[22.05-RELEASE][admin@6100-2.stevew.lan]/root: pfctl -sr
# Packet normalization: one scrub rule per interface and address family.
# "fragment reassemble" has pf buffer and reassemble IP fragments before the
# filter rules run, so the rules further down match on whole packets rather
# than on individual fragments.
# Interfaces covered here: ix0-ix3, igc0-igc3 and ath0_wlan0.
scrub on ix3 inet all fragment reassemble
scrub on ix3 inet6 all fragment reassemble
scrub on igc0 inet all fragment reassemble
scrub on igc0 inet6 all fragment reassemble
scrub on ix2 inet all fragment reassemble
scrub on ix2 inet6 all fragment reassemble
scrub on ix0 inet all fragment reassemble
scrub on ix0 inet6 all fragment reassemble
scrub on ix1 inet all fragment reassemble
scrub on ix1 inet6 all fragment reassemble
scrub on igc1 inet all fragment reassemble
scrub on igc1 inet6 all fragment reassemble
scrub on igc2 inet all fragment reassemble
scrub on igc2 inet6 all fragment reassemble
scrub on igc3 inet all fragment reassemble
scrub on igc3 inet6 all fragment reassemble
scrub on ath0_wlan0 inet all fragment reassemble
scrub on ath0_wlan0 inet6 all fragment reassemble
# Anchor calls: rules loaded under these anchors are evaluated at this point,
# but "pfctl -sr" prints only the anchor line, not the rules inside it.
# Audit them separately (pfctl -a <anchor> -sr) before concluding what this
# ruleset allows.
anchor "openvpn/*" all
anchor "ipsec/*" all
# IPv4 link-local (169.254.0.0/16) is dropped and logged whether it appears as
# source or destination. "quick" ends rule evaluation at the matching rule.
block drop in log quick inet from 169.254.0.0/16 to any label "Block IPv4 link-local" ridentifier 1000000101
block drop in log quick inet from any to 169.254.0.0/16 label "Block IPv4 link-local" ridentifier 1000000102
# Default deny for both directions and both address families. These rules have
# no "quick" and pf applies the last matching rule, so they decide only the
# packets that no later pass rule matches.
block drop in log inet all label "Default deny rule IPv4" ridentifier 1000000103
block drop out log inet all label "Default deny rule IPv4" ridentifier 1000000104
block drop in log inet6 all label "Default deny rule IPv6" ridentifier 1000000105
block drop out log inet6 all label "Default deny rule IPv6" ridentifier 1000000106
# ICMPv6 that IPv6 needs in order to work. These four rules name no interface,
# direction or source: destination unreachable, packet too big (path MTU
# discovery) and neighbor solicitation/advertisement are passed everywhere.
# They are "quick" and precede the table-based blocks later in the listing, so
# for these ICMPv6 types they are the rules that decide.
pass quick inet6 proto ipv6-icmp all icmp6-type unreach keep state ridentifier 1000000107
pass quick inet6 proto ipv6-icmp all icmp6-type toobig keep state ridentifier 1000000107
pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state ridentifier 1000000107
pass quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state ridentifier 1000000107
# Outbound, link-local source (fe80::/10) to link-local unicast: echo reply,
# router solicitation/advertisement, neighbor solicitation/advertisement.
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state ridentifier 1000000108
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state ridentifier 1000000108
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state ridentifier 1000000108
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state ridentifier 1000000108
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state ridentifier 1000000108
# Outbound, link-local source to ff02::/16 (link-scope multicast), same types.
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state ridentifier 1000000109
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state ridentifier 1000000109
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state ridentifier 1000000109
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state ridentifier 1000000109
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state ridentifier 1000000109
