The first rule set was an extremely simple example, and even though we could use it to demonstrate some basics about how networks and packet filtering work, it is probably too simplistic for practical use. For a slightly more structured and complete setup, we can construct a slightly more realistic example. However, this rule set is still based on the single, stand-alone system that connects to one network.

In this configuration, we'll start by denying everything and then allowing only those things we know that we need.^[11] This gives us the opportunity to introduce two of the features that make PF such a wonderful tool: lists and macros.

We'll make some changes to /etc/pf.conf, starting with

block all