TRANSLATION RULES:
# Translation (NAT/RDR) rules as loaded in the kernel.
# pf translation rules are first-match: each port-preserving "isakmp" rule must
# stay ahead of the general rule for the same source, or it is never reached.

# CARP traffic is exempt from NAT.
no nat proto carp all
# Sub-rulesets attached here; their contents are not part of this listing.
nat-anchor "natearly/*" all
nat-anchor "natrules/*" all
# Outbound NAT on em0 for the firewall's own loopback traffic.
# isakmp (port 500) keeps its source port (static-port); everything else is
# rewritten to 192.168.254.25 with a source port in 1024:65535.
nat on em0 inet from 127.0.0.0/8 to any port = isakmp -> 192.168.254.25 static-port
nat on em0 inet from 127.0.0.0/8 to any -> 192.168.254.25 port 1024:65535
# IPv6 loopback equivalents; (em0) resolves to the interface's current address(es).
nat on em0 inet6 from ::1 to any port = isakmp -> (em0) round-robin static-port
nat on em0 inet6 from ::1 to any -> (em0) port 1024:65535 round-robin
# Same rule pair for each internal source. NOTE(review): the role of
# 192.168.33.0/24 and 192.168.253.0/24 is not visible here; confirm each
# still maps to a network that should be translated out of em0.
nat on em0 inet from 192.168.33.0/24 to any port = isakmp -> 192.168.254.25 static-port
nat on em0 inet from 192.168.33.0/24 to any -> 192.168.254.25 port 1024:65535
nat on em0 inet from 192.168.253.0/24 to any port = isakmp -> 192.168.254.25 static-port
nat on em0 inet from 192.168.253.0/24 to any -> 192.168.254.25 port 1024:65535
# Single host 10.15.0.1; the filter rules use the same address as the
# reply-to gateway on ipsec1, so this is presumably the far end of the VTI.
nat on em0 inet from 10.15.0.1 to any port = isakmp -> 192.168.254.25 static-port
nat on em0 inet from 10.15.0.1 to any -> 192.168.254.25 port 1024:65535
# No redirection for CARP; the only rdr source is the tftp-proxy anchor
# (contents not shown).
no rdr proto carp all
rdr-anchor "tftp-proxy/*" all

FILTER RULES:
# Packet normalisation, followed by the VPN anchors.
# Traffic to or from <vpn_networks> is not reassembled, while em0 and ipsec1
# reassemble fragments for both address families.
# NOTE(review): the vpn_networks rules are listed ahead of the per-interface
# rules, presumably so they take precedence for VPN traffic; confirm the scrub
# matching order for this pf version.
scrub from any to <vpn_networks> fragment no reassemble
scrub from <vpn_networks> to any fragment no reassemble
scrub on em0 inet all fragment reassemble
scrub on em0 inet6 all fragment reassemble
scrub on ipsec1 inet all fragment reassemble
scrub on ipsec1 inet6 all fragment reassemble
# Anchors are evaluated at this position in the ruleset; their contents are not
# included in this listing, so anything they pass or block cannot be judged here.
anchor "openvpn/*" all
anchor "ipsec/*" all
# Baseline policy: IPv6 handling, link-local, default deny, port 0, IDS block table.
# In pf filter rules the last matching rule wins unless a rule is "quick",
# which ends evaluation at that rule.