# Inbound counterparts: echo request (instead of echo reply) plus the same
# router/neighbor discovery types, link-local to link-local.
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state ridentifier 1000000110
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state ridentifier 1000000110
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state ridentifier 1000000110
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state ridentifier 1000000110
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state ridentifier 1000000110
# Inbound with a ff02::/16 source and a link-local destination.
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state ridentifier 1000000111
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state ridentifier 1000000111
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state ridentifier 1000000111
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbrsol keep state ridentifier 1000000111
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbradv keep state ridentifier 1000000111
# Inbound from link-local to link-scope multicast.
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state ridentifier 1000000112
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state ridentifier 1000000112
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state ridentifier 1000000112
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state ridentifier 1000000112
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state ridentifier 1000000112
# Inbound from "::", the unspecified address a host uses as source before it
# has an address of its own (for example duplicate address detection).
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type echoreq keep state ridentifier 1000000113
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type routersol keep state ridentifier 1000000113
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type routeradv keep state ridentifier 1000000113
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type neighbrsol keep state ridentifier 1000000113
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type neighbradv keep state ridentifier 1000000113
# TCP and UDP with source or destination port 0 are dropped and logged, for
# IPv4 and IPv6, in either direction and on every interface.
block drop log quick inet proto tcp from any port = 0 to any label "Block traffic from port 0" ridentifier 1000000114
block drop log quick inet proto udp from any port = 0 to any label "Block traffic from port 0" ridentifier 1000000114
block drop log quick inet proto tcp from any to any port = 0 label "Block traffic to port 0" ridentifier 1000000115
block drop log quick inet proto udp from any to any port = 0 label "Block traffic to port 0" ridentifier 1000000115
block drop log quick inet6 proto tcp from any port = 0 to any label "Block traffic from port 0" ridentifier 1000000116
block drop log quick inet6 proto udp from any port = 0 to any label "Block traffic from port 0" ridentifier 1000000116
block drop log quick inet6 proto tcp from any to any port = 0 label "Block traffic to port 0" ridentifier 1000000117
block drop log quick inet6 proto udp from any to any port = 0 label "Block traffic to port 0" ridentifier 1000000117
# Table-driven blocks. <snort2c>, <sshguard> and <virusprot> are pf tables;
# "pfctl -sr" does not print their members (list them with
# pfctl -t <table> -T show). All are "quick", so a listed host is dropped
# here before any later pass rule is considered.
# snort2c: blocked as source and as destination. Presumably filled by an
# IDS/IPS package - confirm on the system.
block drop log quick from <snort2c> to any label "Block snort2c hosts" ridentifier 1000000118
block drop log quick from any to <snort2c> label "Block snort2c hosts" ridentifier 1000000119
# sshguard: blocked only inbound to the firewall's own addresses (self), and
# only on TCP ssh and https (the latter labelled "GUI Lockout"). Other traffic
# from these hosts is not affected by these two rules.
block drop in log quick proto tcp from <sshguard> to (self) port = ssh label "sshguard" ridentifier 1000000301
block drop in log quick proto tcp from <sshguard> to (self) port = https label "GUI Lockout" ridentifier 1000000351
# virusprot: all inbound traffic from listed hosts is dropped.
block drop in log quick from <virusprot> to any label "virusprot overload table" ridentifier 1000000400
# ix3 (labelled WAN): DHCP and DHCPv6 client exchanges, matched by port only.
# The IPv4 rules and the last two DHCPv6 rules accept any source address.
pass in quick on ix3 proto udp from any port = bootps to any port = bootpc keep state label "allow dhcp client out WAN" ridentifier 1000000461
pass out quick on ix3 proto udp from any port = bootpc to any port = bootps keep state label "allow dhcp client out WAN" ridentifier 1000000462
pass in quick on ix3 inet6 proto udp from fe80::/10 port = dhcpv6-client to fe80::/10 port = dhcpv6-client keep state label "allow dhcpv6 client in WAN" ridentifier 1000000463
pass in quick on ix3 proto udp from any port = dhcpv6-server to any port = dhcpv6-client keep state label "allow dhcpv6 client in WAN" ridentifier 1000000464
pass out quick on ix3 proto udp from any port = dhcpv6-client to any port = dhcpv6-server keep state label "allow dhcpv6 client out WAN" ridentifier 1000000465
