list interfaces eth0 eth1 eth2
list internal eth0
list external eth1
list dmz eth2
list natdevs eth1 eth2
table filter
policy all DENY
build from list interfaces chain {interfaces}-in
build from list interfaces chain {interfaces}-fwd
build from list interfaces chain {interfaces}-out
chain INPUT
build from list interfaces rule {interfaces}-in device in {interfaces}
chain OUTPUT
build from list interfaces rule {interfaces}-out device out {interfaces}
chain FORWARD
build from list interfaces rule {interfaces}-fwd device in {interfaces}
chain accepts
	rule ACCEPT prot ipv6
	rule ACCEPT prot ipv6-route
	rule ACCEPT prot ipv6-frag
	rule ACCEPT proto tcp dest port smtp
	rule ACCEPT proto tcp dest port auth
	rule ACCEPT proto tcp dest port ssh
	rule ACCEPT proto tcp dest port ntp
	rule ACCEPT proto udp dest port ntp
	rule ACCEPT proto tcp dest port domain
	rule ACCEPT proto udp dest port domain
	rule ACCEPT prot udp dest port syslog
	rule ACCEPT prot udp dest port 6060:6070
	rule ACCEPT state RELATED,ESTABLISHED
chain attacks
	rule LOG prot tcp flags ALL ALL \
		limit 5/min burst 5 level debug prefix 'Merry-XMAS:'
	rule LOG prot tcp flags ALL FIN,PSH,URG \
		limit 5/min burst 5 level debug prefix 'NMAP-XMAS:'
	rule LOG prot tcp flags ALL FIN,SYN,RST,ACK,URG \
		limit 5/min burst 5 level debug prefix 'XMAS-PSH:'
	rule LOG prot tcp flags SYN,RST SYN,RST \
		limit 5/min burst 5 level debug prefix 'SYN/RST:'
	rule LOG prot tcp flags FIN,SYN FIN,SYN \
		limit rate 5/min burst 5 level debug prefix 'FIN/SYN:'
	rule LOG prot tcp option 64 \
		limit 5/min burst 5 level debug prefix 'Bogus TCP FLAG 64:'
	rule LOG prot tcp option 128 \
		limit 5/min burst 5 level debug prefix 'Bogus TCP FLAG 64:'
chain infilter
	rule attacks
	rule accepts
	rule LOG limit 10/min burst 5 level debug prefix 'infilter end: '
chain trusted
	rule ACCEPT prot icmp
	rule DROP state INVALID
	rule ACCEPT
chain dmz-fwd
	build from list external rule ACCEPT device out {external}
	rule ACCEPT state ESTABLISHED,RELATED
	rule REJECT
chain inetfwd
	rule attacks
	rule DROP state INVALID
	rule ACCEPT state ESTABLISHED,RELATED
	build from list dmz rule ACCEPT device out {dmz} \
		destination 213.157.15.48/29
	rule REJECT
build from list internal attach trusted to {internal}-in
build from list internal attach trusted to {internal}-fwd
build from list external attach infilter to {external}-in
build from list external attach inetfwd to {external}-fwd
build from list dmz attach dmz-fwd to {dmz}-fwd
build from list interfaces attach trusted to {interfaces}-out
table nat
chain POSTROUTING
build from list	natdevs rule MASQUERADE device out {natdevs} \
	source 192.168.0.0/16
build from list natdevs rule MASQUERADE device out {natdevs} \
	source 10.0.0.0/8 
build from list natdevs rule MASQUERADE device out {natdevs} \
	source 172.16.0.0/12
table mangle
chain OUTPUT
	rule TOS prot tcp dest port telnet tos Minimize-Delay
	rule TOS prot tcp dest port ssh tos Minimize-Delay
	rule TOS prot tcp dest port www tos Minimize-Delay
	rule TOS prot tcp dest port pop-3 tos Maximize-Reliability
	rule TOS prot tcp dest port ircd tos Minimize-Delay
	rule TOS prot tcp dest port smtp tos Maximize-Throughput