# IPv6 on loopback is allowed before the blanket IPv6 block below.
pass in quick on lo0 inet6 all flags S/SA keep state (if-bound) label "descr=pass IPv6 loopback" ridentifier 1000000001
pass out quick on lo0 inet6 all flags S/SA keep state (if-bound) label "descr=pass IPv6 loopback" ridentifier 1000000002
# All other IPv6 is dropped and logged here, in both directions, with quick.
# Consequence: every inet6 rule that follows in this ruleset (NAT64 blocks,
# IPv6 default deny, IPv6 antispoof, the LAN IPv6 pass) can never match.
block drop in log quick inet6 all label "descr=Block all IPv6" ridentifier 1000000003
block drop out log quick inet6 all label "descr=Block all IPv6" ridentifier 1000000004
# Shadowed by the two quick rules above.
block drop in log quick inet6 from any to <_nat64reserved_> label "descr=Block NAT64 for non-global IPv4" ridentifier 1000000005
block drop out log quick inet6 from any to <_nat64reserved_> label "descr=Block NAT64 for non-global IPv4" ridentifier 1000000006
# IPv4 link-local (169.254.0.0/16) is dropped inbound as source or destination.
block drop in log quick inet from 169.254.0.0/16 to any label "descr=Block IPv4 link-local" ridentifier 1000000101
block drop in log quick inet from any to 169.254.0.0/16 label "descr=Block IPv4 link-local" ridentifier 1000000102
# Default deny. These rules are NOT quick: they only set the verdict for packets
# that no later rule matches, so any later pass rule overrides them.
block drop in log inet all label "descr=Default deny rule IPv4" label "tags=ruleset:e85581c4c9f01147" ridentifier 1000000103
block drop out log inet all label "descr=Default deny rule IPv4" label "tags=ruleset:e85581c4c9f01147" ridentifier 1000000104
block drop in log inet6 all label "descr=Default deny rule IPv6" label "tags=ruleset:e85581c4c9f01147" ridentifier 1000000105
block drop out log inet6 all label "descr=Default deny rule IPv6" label "tags=ruleset:e85581c4c9f01147" ridentifier 1000000106
# TCP/UDP with source or destination port 0 is dropped in either direction (IPv4 only).
block drop log quick inet proto tcp from any port = 0 to any label "descr=Block traffic from port 0" ridentifier 1000000107
block drop log quick inet proto udp from any port = 0 to any label "descr=Block traffic from port 0" ridentifier 1000000107
block drop log quick inet proto tcp from any to any port = 0 label "descr=Block traffic to port 0" ridentifier 1000000108
block drop log quick inet proto udp from any to any port = 0 label "descr=Block traffic to port 0" ridentifier 1000000108
# Hosts in the <snort2c> table are blocked as source and as destination.
# The table's contents are not shown in this listing.
block drop log quick from <snort2c> to any label "descr=Block snort2c hosts" ridentifier 1000000109
block drop log quick from any to <snort2c> label "descr=Block snort2c hosts" ridentifier 1000000110
# CARP, brute-force lockout tables, and DHCP client handling on em0.

# Inbound CARP claiming to come from one of the firewall's own addresses is
# dropped; all other CARP is passed statelessly.
block drop in log quick proto carp from (self) to any label "descr=CARP operation" ridentifier 1000000201
pass quick proto carp all no state label "descr=CARP operation" ridentifier 1000000202
# Sources in <sshguard> lose access to ssh and https on the firewall itself.
# Both rules are quick, so they take effect ahead of any later pass rule.
# NOTE(review): only ssh and https are covered; other services on (self)
# stay reachable for a listed source if a later rule passes them.
block drop in log quick proto tcp from <sshguard> to (self) port = ssh label "descr=sshguard" ridentifier 1000000301
block drop in log quick proto tcp from <sshguard> to (self) port = https label "descr=GUI Lockout" ridentifier 1000000351
# Sources in <virusprot> are dropped inbound for all protocols.
block drop in log quick from <virusprot> to any label "descr=virusprot overload table" ridentifier 1000000400
# DHCP: replies arriving on em0 are tagged "dhcpin" by the pass rule below, and
# this rule drops anything carrying that tag on the way out, so a reply
# received on em0 is not forwarded out of another interface.
block drop out quick proto udp from any port = bootps to any port = bootpc label "descr=Prevent routing dhcp responses" ridentifier 1000000451 tagged dhcpin
# Stateless allow for DHCP server -> client replies in on em0 (any source address).
pass in quick on em0 proto udp from any port = bootps to any port = bootpc no state label "descr=allow dhcp replies in WAN" ridentifier 1000000461 tag dhcpin
# Stateless allow for the firewall's own DHCP client requests out of em0.
pass out quick on em0 proto udp from any port = bootpc to any port = bootps no state label "descr=allow dhcp client out WAN" ridentifier 1000000462
# Antispoof rules for em0 and ipsec1.
# Two shapes: "on ! IF from NET" drops a directly connected network's addresses
# arriving on any other interface, and "from ADDR" drops inbound packets that
# claim one of the firewall's own addresses as source.
# NOTE(review): none of these rules is quick, so a later pass rule that matches
# the same packet overrides them. This ruleset has a later
# "pass in quick on em0 ... inet all" user rule (ridentifier 1778676401), which
# appears to cancel the own-address checks for IPv4 arriving on em0. Confirm.

