TRANSLATION RULES:
no nat proto carp all
nat-anchor "natearly/*" all
nat-anchor "natrules/*" all
nat on mvneta2 inet from 127.0.0.0/8 to any port = isakmp -> (mvneta2) round-robin static-port
nat on mvneta2 inet from 192.168.1.0/24 to any port = isakmp -> (mvneta2) round-robin static-port
nat on mvneta2 inet6 from ::1 to any port = isakmp -> (mvneta2) round-robin static-port
nat on mvneta2 inet from 127.0.0.0/8 to any -> (mvneta2) port 1024:65535 round-robin
nat on mvneta2 inet from 192.168.1.0/24 to any -> (mvneta2) port 1024:65535 round-robin
nat on mvneta2 inet6 from ::1 to any -> (mvneta2) port 1024:65535 round-robin
no rdr proto carp all
rdr-anchor "tftp-proxy/*" all
rdr-anchor "miniupnpd" all

FILTER RULES:
scrub on mvneta2 all fragment reassemble
scrub on mvneta1 all fragment reassemble
anchor "openvpn/*" all
anchor "ipsec/*" all
block drop in log quick inet from 169.254.0.0/16 to any label "Block IPv4 link-local"
block drop in log quick inet from any to 169.254.0.0/16 label "Block IPv4 link-local"
block drop in log inet all label "Default deny rule IPv4"
block drop out log inet all label "Default deny rule IPv4"
block drop in log inet6 all label "Default deny rule IPv6"
block drop out log inet6 all label "Default deny rule IPv6"
pass quick inet6 proto ipv6-icmp all icmp6-type unreach keep state
pass quick inet6 proto ipv6-icmp all icmp6-type toobig keep state
pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
pass quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbrsol keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbradv keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type echoreq keep state
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type routersol keep state
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type routeradv keep state
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type neighbrsol keep state
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type neighbradv keep state
block drop log quick inet proto tcp from any port = 0 to any label "Block traffic from port 0"
block drop log quick inet proto udp from any port = 0 to any label "Block traffic from port 0"
block drop log quick inet proto tcp from any to any port = 0 label "Block traffic to port 0"
block drop log quick inet proto udp from any to any port = 0 label "Block traffic to port 0"
block drop log quick inet6 proto tcp from any port = 0 to any label "Block traffic from port 0"
block drop log quick inet6 proto udp from any port = 0 to any label "Block traffic from port 0"
block drop log quick inet6 proto tcp from any to any port = 0 label "Block traffic to port 0"
block drop log quick inet6 proto udp from any to any port = 0 label "Block traffic to port 0"
block drop log quick from <snort2c> to any label "Block snort2c hosts"
block drop log quick from any to <snort2c> label "Block snort2c hosts"
block drop in log quick proto tcp from <sshguard> to (self) port = ssh label "sshguard"
block drop in log quick proto tcp from <sshguard> to (self) port = https label "GUI Lockout"
block drop in log quick from <virusprot> to any label "virusprot overload table"
pass in quick on mvneta2 proto udp from any port = bootps to any port = bootpc keep state label "allow dhcp client out WAN"
pass out quick on mvneta2 proto udp from any port = bootpc to any port = bootps keep state label "allow dhcp client out WAN"
block drop in log on mvneta1 inet6 from fe80::208:a2ff:fe0d:b7d7 to any
block drop in log on mvneta1 inet6 from fe80::1:1 to any
block drop in log on ! mvneta1 inet from 192.168.1.0/24 to any
block drop in log inet from 192.168.1.1 to any
pass in quick on mvneta1 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
pass in quick on mvneta1 inet proto udp from any port = bootpc to 192.168.1.1 port = bootps keep state label "allow access to DHCP server"
pass out quick on mvneta1 inet proto udp from 192.168.1.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
pass quick on mvneta1 inet6 proto udp from fe80::/10 to fe80::/10 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
pass quick on mvneta1 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
pass quick on mvneta1 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-server keep state label "allow access to DHCPv6 server"
pass quick on mvneta1 inet6 proto udp from ff02::/16 to fe80::/10 port = dhcpv6-server keep state label "allow access to DHCPv6 server"
pass in on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
pass out on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
pass in on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
pass out on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"
pass in quick on mvneta1 proto tcp from any to (mvneta1) port = https flags S/SA keep state label "anti-lockout rule"
pass in quick on mvneta1 proto tcp from any to (mvneta1) port = http flags S/SA keep state label "anti-lockout rule"
anchor "userrules/*" all
pass in quick on mvneta1 inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
anchor "tftp-proxy/*" all
No queue in use

