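# localhost-to-localhost packets that are too short for a complete header or are fragments
pass in from localhost to localhost with short,frags
# Any packet carrying IP options
block in from any to any with ipopts
# Packets with the nop, rr (record route) and zsu IP options
pass in from any to any with opt nop,rr,zsu
# Same options, but without strict or loose source routing (ssrr, lsrr)
pass in from any to any with opt nop,rr,zsu not opt ssrr,lsrr
# localhost-to-localhost packets that are not fragments
pass in from localhost to localhost with not frag
# TCP SYN packets that are not out of window (oow); keep state on them
pass in proto tcp all flags S with not oow keep state
# TCP SYN packets not flagged bad, bad-src or bad-nat
pass in proto tcp all flags S with not bad,bad-src,bad-nat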