# le1 is connected to CCS ($IP_OF_WIRELESS_GATEWAY)
# de0 is connected to the wireless, private LAN (10.0.0.1)

# drop any packets with funky options
block in log quick all with short
block in log quick all with opt lsrr
block in log quick all with opt ssrr
block in log quick all with ipopts
block in log quick all with frags

# lo is cool.
pass in quick on lo0 all
pass out quick on lo0 all

# AppleTalk
pass in log quick proto ddp all
pass out log quick proto ddp all

# non-routable sucks
# if we ever see it coming in from CCS, drop it.
block in quick on le1 from 255.255.255.255/32 to any
block in quick on le1 from 192.168.0.0/16 to any
block in quick on le1 from 172.16.0.0/12 to any
block in quick on le1 from 127.0.0.0/8 to any
block in quick on le1 from 10.0.0.0/8 to any
block in quick on le1 from 0.0.0.0/32 to any

# if we ever try to send non-routable out to CCS, also drop it.
block out quick on le1 from any to 255.255.255.255/32
block out quick on le1 from any to 192.168.0.0/16
block out quick on le1 from any to 172.16.0.0/12
block out quick on le1 from any to 127.0.0.0/8
block out quick on le1