pass in all pass in from any to any no state pass in proto tcp from any port <= 1024 to any label foo_bar pass in proto tcp from any to any port = 25 pass in proto tcp from 10.0.0.0/8 port > 1024 to ! 10.1.2.3 port != 22 pass in proto igmp from 10.0.0.0/8 to 10.1.1.1 allow-opts pass in proto tcp from { 1.2.3.4, 1.2.3.5 } to any label \ "$nr:$proto:$srcaddr:$srcport:$dstaddr:$dstport"