TRANSLATION RULES:
# CARP is exempted from both NAT and redirection.
no nat proto carp all
# Anchors are attachment points for rules loaded separately; their contents
# are not part of this listing.
nat-anchor "natearly/*" all
nat-anchor "natrules/*" all
# Loopback-sourced traffic leaving em0 is rewritten to 192.168.254.25 /
# 2a07:7e84:1000:19a1::3001 (the same addresses the "firewall host itself"
# filter rules use). For destination port isakmp the source port is kept
# (static-port); everything else is mapped into source ports 1024:65535.
nat on em0 inet from 127.0.0.0/8 to any port = isakmp -> 192.168.254.25 static-port
nat on em0 inet6 from ::1 to any port = isakmp -> 2a07:7e84:1000:19a1::3001 static-port
nat on em0 inet from 127.0.0.0/8 to any -> 192.168.254.25 port 1024:65535
nat on em0 inet6 from ::1 to any -> 2a07:7e84:1000:19a1::3001 port 1024:65535
no rdr proto carp all
rdr-anchor "tftp-proxy/*" all

FILTER RULES:
# Normalisation: fragments to or from <vpn_networks> are left unreassembled,
# while IPv4 and IPv6 traffic on em0 is reassembled before filtering.
# NOTE(review): <vpn_networks> is not among the tables listed in the TABLES
# section of this dump - confirm whether it exists and is populated.
scrub from any to <vpn_networks> fragment no reassemble
scrub from <vpn_networks> to any fragment no reassemble
scrub on em0 inet all fragment reassemble
scrub on em0 inet6 all fragment reassemble
# VPN anchors are evaluated first; their rules are not shown in this listing.
anchor "openvpn/*" all
anchor "ipsec/*" all
# Quick blocks: traffic to the <_nat64reserved_> table (either direction) and
# inbound IPv4 link-local traffic is dropped and logged with no further
# rule evaluation.
block drop in log quick inet6 from any to <_nat64reserved_> label "descr=Block NAT64 for non-global IPv4" ridentifier 1000000001
block drop out log quick inet6 from any to <_nat64reserved_> label "descr=Block NAT64 for non-global IPv4" ridentifier 1000000002
block drop in log quick inet from 169.254.0.0/16 to any label "descr=Block IPv4 link-local" ridentifier 1000000101
block drop in log quick inet from any to 169.254.0.0/16 label "descr=Block IPv4 link-local" ridentifier 1000000102
# Default deny for IPv4 and IPv6 in both directions. These rules are NOT
# quick, so they only set the fallback verdict: any later rule that matches
# the packet replaces it. The effective policy therefore depends on how broad
# the pass rules further down are.
block drop in log inet all label "descr=Default deny rule IPv4" label "tags=ruleset:5e585a53bdd3890f" ridentifier 1000000103
block drop out log inet all label "descr=Default deny rule IPv4" label "tags=ruleset:5e585a53bdd3890f" ridentifier 1000000104
block drop in log inet6 all label "descr=Default deny rule IPv6" label "tags=ruleset:5e585a53bdd3890f" ridentifier 1000000105
block drop out log inet6 all label "descr=Default deny rule IPv6" label "tags=ruleset:5e585a53bdd3890f" ridentifier 1000000106
# ICMPv6 error and neighbour-discovery types passed in both directions with
# no interface, source or destination restriction: unreach, toobig,
# neighbrsol, neighbradv.
pass quick inet6 proto ipv6-icmp all icmp6-type unreach keep state (if-bound) ridentifier 1000000107
pass quick inet6 proto ipv6-icmp all icmp6-type toobig keep state (if-bound) ridentifier 1000000107
pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state (if-bound) ridentifier 1000000107
pass quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state (if-bound) ridentifier 1000000107
# Outbound, link-local (fe80::/10) to link-local: echo reply, router
# solicitation/advertisement, neighbour solicitation/advertisement.
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state (if-bound) ridentifier 1000000108
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state (if-bound) ridentifier 1000000108
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state (if-bound) ridentifier 1000000108
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state (if-bound) ridentifier 1000000108
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state (if-bound) ridentifier 1000000108
# Outbound, link-local to ff02::/16 multicast: same five types.
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state (if-bound) ridentifier 1000000109
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state (if-bound) ridentifier 1000000109
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state (if-bound) ridentifier 1000000109
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state (if-bound) ridentifier 1000000109
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state (if-bound) ridentifier 1000000109
