| pass in from localhost to localhost with short | |
| block in from any to any with ipopts | |
| pass in from any to any with opt nop,rr,zsu | |
| pass in from any to any with opt nop,rr,zsu not opt ssrr,lsrr | |
| pass in from localhost to localhost with not frag | |
| pass in proto tcp all flags S with not oow keep state | |
| pass in proto tcp all flags S with not bad,bad-src,bad-nat |