# Anti-spoofing for ix3: drop packets that claim a 172.21.16.0/24 source but
# arrive on any interface other than ix3, and inbound packets that claim the
# firewall's own ix3 address (172.21.16.170) as source. The fe80:: address is
# presumably ix3's link-local address - confirm with ifconfig.
# These rules are not "quick": a later pass rule that matches the same packet
# takes precedence over them.
block drop in log on ! ix3 inet from 172.21.16.0/24 to any ridentifier 1000001470
block drop in log inet from 172.21.16.170 to any ridentifier 1000001470
block drop in log on ix3 inet6 from fe80::92ec:77ff:fe0f:7443 to any ridentifier 1000001470
# Anti-spoofing on igc0 for two link-local source addresses (presumably the
# firewall's own - confirm).
# NOTE(review): unlike ix3 and ix2, no IPv4 anti-spoof rule for igc0's
# 192.168.170.0/24 appears in this listing - confirm that is intended.
block drop in log on igc0 inet6 from fe80::92ec:77ff:fe0f:7447 to any ridentifier 1000002520
block drop in log on igc0 inet6 from fe80::1:1 to any ridentifier 1000002520
# igc0: clients may reach the DHCP server on the firewall (192.168.170.1),
# by broadcast or unicast, and the server may answer.
pass in quick on igc0 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server" ridentifier 1000002541
pass in quick on igc0 inet proto udp from any port = bootpc to 192.168.170.1 port = bootps keep state label "allow access to DHCP server" ridentifier 1000002542
pass out quick on igc0 inet proto udp from 192.168.170.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server" ridentifier 1000002543
# igc0: DHCPv6 between link-local addresses and link-scope multicast. No
# direction is given, so each rule applies both in and out.
pass quick on igc0 inet6 proto udp from fe80::/10 to fe80::/10 port = dhcpv6-client keep state label "allow access to DHCPv6 server" ridentifier 1000002551
pass quick on igc0 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-client keep state label "allow access to DHCPv6 server" ridentifier 1000002552
pass quick on igc0 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-server keep state label "allow access to DHCPv6 server" ridentifier 1000002553
pass quick on igc0 inet6 proto udp from ff02::/16 to fe80::/10 port = dhcpv6-server keep state label "allow access to DHCPv6 server" ridentifier 1000002554
# ix2 (labelled WAN2): DHCP client exchanges, then the same anti-spoofing
# pattern as ix3 for 192.168.241.0/24 and the firewall's 192.168.241.10.
pass in quick on ix2 proto udp from any port = bootps to any port = bootpc keep state label "allow dhcp client out WAN2" ridentifier 1000002561
pass out quick on ix2 proto udp from any port = bootpc to any port = bootps keep state label "allow dhcp client out WAN2" ridentifier 1000002562
block drop in log on ! ix2 inet from 192.168.241.0/24 to any ridentifier 1000003570
block drop in log inet from 192.168.241.10 to any ridentifier 1000003570
block drop in log on ix2 inet6 from fe80::92ec:77ff:fe0f:7444 to any ridentifier 1000003570
# Loopback traffic is passed in both directions for IPv4 and IPv6.
# "flags S/SA keep state": for TCP, only a packet with SYN set and ACK clear
# can create a state entry; everything else must belong to an existing state.
pass in on lo0 inet all flags S/SA keep state label "pass IPv4 loopback" ridentifier 1000009911
pass out on lo0 inet all flags S/SA keep state label "pass IPv4 loopback" ridentifier 1000009912
pass in on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback" ridentifier 1000009913
pass out on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback" ridentifier 1000009914
