pass in proto tcp from any to any port = www keep state (tcp.established 60) pass in proto tcp from any to any port = www keep state (max 10, no-sync, tcp.first 2)