# em0: the 192.168.254.0/24 network (and two host entries) seen on any other interface.
block drop in log on ! em0 inet from 192.168.254.0/24 to any label "descr=antispoof protection" ridentifier 1000001471
block drop in log on ! em0 inet from 192.168.254.34 to any label "descr=antispoof protection" ridentifier 1000001471
block drop in log on ! em0 inet from 192.168.254.33 to any label "descr=antispoof protection" ridentifier 1000001471
# inet6 rule: unreachable behind the quick "Block all IPv6" rules earlier in this ruleset.
block drop in log on em0 inet6 from fe80::a00:27ff:fed4:3e55 to any label "descr=antispoof protection" ridentifier 1000001471
# Own addresses as inbound source, on any interface.
block drop in log inet from 192.168.254.25 to any label "descr=antispoof protection" ridentifier 1000001471
block drop in log inet from 192.168.254.34 to any label "descr=antispoof protection" ridentifier 1000001471
block drop in log inet from 192.168.254.33 to any label "descr=antispoof protection" ridentifier 1000001471
# ipsec1: the 10.15.0.0/30 network seen on any other interface, plus own address 10.15.0.2.
block drop in log on ! ipsec1 inet from 10.15.0.0/30 to any label "descr=antispoof protection" ridentifier 1000002521
# inet6 rule: unreachable for the same reason as the em0 one above.
block drop in log on ipsec1 inet6 from fe80::a00:27ff:fed4:3e55 to any label "descr=antispoof protection" ridentifier 1000002521
block drop in log inet from 10.15.0.2 to any label "descr=antispoof protection" ridentifier 1000002521
# Automatic pass rules: loopback, outbound traffic, IPsec, management anti-lockout.

# IPv4 loopback in both directions.
pass in on lo0 inet all flags S/SA keep state (if-bound) label "descr=pass IPv4 loopback" ridentifier 1000004661
pass out on lo0 inet all flags S/SA keep state (if-bound) label "descr=pass IPv4 loopback" ridentifier 1000004662
# NOTE(review): despite the label, this rule has no source restriction. It
# matches any outbound IPv4 packet on any interface, including forwarded
# traffic that was already admitted inbound. allow-opts also lets packets
# carrying IP options through.
pass out inet all flags S/SA keep state (if-bound) allow-opts label "descr=let out anything IPv4 from firewall host itself" ridentifier 1000004663
# Traffic sourced from the firewall's em0 addresses to anything outside
# 192.168.254.0/24 is forced out of em0 via gateway 192.168.254.10.
pass out route-to (em0 192.168.254.10) inet from 192.168.254.25 to ! 192.168.254.0/24 flags S/SA keep state (if-bound) allow-opts label "descr=let out anything from firewall host itself" ridentifier 1000004761
pass out route-to (em0 192.168.254.10) inet from 192.168.254.33 to ! 192.168.254.0/24 flags S/SA keep state (if-bound) allow-opts label "descr=let out anything from firewall host itself" ridentifier 1000004762
pass out route-to (em0 192.168.254.10) inet from 192.168.254.34 to ! 192.168.254.0/24 flags S/SA keep state (if-bound) allow-opts label "descr=let out anything from firewall host itself" ridentifier 1000004763
# Same for the ipsec1 address, but without route-to.
pass out inet from 10.15.0.2 to ! 10.15.0.0/30 flags S/SA keep state (if-bound) allow-opts label "descr=let out anything from firewall host itself" ridentifier 1000004764
# Outbound on the IPsec interfaces. These two rules keep state without
# (if-bound), unlike the rest of the ruleset, so their states are not tied to
# a single interface.
pass out on enc0 all flags S/SA keep state label "descr=IPsec internal host to host" ridentifier 1000005062
pass out on ipsec1 all flags S/SA keep state label "descr=IPsec VTI floating states" ridentifier 1000005063
# Anti-lockout: quick pass for https and http to the ipsec1 address from ANY
# source arriving on ipsec1. It sits ahead of the userrules anchor and the
# user rules, so those cannot narrow it.
# NOTE(review): http is included. Confirm the management service does not
# accept logins over plaintext, and whether this automatic rule is still
# needed once an explicit, source-restricted management rule exists.
pass in quick on ipsec1 proto tcp from any to (ipsec1) port = https flags S/SA keep state (if-bound) label "descr=anti-lockout rule" ridentifier 10001
pass in quick on ipsec1 proto tcp from any to (ipsec1) port = http flags S/SA keep state (if-bound) label "descr=anti-lockout rule" ridentifier 10001
# User-defined rules followed by the automatic IPsec peer rules.

