[22.05-RELEASE][admin@6100-2.stevew.lan]/root: pfctl -sr
scrub on ix3 inet all fragment reassemble
scrub on ix3 inet6 all fragment reassemble
scrub on igc0 inet all fragment reassemble
scrub on igc0 inet6 all fragment reassemble
scrub on ix2 inet all fragment reassemble
scrub on ix2 inet6 all fragment reassemble
scrub on ix0 inet all fragment reassemble
scrub on ix0 inet6 all fragment reassemble
scrub on ix1 inet all fragment reassemble
scrub on ix1 inet6 all fragment reassemble
scrub on igc1 inet all fragment reassemble
scrub on igc1 inet6 all fragment reassemble
scrub on igc2 inet all fragment reassemble
scrub on igc2 inet6 all fragment reassemble
scrub on igc3 inet all fragment reassemble
scrub on igc3 inet6 all fragment reassemble
scrub on ath0_wlan0 inet all fragment reassemble
scrub on ath0_wlan0 inet6 all fragment reassemble
anchor "openvpn/*" all
anchor "ipsec/*" all
block drop in log quick inet from 169.254.0.0/16 to any label "Block IPv4 link-local" ridentifier 1000000101
block drop in log quick inet from any to 169.254.0.0/16 label "Block IPv4 link-local" ridentifier 1000000102
block drop in log inet all label "Default deny rule IPv4" ridentifier 1000000103
block drop out log inet all label "Default deny rule IPv4" ridentifier 1000000104
block drop in log inet6 all label "Default deny rule IPv6" ridentifier 1000000105
block drop out log inet6 all label "Default deny rule IPv6" ridentifier 1000000106
pass quick inet6 proto ipv6-icmp all icmp6-type unreach keep state ridentifier 1000000107
pass quick inet6 proto ipv6-icmp all icmp6-type toobig keep state ridentifier 1000000107
pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state ridentifier 1000000107
pass quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state ridentifier 1000000107
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state ridentifier 1000000108
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state ridentifier 1000000108
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state ridentifier 1000000108
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state ridentifier 1000000108
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state ridentifier 1000000108
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state ridentifier 1000000109
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state ridentifier 1000000109
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state ridentifier 1000000109
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state ridentifier 1000000109
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state ridentifier 1000000109
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state ridentifier 1000000110
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state ridentifier 1000000110
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state ridentifier 1000000110
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state ridentifier 1000000110
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state ridentifier 1000000110
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state ridentifier 1000000111
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state ridentifier 1000000111
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state ridentifier 1000000111
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbrsol keep state ridentifier 1000000111
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbradv keep state ridentifier 1000000111
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state ridentifier 1000000112
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state ridentifier 1000000112
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state ridentifier 1000000112
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state ridentifier 1000000112
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state ridentifier 1000000112
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type echoreq keep state ridentifier 1000000113
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type routersol keep state ridentifier 1000000113
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type routeradv keep state ridentifier 1000000113
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type neighbrsol keep state ridentifier 1000000113
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type neighbradv keep state ridentifier 1000000113
block drop log quick inet proto tcp from any port = 0 to any label "Block traffic from port 0" ridentifier 1000000114
block drop log quick inet proto udp from any port = 0 to any label "Block traffic from port 0" ridentifier 1000000114
block drop log quick inet proto tcp from any to any port = 0 label "Block traffic to port 0" ridentifier 1000000115
block drop log quick inet proto udp from any to any port = 0 label "Block traffic to port 0" ridentifier 1000000115
block drop log quick inet6 proto tcp from any port = 0 to any label "Block traffic from port 0" ridentifier 1000000116
block drop log quick inet6 proto udp from any port = 0 to any label "Block traffic from port 0" ridentifier 1000000116
block drop log quick inet6 proto tcp from any to any port = 0 label "Block traffic to port 0" ridentifier 1000000117
block drop log quick inet6 proto udp from any to any port = 0 label "Block traffic to port 0" ridentifier 1000000117
