@0 scrub from any to <vpn_networks:1> fragment no reassemble
  [ Evaluations: 36847     Packets: 4291      Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@1 scrub from <vpn_networks:1> to any fragment no reassemble
  [ Evaluations: 32556     Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@2 scrub on em0 inet all fragment reassemble
  [ Evaluations: 32556     Packets: 30819     Bytes: 4770427     States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@3 scrub on em0 inet6 all fragment reassemble
  [ Evaluations: 45        Packets: 45        Bytes: 4632        States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@0 anchor "openvpn/*" all
  [ Evaluations: 5124      Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@1 anchor "ipsec/*" all
  [ Evaluations: 5124      Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@2 block drop in log quick inet6 from any to <_nat64reserved_:16> label "descr=Block NAT64 for non-global IPv4" ridentifier 1000000001
  [ Evaluations: 5124      Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@3 block drop out log quick inet6 from any to <_nat64reserved_:16> label "descr=Block NAT64 for non-global IPv4" ridentifier 1000000002
  [ Evaluations: 1025      Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@4 block drop in log quick inet from 169.254.0.0/16 to any label "descr=Block IPv4 link-local" ridentifier 1000000101
  [ Evaluations: 5124      Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@5 block drop in log quick inet from any to 169.254.0.0/16 label "descr=Block IPv4 link-local" ridentifier 1000000102
  [ Evaluations: 4073      Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@6 block drop in log inet all label "descr=Default deny rule IPv4" label "tags=ruleset:ceb692a014de1297" ridentifier 1000000103
  [ Evaluations: 897       Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@7 block drop out log inet all label "descr=Default deny rule IPv4" label "tags=ruleset:ceb692a014de1297" ridentifier 1000000104
  [ Evaluations: 927       Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@8 block drop in log inet6 all label "descr=Default deny rule IPv6" label "tags=ruleset:ceb692a014de1297" ridentifier 1000000105
  [ Evaluations: 933       Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@9 block drop out log inet6 all label "descr=Default deny rule IPv6" label "tags=ruleset:ceb692a014de1297" ridentifier 1000000106
  [ Evaluations: 36        Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@10 pass quick inet6 proto ipv6-icmp all icmp6-type unreach keep state (if-bound) label "descr=ICMPv6 operation" ridentifier 1000000107
  [ Evaluations: 72        Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@11 pass quick inet6 proto ipv6-icmp all icmp6-type toobig keep state (if-bound) label "descr=ICMPv6 operation" ridentifier 1000000107
  [ Evaluations: 29        Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@12 pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state (if-bound) label "descr=ICMPv6 operation" ridentifier 1000000107
  [ Evaluations: 29        Packets: 18        Bytes: 1296        States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@13 pass quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state (if-bound) label "descr=ICMPv6 operation" ridentifier 1000000107
  [ Evaluations: 16        Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@14 pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state (if-bound) label "descr=ICMPv6 operation" ridentifier 1000000108
  [ Evaluations: 16        Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@15 pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state (if-bound) label "descr=ICMPv6 operation" ridentifier 1000000108
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@16 pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state (if-bound) label "descr=ICMPv6 operation" ridentifier 1000000108
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@17 pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state (if-bound) label "descr=ICMPv6 operation" ridentifier 1000000108
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@18 pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state (if-bound) label "descr=ICMPv6 operation" ridentifier 1000000108
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@19 pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state (if-bound) label "descr=ICMPv6 operation" ridentifier 1000000109
  [ Evaluations: 12        Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@20 pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state (if-bound) label "descr=ICMPv6 operation" ridentifier 1000000109
  [ Evaluations: 12        Packets: 3         Bytes: 168         States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@21 pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state (if-bound) label "descr=ICMPv6 operation" ridentifier 1000000109
  [ Evaluations: 9         Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@22 pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state (if-bound) label "descr=ICMPv6 operation" ridentifier 1000000109
