# Host firewall ruleset for 192.168.1.1 on interface eth0.
# NOTE(review): the rule dialect is not identified here -- the from/to/port
# syntax resembles IPFilter/pf, but `option small_frags` is not a keyword I
# can place. Confirm which packet filter consumes this file, because match
# order (first-match vs last-match) and the meaning of `established` depend
# on it; if the filter is first-match, the two `block ... all` rules below
# would shadow every pass rule that follows them.
# NOTE(review): in the source, every `pass` rule is preceded by `#`. If that
# is a comment marker (rather than a collapsed blank comment line), the pass
# rules are disabled and the effective policy is deny-all in both directions
# -- confirm against the original file before relying on this ruleset.

# drop packets composed of small fragments
# (presumably to defeat tiny-fragment evasion of the port checks below; the
# option's exact semantics depend on the filter -- verify)
option small_frags on eth0

# default behavior = deny everything
# No log directive is visible on these rules; if the filter supports one,
# logging the default deny is what makes the rest of this file auditable.
block in on eth0 all
block out on eth0 all

# allow DNS resolution to our nameserver
# Only UDP/53 to/from 192.168.1.254 is allowed. No rule permits TCP/53, so a
# truncated (oversized) response that retries over TCP would be blocked.
# The `port > 1023` checks match the client's ephemeral-port range; they are
# not a security boundary, since the remote peer chooses its own source port.
# pass out on eth0 proto udp from 192.168.1.1 port > 1023 to 192.168.1.254 port = 53
# pass in on eth0 proto udp from 192.168.1.254 port = 53 to 192.168.1.1 port > 1023

# allow inbound ICMP traffic (ping)
# Echo requests are accepted from any source with no rate limit visible here;
# only echo replies are allowed back out, so every other ICMP type (e.g.
# unreachable, time-exceeded) falls under the default block in both directions.
# pass in on eth0 proto icmp from any to 192.168.1.1 icmp-type echo
# pass out on eth0 proto icmp from 192.168.1.1 to any icmp-type echorep

# allow RDP (Terminal Services) administration from our administration subnet
# Trust rests solely on the source address 10.42.42.0/24, which is not the
# 192.168.1.x network eth0's own addresses sit on and therefore arrives
# routed; without anti-spoofing filtering upstream, a forged source address
# passes this rule. Outbound replies are restricted to `established`
# connections, while the inbound rule accepts any TCP segment to 3389 from
# that subnet. Note the source-port bound is `> 1024` here but `> 1023` in
# the DNS rules above -- presumably unintentional; confirm which is meant.
# pass in on eth0 proto tcp from 10.42.42.0/24 port > 1024 to 192.168.1.1 port = 3389
# pass out on eth0 proto tcp from 192.168.1.1 port = 3389 to 10.42.42.0/24 port > 1024 established