# Outbound on any interface is allowed. This overrides the non-quick
# "block drop out" default-deny rules, so egress is effectively unfiltered
# here; restrictions have to be applied inbound on the ingress interface.
# allow-opts additionally admits packets that carry IP options.
pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself" ridentifier 1000009915
pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself" ridentifier 1000009916
# Multi-WAN source routing: traffic sourced from a WAN address and destined
# outside that WAN's subnet is forced out through that WAN's own gateway.
pass out route-to (ix3 172.21.16.1) inet from 172.21.16.170 to ! 172.21.16.0/24 flags S/SA keep state allow-opts label "let out anything from firewall host itself" ridentifier 1000010011
pass out route-to (ix2 192.168.241.1) inet from 192.168.241.10 to ! 192.168.241.0/24 flags S/SA keep state allow-opts label "let out anything from firewall host itself" ridentifier 1000010012
# Anti-lockout: any source arriving on igc0 may reach the firewall's igc0
# address on https, http and ssh. The rules are "quick" and come before the
# user rules, so a user rule cannot block management access from igc0; the
# quick <sshguard> blocks earlier in the listing are still evaluated first.
# NOTE(review): this exposes the management plane to every host on the igc0
# network. Where that network is not admin-only, replace it with an explicit
# rule limited to management sources and disable the anti-lockout rule.
pass in quick on igc0 proto tcp from any to (igc0) port = https flags S/SA keep state label "anti-lockout rule" ridentifier 10001
pass in quick on igc0 proto tcp from any to (igc0) port = http flags S/SA keep state label "anti-lockout rule" ridentifier 10001
pass in quick on igc0 proto tcp from any to (igc0) port = ssh flags S/SA keep state label "anti-lockout rule" ridentifier 10001
# Anchor call; the rules inside are not printed by "pfctl -sr" and must be
# listed separately (pfctl -a <anchor> -sr).
anchor "userrules/*" all
# These two rules pass every inbound IPv4 and IPv6 packet on ix3, the
# interface that the DHCP client rules label WAN. They are "quick", so for
# traffic arriving on ix3 they take precedence over the non-quick default-deny
# and anti-spoof block rules earlier in the listing; only the earlier quick
# blocks (link-local, port 0, the tables) still apply. Inbound filtering on
# this interface is therefore effectively off, including for services on the
# firewall itself.
# The label suggests the rule was added from the pfSsh.php shell rather than
# the GUI - confirm its origin.
# NOTE(review): acceptable only where the ix3 upstream is trusted (the private
# 172.21.16.0/24 WAN subnet and the .lan hostname suggest a lab). Otherwise
# remove it or narrow it to specific sources, destinations and ports.
# reply-to sends return traffic for these states back out via 172.21.16.1.
pass in quick on ix3 reply-to (ix3 172.21.16.1) inet all flags S/SA keep state label "USER_RULE: Allow all ipv4+ipv6 via pfSsh.php" label "id:1644416432" ridentifier 1644416432
pass in quick on ix3 inet6 all flags S/SA keep state label "USER_RULE: Allow all ipv4+ipv6 via pfSsh.php" label "id:1644416432" ridentifier 1644416432
# Policy routing: IPv4 from the igc0 subnet 192.168.170.0/24 to anywhere is
# passed and forced out through the ix2 gateway 192.168.241.1 (WAN2_DHCP).
pass in quick on igc0 route-to (ix2 192.168.241.1) inet from 192.168.170.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any via WAN2" label "id:1660690673" label "gw:WAN2_DHCP" ridentifier 1660690673
# Same interface, source and destination as the rule above. Because that rule
# is "quick" and comes first, this one is not reached as the ruleset stands.
pass in quick on igc0 inet from 192.168.170.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule" label "id:0100000101" ridentifier 100000101
# Anchor call placed after the quick user rules; traffic they already matched
# never reaches it. Its contents are not shown in this listing.
anchor "tftp-proxy/*" all