  [ Evaluations: 9         Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@23 pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state (if-bound) label "descr=ICMPv6 operation" ridentifier 1000000109
  [ Evaluations: 9         Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@24 pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state (if-bound) label "descr=ICMPv6 operation" ridentifier 1000000110
  [ Evaluations: 13        Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@25 pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state (if-bound) label "descr=ICMPv6 operation" ridentifier 1000000110
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@26 pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state (if-bound) label "descr=ICMPv6 operation" ridentifier 1000000110
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@27 pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state (if-bound) label "descr=ICMPv6 operation" ridentifier 1000000110
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@28 pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state (if-bound) label "descr=ICMPv6 operation" ridentifier 1000000110
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@29 pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state (if-bound) label "descr=ICMPv6 operation" ridentifier 1000000111
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@30 pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state (if-bound) label "descr=ICMPv6 operation" ridentifier 1000000111
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@31 pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state (if-bound) label "descr=ICMPv6 operation" ridentifier 1000000111
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@32 pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbrsol keep state (if-bound) label "descr=ICMPv6 operation" ridentifier 1000000111
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@33 pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbradv keep state (if-bound) label "descr=ICMPv6 operation" ridentifier 1000000111
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@34 pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state (if-bound) label "descr=ICMPv6 operation" ridentifier 1000000112
  [ Evaluations: 4         Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@35 pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state (if-bound) label "descr=ICMPv6 operation" ridentifier 1000000112
  [ Evaluations: 4         Packets: 3         Bytes: 168         States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@36 pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state (if-bound) label "descr=ICMPv6 operation" ridentifier 1000000112
  [ Evaluations: 1         Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@37 pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state (if-bound) label "descr=ICMPv6 operation" ridentifier 1000000112
  [ Evaluations: 1         Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@38 pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state (if-bound) label "descr=ICMPv6 operation" ridentifier 1000000112
  [ Evaluations: 1         Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@39 pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type echoreq keep state (if-bound) label "descr=ICMPv6 operation" ridentifier 1000000113
  [ Evaluations: 1         Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@40 pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type routersol keep state (if-bound) label "descr=ICMPv6 operation" ridentifier 1000000113
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@41 pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type routeradv keep state (if-bound) label "descr=ICMPv6 operation" ridentifier 1000000113
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@42 pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type neighbrsol keep state (if-bound) label "descr=ICMPv6 operation" ridentifier 1000000113
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@43 pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type neighbradv keep state (if-bound) label "descr=ICMPv6 operation" ridentifier 1000000113
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@44 block drop log quick inet proto tcp from any port = 0 to any label "descr=Block traffic from port 0" ridentifier 1000000114
  [ Evaluations: 5105      Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@45 block drop log quick inet proto udp from any port = 0 to any label "descr=Block traffic from port 0" ridentifier 1000000114
  [ Evaluations: 4965      Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@46 block drop log quick inet proto tcp from any to any port = 0 label "descr=Block traffic to port 0" ridentifier 1000000115
  [ Evaluations: 5052      Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@47 block drop log quick inet proto udp from any to any port = 0 label "descr=Block traffic to port 0" ridentifier 1000000115
  [ Evaluations: 4965      Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@48 block drop log quick inet6 proto tcp from any port = 0 to any label "descr=Block traffic from port 0" ridentifier 1000000116
