8 to any
block in log quick on sis0 from any to 0.0.0.0/32
block in log quick on sis0 from any to 255.255.255.255/32
block in log quick on sis0 from any to 127.0.0.0/8

block in log quick on sis0 from 192.168.0.0/16 to any
block in log quick on sis0 from 172.16.0.0/12 to any
block in log quick on sis0 from 10.0.0.0/8 to any

block in quick on sis0 from 0.0.0.0/8 to any
block in quick on sis0 from 169.254.0.0/16 to any
block in quick on sis0 from 192.0.2.0/24 to any
block in quick on sis0 from 224.0.0.0/4 to any
block in quick on sis0 from 240.0.0.0/4 to any
block in quick on sis0 from any to 0.0.0.0/8
block in quick on sis0 from any to 169.254.0.0/16
block in quick on sis0 from any to 224.0.0.0/4
block in quick on sis0 from any to 240.0.0.0/4
block out log quick on sis0 from any to 0.0.0.0/8
block out log quick on sis0 from any to 169.254.0.0/16
block out log quick on sis0 from any to 192.0.2.0/24
block out log quick on sis0 from any to 224.0.0.0/4
block out log quick on sis0 from any to 240.0.0.0/4

block out log quick on sis0 proto tcp from any to any port = 520
block out log quick on sis0 proto udp from any to any port = 520

pass in quick on sis0 proto icmp all icmp-type 0
pass in quick on sis0 proto icmp all icmp-type 3
pass in quick on sis0 proto icmp all icmp-type 8
pass in quick on sis0 proto icmp all icmp-type 11

pass in quick on sis0 proto tcp/udp from any to any port = ssh keep state
pass in quick on sis0 proto tcp/udp from any to any port = ident keep state
pass in quick on sis0 proto tcp from any to any port = 20 flags S/SA keep state
pass in quick on sis0 proto tcp from any to any port = 80 flags S/SA keep state
pass in quick on sis0 proto tcp from any to any port = 25 flags S/SA keep state
pass in quick on sis0 proto tcp from any to any port = 53 flags S/SA keep state
pass in quick on sis0 proto tcp from any to any port = 21 flags S/SA keep state
pass in quick on sis0 proto tcp from any to any port = 23 flags S/SA keep state
pass in quick on sis0 proto tcp from any to any port = 110 flags S/SA keep state

block in on sis0 proto tcp all flags S/SA
block out on sis0 proto tcp all flags SA/SA 

pass out on sis0 proto tcp all keep state

#block return-rst in on sis0 proto tcp from any to any port = 113

debug1: dh_gen_key: priv key bits set: 135/256
debug1: bits set: 1589/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'djuri.djuri.nl' is known and matches the DSA host key.
debug1: Found key in /home/djuri/.ssh/known_hosts:2
debug1: bits set: 1601/3191
debug1: ssh_dss_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT

pass in quick on sis0 proto udp from any to any port = 53 keep state
pass out quick on sis0 proto udp from any to any port = 53 keep state