block drop log quick from to any label "Block snort2c hosts" ridentifier 1000000118
block drop log quick from any to label "Block snort2c hosts" ridentifier 1000000119
block drop in log quick proto tcp from to (self) port = ssh label "sshguard" ridentifier 1000000301
block drop in log quick proto tcp from to (self) port = https label "GUI Lockout" ridentifier 1000000351
block drop in log quick from to any label "virusprot overload table" ridentifier 1000000400
pass in quick on ix3 proto udp from any port = bootps to any port = bootpc keep state label "allow dhcp client out WAN" ridentifier 1000000461
pass out quick on ix3 proto udp from any port = bootpc to any port = bootps keep state label "allow dhcp client out WAN" ridentifier 1000000462
pass in quick on ix3 inet6 proto udp from fe80::/10 port = dhcpv6-client to fe80::/10 port = dhcpv6-client keep state label "allow dhcpv6 client in WAN" ridentifier 1000000463
pass in quick on ix3 proto udp from any port = dhcpv6-server to any port = dhcpv6-client keep state label "allow dhcpv6 client in WAN" ridentifier 1000000464
pass out quick on ix3 proto udp from any port = dhcpv6-client to any port = dhcpv6-server keep state label "allow dhcpv6 client out WAN" ridentifier 1000000465
block drop in log on ! ix3 inet from 172.21.16.0/24 to any ridentifier 1000001470
block drop in log inet from 172.21.16.170 to any ridentifier 1000001470
block drop in log on ix3 inet6 from fe80::92ec:77ff:fe0f:7443 to any ridentifier 1000001470
block drop in log on igc0 inet6 from fe80::92ec:77ff:fe0f:7447 to any ridentifier 1000002520
block drop in log on igc0 inet6 from fe80::1:1 to any ridentifier 1000002520
pass in quick on igc0 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server" ridentifier 1000002541
pass in quick on igc0 inet proto udp from any port = bootpc to 192.168.170.1 port = bootps keep state label "allow access to DHCP server" ridentifier 1000002542
pass out quick on igc0 inet proto udp from 192.168.170.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server" ridentifier 1000002543
pass quick on igc0 inet6 proto udp from fe80::/10 to fe80::/10 port = dhcpv6-client keep state label "allow access to DHCPv6 server" ridentifier 1000002551
pass quick on igc0 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-client keep state label "allow access to DHCPv6 server" ridentifier 1000002552
pass quick on igc0 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-server keep state label "allow access to DHCPv6 server" ridentifier 1000002553
pass quick on igc0 inet6 proto udp from ff02::/16 to fe80::/10 port = dhcpv6-server keep state label "allow access to DHCPv6 server" ridentifier 1000002554
pass in quick on ix2 proto udp from any port = bootps to any port = bootpc keep state label "allow dhcp client out WAN2" ridentifier 1000002561
pass out quick on ix2 proto udp from any port = bootpc to any port = bootps keep state label "allow dhcp client out WAN2" ridentifier 1000002562
block drop in log on ! ix2 inet from 192.168.241.0/24 to any ridentifier 1000003570
block drop in log inet from 192.168.241.10 to any ridentifier 1000003570
block drop in log on ix2 inet6 from fe80::92ec:77ff:fe0f:7444 to any ridentifier 1000003570
pass in on lo0 inet all flags S/SA keep state label "pass IPv4 loopback" ridentifier 1000009911
pass out on lo0 inet all flags S/SA keep state label "pass IPv4 loopback" ridentifier 1000009912
pass in on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback" ridentifier 1000009913
pass out on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback" ridentifier 1000009914
pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself" ridentifier 1000009915
pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself" ridentifier 1000009916
pass out route-to (ix3 172.21.16.1) inet from 172.21.16.170 to ! 172.21.16.0/24 flags S/SA keep state allow-opts label "let out anything from firewall host itself" ridentifier 1000010011
pass out route-to (ix2 192.168.241.1) inet from 192.168.241.10 to ! 192.168.241.0/24 flags S/SA keep state allow-opts label "let out anything from firewall host itself" ridentifier 1000010012
pass in quick on igc0 proto tcp from any to (igc0) port = https flags S/SA keep state label "anti-lockout rule" ridentifier 10001
pass in quick on igc0 proto tcp from any to (igc0) port = http flags S/SA keep state label "anti-lockout rule" ridentifier 10001
pass in quick on igc0 proto tcp from any to (igc0) port = ssh flags S/SA keep state label "anti-lockout rule" ridentifier 10001
anchor "userrules/*" all
pass in quick on ix3 reply-to (ix3 172.21.16.1) inet all flags S/SA keep state label "USER_RULE: Allow all ipv4+ipv6 via pfSsh.php" label "id:1644416432" ridentifier 1644416432
pass in quick on ix3 inet6 all flags S/SA keep state label "USER_RULE: Allow all ipv4+ipv6 via pfSsh.php" label "id:1644416432" ridentifier 1644416432
pass in quick on igc0 route-to (ix2 192.168.241.1) inet from 192.168.170.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any via WAN2" label "id:1660690673" label "gw:WAN2_DHCP" ridentifier 1660690673
pass in quick on igc0 inet from 192.168.170.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule" label "id:0100000101" ridentifier 100000101
anchor "tftp-proxy/*" all