  [ Evaluations: 5105      Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@49 block drop log quick inet6 proto udp from any port = 0 to any label "descr=Block traffic from port 0" ridentifier 1000000116
  [ Evaluations: 53        Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@50 block drop log quick inet6 proto tcp from any to any port = 0 label "descr=Block traffic to port 0" ridentifier 1000000117
  [ Evaluations: 53        Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@51 block drop log quick inet6 proto udp from any to any port = 0 label "descr=Block traffic to port 0" ridentifier 1000000117
  [ Evaluations: 53        Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@52 block drop log quick from <snort2c:0> to any label "descr=Block snort2c hosts" ridentifier 1000000118
  [ Evaluations: 5105      Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@53 block drop log quick from any to <snort2c:0> label "descr=Block snort2c hosts" ridentifier 1000000119
  [ Evaluations: 5105      Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@54 block drop in log quick proto carp from (self:9) to any label "descr=CARP operation" ridentifier 1000000201
  [ Evaluations: 5105      Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@55 pass quick proto carp all no state label "descr=CARP operation" ridentifier 1000000202
  [ Evaluations: 4963      Packets: 4526      Bytes: 253456      States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: Fri Jun  5 11:50:06 2026 ]
@56 block drop in log quick proto tcp from <sshguard:0> to (self:9) port = ssh label "descr=sshguard" ridentifier 1000000301
  [ Evaluations: 579       Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@57 block drop in log quick proto tcp from <sshguard:0> to (self:9) port = https label "descr=GUI Lockout" ridentifier 1000000351
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@58 block drop in log quick from <virusprot:0> to any label "descr=virusprot overload table" ridentifier 1000000400
  [ Evaluations: 142       Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@59 block drop out quick proto udp from any port = bootps to any port = bootpc label "descr=Prevent routing dhcp responses" ridentifier 1000000451 tagged dhcpin
  [ Evaluations: 579       Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@60 pass in quick on em0 proto udp from any port = bootps to any port = bootpc no state label "descr=allow dhcp replies in WAN" ridentifier 1000000461 tag dhcpin
  [ Evaluations: 142       Packets: 4         Bytes: 1288        States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@61 pass out quick on em0 proto udp from any port = bootpc to any port = bootps no state label "descr=allow dhcp client out WAN" ridentifier 1000000462
  [ Evaluations: 351       Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@62 pass in quick on em0 inet6 proto udp from fe80::/10 port = dhcpv6-client to fe80::/10 port = dhcpv6-client keep state (if-bound) label "descr=allow dhcpv6 client in WAN" ridentifier 1000000463
  [ Evaluations: 319       Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@63 pass in quick on em0 proto udp from any port = dhcpv6-server to any port = dhcpv6-client keep state (if-bound) label "descr=allow dhcpv6 client in WAN" ridentifier 1000000464
  [ Evaluations: 9         Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@64 pass out quick on em0 proto udp from any port = dhcpv6-client to any port = dhcpv6-server keep state (if-bound) label "descr=allow dhcpv6 client out WAN" ridentifier 1000000465
  [ Evaluations: 319       Packets: 20        Bytes: 2320        States: 1     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 6     ]
  [ Last Active Time: Fri Jun  5 11:49:57 2026 ]
@65 block drop in log on ! em0 inet from 192.168.254.0/24 to any label "descr=antispoof protection" ridentifier 1000001471
  [ Evaluations: 87        Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@66 block drop in log on ! em0 inet from 192.168.254.33 to any label "descr=antispoof protection" ridentifier 1000001471
  [ Evaluations: 5         Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@67 block drop in log on ! em0 inet from 192.168.254.34 to any label "descr=antispoof protection" ridentifier 1000001471
  [ Evaluations: 5         Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@68 block drop in log on em0 inet6 from fe80::a00:27ff:feba:b855 to any label "descr=antispoof protection" ridentifier 1000001471
  [ Evaluations: 74        Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@69 block drop in log inet from 192.168.254.26 to any label "descr=antispoof protection" ridentifier 1000001471
  [ Evaluations: 21        Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@70 block drop in log inet from 192.168.254.33 to any label "descr=antispoof protection" ridentifier 1000001471
  [ Evaluations: 13        Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@71 block drop in log inet from 192.168.254.34 to any label "descr=antispoof protection" ridentifier 1000001471
  [ Evaluations: 13        Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@72 pass in on lo0 inet all flags S/SA keep state (if-bound) label "descr=pass IPv4 loopback" ridentifier 1000003611
