pass in from localhost to localhost with short,frags
block in from any to any with ipopts
pass in from any to any with opt nop,rr,zsu
pass in from any to any with opt nop,rr,zsu not opt ssrr,lsrr
pass in from localhost to localhost with not frag
pass in proto tcp all flags S with not oow keep state
pass in proto tcp all flags S with not bad,bad-src,bad-nat