# Inbound, link-local to link-local: echo request plus router and neighbour
# discovery. Inbound router advertisements are accepted on every interface.
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state (if-bound) ridentifier 1000000110
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state (if-bound) ridentifier 1000000110
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state (if-bound) ridentifier 1000000110
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state (if-bound) ridentifier 1000000110
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state (if-bound) ridentifier 1000000110
# Inbound with a multicast (ff02::/16) source address to link-local.
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state (if-bound) ridentifier 1000000111
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state (if-bound) ridentifier 1000000111
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state (if-bound) ridentifier 1000000111
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbrsol keep state (if-bound) ridentifier 1000000111
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbradv keep state (if-bound) ridentifier 1000000111
# Inbound, link-local to ff02::/16 multicast.
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state (if-bound) ridentifier 1000000112
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state (if-bound) ridentifier 1000000112
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state (if-bound) ridentifier 1000000112
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state (if-bound) ridentifier 1000000112
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state (if-bound) ridentifier 1000000112
# Inbound from the unspecified address (::) to multicast.
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type echoreq keep state (if-bound) ridentifier 1000000113
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type routersol keep state (if-bound) ridentifier 1000000113
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type routeradv keep state (if-bound) ridentifier 1000000113
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type neighbrsol keep state (if-bound) ridentifier 1000000113
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type neighbradv keep state (if-bound) ridentifier 1000000113
# TCP/UDP with source or destination port 0 is dropped and logged, for both
# address families and both directions (no direction keyword).
block drop log quick inet proto tcp from any port = 0 to any label "descr=Block traffic from port 0" ridentifier 1000000114
block drop log quick inet proto udp from any port = 0 to any label "descr=Block traffic from port 0" ridentifier 1000000114
block drop log quick inet proto tcp from any to any port = 0 label "descr=Block traffic to port 0" ridentifier 1000000115
block drop log quick inet proto udp from any to any port = 0 label "descr=Block traffic to port 0" ridentifier 1000000115
block drop log quick inet6 proto tcp from any port = 0 to any label "descr=Block traffic from port 0" ridentifier 1000000116
block drop log quick inet6 proto udp from any port = 0 to any label "descr=Block traffic from port 0" ridentifier 1000000116
block drop log quick inet6 proto tcp from any to any port = 0 label "descr=Block traffic to port 0" ridentifier 1000000117
block drop log quick inet6 proto udp from any to any port = 0 label "descr=Block traffic to port 0" ridentifier 1000000117
# Table-driven blocks. Each rule is only as effective as the table behind it;
# the table contents are not shown in this listing.
# <snort2c>: all traffic to or from listed hosts.
block drop log quick from <snort2c> to any label "descr=Block snort2c hosts" ridentifier 1000000118
block drop log quick from any to <snort2c> label "descr=Block snort2c hosts" ridentifier 1000000119
# <sshguard>: listed sources are cut off from ssh and https on the firewall
# itself. Being quick and placed before the anti-lockout pass rules, these
# blocks take precedence over them.
block drop in log quick proto tcp from <sshguard> to (self) port = ssh label "descr=sshguard" ridentifier 1000000301
block drop in log quick proto tcp from <sshguard> to (self) port = https label "descr=GUI Lockout" ridentifier 1000000351
# <virusprot>: inbound traffic from sources in the overload table.
block drop in log quick from <virusprot> to any label "descr=virusprot overload table" ridentifier 1000000400
# DHCP replies accepted on em0 are tagged "dhcpin" by the pass rule below;
# this block stops any packet carrying that tag from being sent out again.
block drop out quick proto udp from any port = bootps to any port = bootpc label "descr=Prevent routing dhcp responses" ridentifier 1000000451 tagged dhcpin
# DHCPv4 client traffic on em0 is matched on UDP ports only, from any source,
# and is stateless (no state).
pass in quick on em0 proto udp from any port = bootps to any port = bootpc no state label "descr=allow dhcp replies in WAN" ridentifier 1000000461 tag dhcpin
pass out quick on em0 proto udp from any port = bootpc to any port = bootps no state label "descr=allow dhcp client out WAN" ridentifier 1000000462