# Contents of this anchor are not part of the listing.
anchor "userrules/*" all
# NOTE(review): allow-all on em0. This passes every inbound IPv4 packet on em0
# (any protocol, source, destination and port) with quick. It therefore
# overrides the non-quick default-deny and antispoof rules for that interface,
# and makes the narrower "pass in on em0" IPsec rules below redundant.
# em0 is the NAT egress interface and is labelled WAN by the DHCP rules, and
# this rule has no descr label. Confirm it is intentional (e.g. a lab setup);
# otherwise restrict it to the sources and services actually required.
pass in quick on em0 reply-to (em0 192.168.254.10) inet all flags S/SA keep state (if-bound) label "id=1778676401" label "tags=user_rule" ridentifier 1778676401
# Default allow for <LAN__NETWORK> arriving on ipsec1; replies are sent back via 10.15.0.1.
pass in quick on ipsec1 reply-to (ipsec1 10.15.0.1) inet from <LAN__NETWORK> to any flags S/SA keep state (if-bound) label "id=0100000101" label "tags=user_rule" label "descr=Default allow LAN to any rule" ridentifier 100000101
# Unreachable: all non-loopback IPv6 is dropped by the quick "Block all IPv6"
# rules near the top of the filter ruleset.
pass in quick on ipsec1 inet6 from <LAN__NETWORK> to any flags S/SA keep state (if-bound) label "id=0100000102" label "tags=user_rule" label "descr=Default allow LAN IPv6 to any rule" ridentifier 100000102
# IPsec with peer 192.168.254.21: IKE (isakmp, UDP 500), NAT-T (ipsec-nat-t,
# UDP 4500) and ESP, each as an outbound/inbound pair. The inbound rules are
# scoped to the peer address on em0, which is the scoping the allow-all rule
# above lacks.
pass out inet proto udp from (self) to 192.168.254.21 port = isakmp keep state (if-bound) label "descr=IPsec: 192.168.254.21 - outbound isakmp" ridentifier 1000105201
pass in on em0 inet proto udp from 192.168.254.21 to (self) port = isakmp keep state (if-bound) label "descr=IPsec: 192.168.254.21 - inbound isakmp" ridentifier 1000105202
pass out inet proto udp from (self) to 192.168.254.21 port = ipsec-nat-t keep state (if-bound) label "descr=IPsec: 192.168.254.21 - outbound nat-t" ridentifier 1000105203
pass in on em0 inet proto udp from 192.168.254.21 to (self) port = ipsec-nat-t keep state (if-bound) label "descr=IPsec: 192.168.254.21 - inbound nat-t" ridentifier 1000105204
pass out inet proto esp from (self) to 192.168.254.21 keep state (if-bound) label "descr=IPsec: 192.168.254.21 - outbound esp proto" ridentifier 1000105205
pass in on em0 inet proto esp from 192.168.254.21 to (self) keep state (if-bound) label "descr=IPsec: 192.168.254.21 - inbound esp proto" ridentifier 1000105206
# Evaluated last and not quick-scoped here; contents are not part of the listing.
anchor "tftp-proxy/*" all
No queue in use

