#Allow outbound FTP traffic
pass out break end proto ftp from any to any port=ftpcnt flags S!A inspect-state
#Allow any other outbound traffic and the replies back in
pass out break end inspect-state
#Allow incoming IPSEC
pass break end proto 50
pass in break end proto udp from any to any port=ike
pass in break end proto udp from any to any port=4500
#Allow any traffic within an IPSEC tunnel in both directions
pass break end oneroute any
#Allow incoming SSH and SFTP
pass in break end proto tcp from any to any port=22 flags S!A inspect-state
#Allow incoming HTTPS
pass in break end proto tcp from any to any port=443 flags S!A inspect-state
#Block and log everything else including incoming telnet, http and FTP
block log break end
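The rule list above reads as a policy: stateful outbound, IPsec and two stateful inbound services allowed, everything else blocked and logged. A reviewer wants to confirm that the text actually says that, so the following added example (not part of the original page and not the firewall's own tooling) parses the rules and runs three audit checks on them: the list ends in an unconditional logged block, every inbound TCP allow is SYN-only and state-tracked, and no inbound allow opens the services the final comment claims are blocked. The grammar it accepts is an assumption inferred only from the lines on the page (the token pair `break end` and `oneroute any` are kept as opaque keywords); the rule text embedded below is a copy of the page's list, and the name-to-port mapping used for the forbidden-service check is constructed for the example.

```python
"""Parse and audit a packet-filter rule list in the style shown on the page.

Added example. The grammar is an assumption drawn only from the page's lines:
  <action> [in|out] break end [proto P] [from A to B] [port=N] [flags F]
           [inspect-state] [log] [oneroute any]
It is not the firewall's own parser and assumes nothing about match order
except that the last rule is the default.
"""
from dataclasses import dataclass, field
from typing import Optional

# Copy of the page's rule list (comments are skipped by the parser).
RULES_TEXT = """\
#Allow outbound FTP traffic
pass out break end proto ftp from any to any port=ftpcnt flags S!A inspect-state
#Allow any other outbound traffic and the replies back in
pass out break end inspect-state
#Allow incoming IPSEC
pass break end proto 50
pass in break end proto udp from any to any port=ike
pass in break end proto udp from any to any port=4500
#Allow any traffic within an IPSEC tunnel in both directions
pass break end oneroute any
#Allow incoming SSH and SFTP
pass in break end proto tcp from any to any port=22 flags S!A inspect-state
#Allow incoming HTTPS
pass in break end proto tcp from any to any port=443 flags S!A inspect-state
#Block and log everything else including incoming telnet, http and FTP
block log break end
"""

# Constructed mapping for the audit; the page names these services, not the numbers.
FORBIDDEN_INBOUND = {"ftp", "21", "telnet", "23", "http", "80"}


@dataclass
class Rule:
    action: str                       # pass | block
    direction: Optional[str] = None   # in | out | None (both directions)
    proto: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    port: Optional[str] = None
    flags: Optional[str] = None
    stateful: bool = False            # inspect-state present
    log: bool = False
    options: list = field(default_factory=list)  # leftover tokens, e.g. oneroute any


def parse_rule(line: str) -> Rule:
    toks = line.split()
    rule = Rule(action=toks.pop(0))
    i = 0
    while i < len(toks):
        t = toks[i]
        if t in ("in", "out"):
            rule.direction = t
        elif t == "log":
            rule.log = True
        elif t == "inspect-state":
            rule.stateful = True
        elif t == "proto":
            i += 1; rule.proto = toks[i]
        elif t == "from":
            i += 1; rule.src = toks[i]
        elif t == "to":
            i += 1; rule.dst = toks[i]
        elif t.startswith("port="):
            rule.port = t.split("=", 1)[1]
        elif t == "flags":
            i += 1; rule.flags = toks[i]
        elif t == "break":
            i += 1  # 'break end' kept as an opaque keyword pair (assumption)
        else:
            rule.options.append(t)
        i += 1
    return rule


def parse_rules(text: str) -> list:
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def inbound_open_ports(rules: list) -> list:
    """(proto, port) pairs opened by explicit inbound pass rules."""
    return sorted((r.proto, r.port) for r in rules
                  if r.action == "pass" and r.direction == "in" and r.port)


def audit(rules: list) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    last = rules[-1]
    if not (last.action == "block" and last.log and last.proto is None and last.port is None):
        findings.append("last rule is not an unconditional 'block log' default")
    for r in rules:
        inbound_pass = r.action == "pass" and r.direction == "in"
        if inbound_pass and r.proto == "tcp" and (not r.stateful or r.flags != "S!A"):
            findings.append(f"inbound tcp port {r.port} allowed without 'flags S!A inspect-state'")
        if inbound_pass and r.port in FORBIDDEN_INBOUND:
            findings.append(f"inbound {r.proto} port {r.port} allowed but the policy says it is blocked")
    return findings


if __name__ == "__main__":
    parsed = parse_rules(RULES_TEXT)
    print("inbound open:", inbound_open_ports(parsed))
    print("findings:", audit(parsed) or "none")
```

The checks are deliberately order-independent (apart from requiring the final rule to be the logged default), because the page does not state whether the filter uses first- or last-match evaluation; they catch the common drift where someone later adds an inbound allow for a legacy service or drops `inspect-state` from a rule.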