# DHCPv6 client traffic on em0. The first rule is limited to link-local
# addresses; the second accepts any source address as long as the UDP ports
# are dhcpv6-server -> dhcpv6-client, and names no address family.
pass in quick on em0 inet6 proto udp from fe80::/10 port = dhcpv6-client to fe80::/10 port = dhcpv6-client keep state (if-bound) label "descr=allow dhcpv6 client in WAN" ridentifier 1000000463
pass in quick on em0 proto udp from any port = dhcpv6-server to any port = dhcpv6-client keep state (if-bound) label "descr=allow dhcpv6 client in WAN" ridentifier 1000000464
pass out quick on em0 proto udp from any port = dhcpv6-client to any port = dhcpv6-server keep state (if-bound) label "descr=allow dhcpv6 client out WAN" ridentifier 1000000465
# Inbound traffic on em0 from sources in the bogon tables is dropped (quick).
block drop in log quick on em0 from <bogons> to any label "descr=block bogon IPv4 networks from WAN" ridentifier 11001
block drop in log quick on em0 from <bogonsv6> to any label "descr=block bogon IPv6 networks from WAN" ridentifier 11002
# Anti-spoofing: drop inbound packets whose source is em0's subnet but which
# arrive on another interface, and packets whose source is one of the
# firewall's own addresses.
# NOTE(review): none of these rules is quick, so a later matching pass rule
# overrides them. The user rule "pass in quick on em0 ... inet all" further
# down matches every inbound IPv4 packet on em0, including one claiming
# 192.168.254.25 as its source - confirm this is intended.
block drop in log on ! em0 inet6 from 2a07:7e84:1000:19a1::/64 to any ridentifier 1000001470
block drop in log on em0 inet6 from fe80::a00:27ff:fed4:3e55 to any ridentifier 1000001470
block drop in log inet6 from 2a07:7e84:1000:19a1:a00:27ff:fed4:3e55 to any ridentifier 1000001470
block drop in log inet6 from 2a07:7e84:1000:19a1::3001 to any ridentifier 1000001470
block drop in log on ! em0 inet from 192.168.254.0/24 to any ridentifier 1000001470
block drop in log inet from 192.168.254.25 to any ridentifier 1000001470
# Loopback traffic is passed in both directions for IPv4 and IPv6.
pass in on lo0 inet all flags S/SA keep state (if-bound) label "descr=pass IPv4 loopback" ridentifier 1000002561
pass out on lo0 inet all flags S/SA keep state (if-bound) label "descr=pass IPv6 loopback" ridentifier 1000002562
pass in on lo0 inet6 all flags S/SA keep state (if-bound) label "descr=pass IPv6 loopback" ridentifier 1000002563
pass out on lo0 inet6 all flags S/SA keep state (if-bound) label "descr=pass IPv6 loopback" ridentifier 1000002564
# All outbound traffic is passed on every interface, with IP options allowed
# (allow-opts). There is no egress filtering in this part of the ruleset.
pass out inet all flags S/SA keep state (if-bound) allow-opts label "descr=let out anything IPv4 from firewall host itself" ridentifier 1000002565
pass out inet6 all flags S/SA keep state (if-bound) allow-opts label "descr=let out anything IPv6 from firewall host itself" ridentifier 1000002566
# Traffic sourced from the firewall's own em0 addresses to destinations
# outside em0's subnet is forced out via the listed gateway (route-to).
pass out route-to (em0 192.168.254.10) inet from 192.168.254.25 to ! 192.168.254.0/24 flags S/SA keep state (if-bound) allow-opts label "descr=let out anything from firewall host itself" ridentifier 1000002661
pass out route-to (em0 fe80::92ec:77ff:fe1d:13ee) inet6 from 2a07:7e84:1000:19a1::3001 to ! 2a07:7e84:1000:19a1::/64 flags S/SA keep state (if-bound) allow-opts label "descr=let out anything from firewall host itself" ridentifier 1000002662
# Anti-lockout: TCP to the firewall's em0 address on https and http is
# accepted from ANY source.
# NOTE(review): other labels in this ruleset call em0 "WAN", and the state
# table shows https sessions from hosts outside 192.168.254.0/24. If em0 is
# reachable from an untrusted network, restrict the source to management
# hosts and drop the plain-http rule.
pass in quick on em0 proto tcp from any to (em0) port = https flags S/SA keep state (if-bound) label "descr=anti-lockout rule" ridentifier 10001
pass in quick on em0 proto tcp from any to (em0) port = http flags S/SA keep state (if-bound) label "descr=anti-lockout rule" ridentifier 10001