STATES:
em0 pfsync 192.168.254.25 -> 192.168.254.26       SINGLE:NO_TRAFFIC
em0 udp 192.168.254.34:500 -> 192.168.254.21:500       MULTIPLE:MULTIPLE
all tcp 192.168.254.25:443 <- 192.168.254.20:36037       ESTABLISHED:ESTABLISHED
em0 icmp 192.168.254.25:54731 -> 192.168.254.10:8       0:0
all tcp 192.168.254.25:443 <- 192.168.254.20:36288       FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.254.25:443 <- 192.168.254.20:36289       ESTABLISHED:ESTABLISHED
em0 udp 192.168.254.25:123 -> 80.233.131.171:123       MULTIPLE:SINGLE
lo0 udp ff02::1:2[547] <- fe80::a00:27ff:fed4:3e55[546]       NO_TRAFFIC:SINGLE
em0 udp 192.168.254.25:123 -> 162.159.200.1:123       MULTIPLE:SINGLE

INFO:
Status: Enabled for 0 days 00:34:09           Debug: Urgent

Interface Stats for ipsec1            IPv4             IPv6
  Bytes In                               0                0
  Bytes Out                              0                0
  Packets In
    Passed                               0                0
    Blocked                              0                0
  Packets Out
    Passed                              24                0
    Blocked                              1              123

State Table                          Total             Rate
  current entries                        9               
  searches                           27942           13.6/s
  inserts                              411            0.2/s
  removals                             402            0.2/s
Counters
  match                               5068            2.5/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                             74            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
  map-failed                             0            0.0/s
  translate                              0            0.0/s