  [ Evaluations: 146       Packets: 178       Bytes: 32635       States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 1     ]
  [ Last Active Time: Fri Jun  5 11:40:00 2026 ]
@73 pass out on lo0 inet all flags S/SA keep state (if-bound) label "descr=pass IPv4 loopback" ridentifier 1000003612
  [ Evaluations: 444       Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@74 pass in on lo0 inet6 all flags S/SA keep state (if-bound) label "descr=pass IPv6 loopback" ridentifier 1000003613
  [ Evaluations: 139       Packets: 24        Bytes: 2672        States: 1     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 6     ]
  [ Last Active Time: Fri Jun  5 11:49:57 2026 ]
@75 pass out on lo0 inet6 all flags S/SA keep state (if-bound) label "descr=pass IPv6 loopback" ridentifier 1000003614
  [ Evaluations: 80        Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@76 pass out inet all flags S/SA keep state (if-bound) allow-opts label "descr=let out anything IPv4 from firewall host itself" ridentifier 1000003615
  [ Evaluations: 530       Packets: 1626      Bytes: 75049       States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 1     ]
  [ Last Active Time: Fri Jun  5 11:40:00 2026 ]
@77 pass out inet6 all flags S/SA keep state (if-bound) allow-opts label "descr=let out anything IPv6 from firewall host itself" ridentifier 1000003616
  [ Evaluations: 418       Packets: 6         Bytes: 524         States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@78 pass out route-to (em0 192.168.254.10) inet from 192.168.254.26 to ! 192.168.254.0/24 flags S/SA keep state (if-bound) allow-opts label "descr=let out anything from firewall host itself" ridentifier 1000003711
  [ Evaluations: 66        Packets: 88        Bytes: 22565       States: 2     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 22    ]
  [ Last Active Time: Fri Jun  5 11:49:57 2026 ]
@79 pass out route-to (em0 192.168.254.10) inet from 192.168.254.33 to ! 192.168.254.0/24 flags S/SA keep state (if-bound) allow-opts label "descr=let out anything from firewall host itself" ridentifier 1000003712
  [ Evaluations: 57        Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@80 pass out route-to (em0 192.168.254.10) inet from 192.168.254.34 to ! 192.168.254.0/24 flags S/SA keep state (if-bound) allow-opts label "descr=let out anything from firewall host itself" ridentifier 1000003713
  [ Evaluations: 57        Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@81 pass out on enc0 all flags S/SA keep state label "descr=IPsec internal host to host" ridentifier 1000004012
  [ Evaluations: 418       Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@82 pass out on ipsec1 all flags S/SA keep state label "descr=IPsec VTI floating states" ridentifier 1000004013
  [ Evaluations: 418       Packets: 777       Bytes: 23357       States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 1     ]
  [ Last Active Time: Fri Jun  5 11:40:01 2026 ]
@83 anchor "userrules/*" all
  [ Evaluations: 551       Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@84 pass in quick on em0 reply-to (em0 192.168.254.10) inet all flags S/SA keep state (if-bound) label "id=1778676401" label "tags=user_rule" ridentifier 1778676401
  [ Evaluations: 87        Packets: 451       Bytes: 231728      States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@85 pass out inet proto udp from (self:5) to 192.168.254.21 port = isakmp keep state (if-bound) label "descr=IPsec: 192.168.254.21 - outbound isakmp" ridentifier 1000104151
  [ Evaluations: 63        Packets: 7         Bytes: 2060        States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@86 pass in on em0 inet proto udp from 192.168.254.21 to (self:5) port = isakmp keep state (if-bound) label "descr=IPsec: 192.168.254.21 - inbound isakmp" ridentifier 1000104152
  [ Evaluations: 49        Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@87 pass out inet proto udp from (self:5) to 192.168.254.21 port = ipsec-nat-t keep state (if-bound) label "descr=IPsec: 192.168.254.21 - outbound nat-t" ridentifier 1000104153
  [ Evaluations: 49        Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@88 pass in on em0 inet proto udp from 192.168.254.21 to (self:5) port = ipsec-nat-t keep state (if-bound) label "descr=IPsec: 192.168.254.21 - inbound nat-t" ridentifier 1000104154
  [ Evaluations: 48        Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@89 pass out inet proto esp from (self:5) to 192.168.254.21 keep state (if-bound) label "descr=IPsec: 192.168.254.21 - outbound esp proto" ridentifier 1000104155
  [ Evaluations: 61        Packets: 45        Bytes: 3868        States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@90 pass in on em0 inet proto esp from 192.168.254.21 to (self:5) keep state (if-bound) label "descr=IPsec: 192.168.254.21 - inbound esp proto" ridentifier 1000104156
  [ Evaluations: 12        Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
@91 anchor "tftp-proxy/*" all
  [ Evaluations: 506       Packets: 0         Bytes: 0           States: 0     ]
  [ Source Nodes: 0      Limit: 0      NAT/RDR: 0      Route: 0      ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
  [ Last Active Time: N/A ]