STATES:
mvneta1 tcp 192.168.1.1:443 <- 192.168.1.101:54526       ESTABLISHED:ESTABLISHED
lo0 ipv6-icmp ff02::1[16448] <- fe80::208:a2ff:fe0d:b7d7[16448]       NO_TRAFFIC:NO_TRAFFIC
mvneta1 ipv6-icmp fe80::208:a2ff:fe0d:b7d7[16448] -> ff02::1[16448]       NO_TRAFFIC:NO_TRAFFIC
mvneta1 ipv6-icmp fe80::208:a2ff:fe0d:b7d7 -> ff02::16       NO_TRAFFIC:NO_TRAFFIC
lo0 udp 127.0.0.1:53 <- 127.0.0.1:37999       SINGLE:MULTIPLE
lo0 udp 127.0.0.1:37999 -> 127.0.0.1:53       MULTIPLE:SINGLE
lo0 udp 127.0.0.1:53 <- 127.0.0.1:55114       SINGLE:MULTIPLE
lo0 udp 127.0.0.1:55114 -> 127.0.0.1:53       MULTIPLE:SINGLE
lo0 udp 127.0.0.1:59504 -> 127.0.0.1:53       MULTIPLE:SINGLE
lo0 udp 127.0.0.1:43811 -> 127.0.0.1:53       MULTIPLE:SINGLE
lo0 udp 127.0.0.1:53 <- 127.0.0.1:58357       SINGLE:MULTIPLE
lo0 udp 127.0.0.1:53 <- 127.0.0.1:43811       SINGLE:MULTIPLE
lo0 udp 127.0.0.1:21915 -> 127.0.0.1:53       MULTIPLE:SINGLE
lo0 udp 127.0.0.1:53 <- 127.0.0.1:59504       SINGLE:MULTIPLE
lo0 udp 127.0.0.1:43515 -> 127.0.0.1:53       MULTIPLE:SINGLE
lo0 udp 127.0.0.1:58357 -> 127.0.0.1:53       MULTIPLE:SINGLE
lo0 udp 127.0.0.1:53 <- 127.0.0.1:43515       SINGLE:MULTIPLE
lo0 udp 127.0.0.1:53 <- 127.0.0.1:21915       SINGLE:MULTIPLE
lo0 udp 127.0.0.1:53 <- 127.0.0.1:57672       SINGLE:MULTIPLE
lo0 udp 127.0.0.1:57672 -> 127.0.0.1:53       MULTIPLE:SINGLE

INFO:
Status: Enabled for 0 days 00:03:43           Debug: Urgent

Interface Stats for mvneta1           IPv4             IPv6
  Bytes In                           33831             2990
  Bytes Out                         396664             4908
  Packets In
    Passed                             328                8
    Blocked                              0                7
  Packets Out
    Passed                             403               57
    Blocked                              0                0

State Table                          Total             Rate
  current entries                       20               
  searches                            2130            9.6/s
  inserts                              674            3.0/s
  removals                             654            2.9/s
Counters
  match                                682            3.1/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
  map-failed                             0            0.0/s

LABEL COUNTERS:
Block IPv4 link-local 196 0 0 0 0 0 0 0
Block IPv4 link-local 96 0 0 0 0 0 0 0
Default deny rule IPv4 96 0 0 0 0 0 0 0
Default deny rule IPv4 195 0 0 0 0 0 0 0
Default deny rule IPv6 196 0 0 0 0 0 0 0
Default deny rule IPv6 100 0 0 0 0 0 0 0
Block traffic from port 0 194 0 0 0 0 0 0 0
Block traffic from port 0 194 0 0 0 0 0 0 0
Block traffic to port 0 192 0 0 0 0 0 0 0
Block traffic to port 0 192 0 0 0 0 0 0 0
Block traffic from port 0 194 0 0 0 0 0 0 0
Block traffic from port 0 194 0 0 0 0 0 0 0
Block traffic to port 0 2 0 0 0 0 0 0 0
Block traffic to port 0 2 0 0 0 0 0 0 0
Block snort2c hosts 194 0 0 0 0 0 0 0
Block snort2c hosts 194 0 0 0 0 0 0 0
sshguard 194 0 0 0 0 0 0 0
GUI Lockout 0 0 0 0 0 0 0 0
virusprot overload table 342 0 0 0 0 0 0 0
allow dhcp client out WAN 0 0 0 0 0 0 0 0
allow dhcp client out WAN 0 0 0 0 0 0 0 0
allow access to DHCP server 96 0 0 0 0 0 0 0
allow access to DHCP server 0 0 0 0 0 0 0 0
allow access to DHCP server 98 0 0 0 0 0 0 0
allow access to DHCPv6 server 2 0 0 0 0 0 0 0
allow access to DHCPv6 server 0 0 0 0 0 0 0 0
allow access to DHCPv6 server 0 0 0 0 0 0 0 0
allow access to DHCPv6 server 0 0 0 0 0 0 0 0
pass IPv4 loopback 194 192 13792 96 6896 96 6896 0
pass IPv4 loopback 192 0 0 0 0 0 0 0
pass IPv6 loopback 192 0 0 0 0 0 0 0
pass IPv6 loopback 96 0 0 0 0 0 0 0
let out anything IPv4 from firewall host itself 194 192 13792 96 6896 96 6896 0
let out anything IPv6 from firewall host itself 98 6 456 0 0 6 456 0
anti-lockout rule 673 199 83485 97 11380 102 72105 0
anti-lockout rule 673 199 83485 97 11380 102 72105 0
USER_RULE: Default allow LAN to any rule 666 6 1765 6 1765 0 0 0

TIMEOUTS:
tcp.first                   120s
tcp.opening                  30s
tcp.established           86400s
tcp.closing                 900s
tcp.finwait                  45s
tcp.closed                   90s
tcp.tsdiff                   30s
udp.first                    60s
udp.single                   30s
udp.multiple                 60s
icmp.first                   20s
icmp.error                   10s
other.first                  60s
other.single                 30s
other.multiple               60s
frag                         30s
interval                     10s
adaptive.start           121200 states
adaptive.end             242400 states
src.track                     0s

LIMITS:
states        hard limit   202000
src-nodes     hard limit   202000
frags         hard limit     5000
table-entries hard limit   400000

TABLES:
bogons
snort2c
sshguard
virusprot

OS FINGERPRINTS:
762 fingerprints loaded