LABEL COUNTERS:
descr=pass IPv6 loopback 5068 23 2488 23 2488 0 0 6
descr=pass IPv6 loopback 40 0 0 0 0 0 0 0
descr=Block all IPv6 4966 46 4748 46 4748 0 0 0
descr=Block all IPv6 3263 95 8676 0 0 95 8676 0
descr=Block NAT64 for non-global IPv4 0 0 0 0 0 0 0 0
descr=Block NAT64 for non-global IPv4 0 0 0 0 0 0 0 0
descr=Block IPv4 link-local 4905 0 0 0 0 0 0 0
descr=Block IPv4 link-local 1697 0 0 0 0 0 0 0
descr=Default deny rule IPv4 tags=ruleset:e85581c4c9f01147 309 0 0 0 0 0 0 0
descr=Default deny rule IPv4 tags=ruleset:e85581c4c9f01147 923 0 0 0 0 0 0 0
descr=Default deny rule IPv6 tags=ruleset:e85581c4c9f01147 923 0 0 0 0 0 0 0
descr=Default deny rule IPv6 tags=ruleset:e85581c4c9f01147 614 0 0 0 0 0 0 0
descr=Block traffic from port 0 4905 0 0 0 0 0 0 0
descr=Block traffic from port 0 4810 0 0 0 0 0 0 0
descr=Block traffic to port 0 4905 0 0 0 0 0 0 0
descr=Block traffic to port 0 4810 0 0 0 0 0 0 0
descr=Block snort2c hosts 4905 0 0 0 0 0 0 0
descr=Block snort2c hosts 4905 0 0 0 0 0 0 0
descr=CARP operation 4905 0 0 0 0 0 0 0
descr=CARP operation 4809 4509 252504 1601 89656 2908 162848 0
descr=sshguard 396 0 0 0 0 0 0 0
descr=GUI Lockout 0 0 0 0 0 0 0 0
descr=virusprot overload table 96 0 0 0 0 0 0 0
descr=Prevent routing dhcp responses 396 1 322 0 0 1 322 0
descr=allow dhcp replies in WAN 96 4 1288 4 1288 0 0 0
descr=allow dhcp client out WAN 249 0 0 0 0 0 0 0
descr=antispoof protection 102 0 0 0 0 0 0 0
descr=antispoof protection 3 0 0 0 0 0 0 0
descr=antispoof protection 3 0 0 0 0 0 0 0
descr=antispoof protection 99 0 0 0 0 0 0 0
descr=antispoof protection 21 0 0 0 0 0 0 0
descr=antispoof protection 21 0 0 0 0 0 0 0
descr=antispoof protection 21 0 0 0 0 0 0 0
descr=antispoof protection 2 0 0 0 0 0 0 0
descr=antispoof protection 2 0 0 0 0 0 0 0
descr=antispoof protection 2 0 0 0 0 0 0 0
descr=pass IPv4 loopback 131 206 62632 106 27782 100 34850 0
descr=pass IPv4 loopback 303 0 0 0 0 0 0 0
descr=let out anything IPv4 from firewall host itself 349 1963 371066 967 120470 996 250596 0
descr=let out anything from firewall host itself 81 136 24039 68 19131 68 4908 34
descr=let out anything from firewall host itself 74 0 0 0 0 0 0 0
descr=let out anything from firewall host itself 74 0 0 0 0 0 0 0
descr=let out anything from firewall host itself 34 0 0 0 0 0 0 0
descr=IPsec internal host to host 299 0 0 0 0 0 0 0
descr=IPsec VTI floating states 299 24 7528 0 0 24 7528 0
descr=anti-lockout rule 2 0 0 0 0 0 0 0
descr=anti-lockout rule 0 0 0 0 0 0 0 0
id=1778676401 tags=user_rule 102 1708 1245328 645 65822 1063 1179506 2
id=0100000101 tags=user_rule descr=Default allow LAN to any rule 0 0 0 0 0 0 0 0
id=0100000102 tags=user_rule descr=Default allow LAN IPv6 to any rule 0 0 0 0 0 0 0 0
descr=IPsec: 192.168.254.21 - outbound isakmp 60 0 0 0 0 0 0 0
descr=IPsec: 192.168.254.21 - inbound isakmp 55 0 0 0 0 0 0 0
descr=IPsec: 192.168.254.21 - outbound nat-t 55 0 0 0 0 0 0 0
descr=IPsec: 192.168.254.21 - inbound nat-t 55 0 0 0 0 0 0 0
descr=IPsec: 192.168.254.21 - outbound esp proto 60 0 0 0 0 0 0 0
descr=IPsec: 192.168.254.21 - inbound esp proto 1 0 0 0 0 0 0 0

TIMEOUTS:
tcp.first                   120s
tcp.opening                  30s
tcp.established           86400s
tcp.closing                 900s
tcp.finwait                  45s
tcp.closed                   90s
tcp.tsdiff                   30s
sctp.first                  120s
sctp.opening                 30s
sctp.established          86400s
sctp.closing                900s
sctp.closed                  90s
udp.first                    60s
udp.single                   30s
udp.multiple                 60s
icmp.first                   20s
icmp.error                   10s
other.first                  60s
other.single                 30s
other.multiple               60s
frag                         60s
interval                     10s
adaptive.start           240600 states
adaptive.end             481200 states
src.track                     0s

LIMITS:
states        hard limit   401000
src-nodes     hard limit   401000
frags         hard limit     5000
table-entries hard limit   400000
anchors       hard limit      512
eth-anchors   hard limit        0

STATE LIMITERS:
 ID      USE/LIMIT     RATE/SECS     ADMIT  HARDLIM  RATELIM

SOURCE LIMITERS:
 ID      USE/ADDRS    LIMIT  RATE/SECS     ADMIT  ADDRLIM  HARDLIM  RATELIM

TABLES:
ENC0__NETWORK
LAN__NETWORK
WAN__NETWORK
WIREGUARD__NETWORK
_nat64reserved_
bogons
snort2c
sshguard
virusprot
vpn_networks

OS FINGERPRINTS:
762 fingerprints loaded
