# Default deny.
block all

# Don't block loopback.
pass on lo0

# Allow outgoing DNS, needed by pfctl to resolve names.
pass out proto { tcp, udp } from any to any port 53 keep state

# Allow outgoing ping request, might be needed by dhclient to validate
# old (but valid) leases in /var/db/dhclient.leases in case it needs to
# fall back to such a lease (the DHCP server can be down or not responding).
pass out inet proto icmp all icmp-type echoreq keep state

# Allow IPv6 router/neighbor solicitation and advertisement.
pass out inet6 proto icmp6 all icmp6-type neighbrsol
pass in inet6 proto icmp6 all icmp6-type neighbradv
pass out inet6 proto icmp6 all icmp6-type routersol
pass in inet6 proto icmp6 all icmp6-type routeradv