anchor "userrules/*" all
# User rule: passes every inbound IPv4 packet on em0 - any protocol, any
# source, any destination. Being quick, it overrides the non-quick default
# deny and anti-spoof rules for IPv4 on this interface.
# NOTE(review): this is effectively "allow all" on an interface the ruleset
# labels as WAN; narrow it to the protocols and sources actually required.
pass in quick on em0 reply-to (em0 192.168.254.10) inet all flags S/SA keep state (if-bound) label "id=1766393690" label "tags=user_rule" ridentifier 1766393690
# Anything this TCP-only rule could match is already matched by the quick
# rule directly above it, so it has no effect of its own. Its label
# ("descr=test") suggests a leftover - consider removing it.
pass in quick on em0 reply-to (em0 192.168.254.10) inet proto tcp all flags S/SA keep state (if-bound) label "id=1766393877" label "tags=user_rule" label "descr=test" ridentifier 1766393877
anchor "tftp-proxy/*" all
No queue in use

STATES:
em0 icmp 192.168.254.25:27265 -> 192.168.254.10:8       0:0
em0 ipv6-icmp fe80::a00:27ff:fed4:3e55[27613] -> fe80::92ec:77ff:fe1d:13ee[128]       NO_TRAFFIC:NO_TRAFFIC
em0 tcp 192.168.254.25:443 <- 192.168.2.100:32703       FIN_WAIT_2:FIN_WAIT_2
lo0 udp 127.0.0.1:30030 -> 127.0.0.1:53       SINGLE:NO_TRAFFIC
lo0 udp 127.0.0.1:53 <- 127.0.0.1:30030       NO_TRAFFIC:SINGLE
em0 udp 2a07:7e84:1000:19a1:a00:27ff:fed4:3e55[14522] -> 2a05:dfc1:cb1:123::[53]       SINGLE:NO_TRAFFIC
em0 udp 2a07:7e84:1000:19a1:a00:27ff:fed4:3e55[34914] -> 2600:3c00::f03c:91ff:fe8c:cf2c[53]       SINGLE:NO_TRAFFIC
em0 udp 2a07:7e84:1000:19a1:a00:27ff:fed4:3e55[14758] -> 2a05:dfc1:cb1:123::[53]       SINGLE:NO_TRAFFIC
em0 udp 2a07:7e84:1000:19a1:a00:27ff:fed4:3e55[13597] -> 2600:3c00::f03c:91ff:fe8c:cf2c[53]       SINGLE:NO_TRAFFIC
em0 udp 2a07:7e84:1000:19a1:a00:27ff:fed4:3e55[37621] -> 2a02:a00:2000:89::1[53]       SINGLE:NO_TRAFFIC
em0 udp 2a07:7e84:1000:19a1:a00:27ff:fed4:3e55[50069] -> 2604:1380:2:6002::41:1[53]       SINGLE:NO_TRAFFIC
em0 udp 2a07:7e84:1000:19a1:a00:27ff:fed4:3e55[60837] -> 2a02:a00:2000:89::1[53]       SINGLE:NO_TRAFFIC
em0 udp 2a07:7e84:1000:19a1:a00:27ff:fed4:3e55[64576] -> 2604:1380:2:6002::41:1[53]       SINGLE:NO_TRAFFIC
em0 udp 2a07:7e84:1000:19a1:a00:27ff:fed4:3e55[7056] -> 2604:1380:4601:5501::2:1[53]       SINGLE:NO_TRAFFIC
em0 udp 2a07:7e84:1000:19a1:a00:27ff:fed4:3e55[50692] -> 2001:8e0:ffff:1::282[53]       SINGLE:NO_TRAFFIC
em0 udp 2a07:7e84:1000:19a1:a00:27ff:fed4:3e55[12261] -> 2604:1380:4601:5501::2:1[53]       SINGLE:NO_TRAFFIC
em0 udp 2a07:7e84:1000:19a1:a00:27ff:fed4:3e55[56432] -> 2001:8e0:ffff:1::282[53]       SINGLE:NO_TRAFFIC
em0 udp 2a07:7e84:1000:19a1:a00:27ff:fed4:3e55[42306] -> 2a0e:b107:27f9:123::53[53]       SINGLE:NO_TRAFFIC
em0 udp 2a07:7e84:1000:19a1:a00:27ff:fed4:3e55[63759] -> 2600:3c02::f03c:92ff:fe5f:baf1[53]       SINGLE:NO_TRAFFIC
em0 udp 2a07:7e84:1000:19a1:a00:27ff:fed4:3e55[63505] -> 2a0e:b107:27f9:123::53[53]       SINGLE:NO_TRAFFIC
em0 udp 2a07:7e84:1000:19a1:a00:27ff:fed4:3e55[52054] -> 2600:3c02::f03c:92ff:fe5f:baf1[53]       SINGLE:NO_TRAFFIC
em0 udp 2a07:7e84:1000:19a1:a00:27ff:fed4:3e55[23452] -> 2604:a880:4:1d0::375:7000[53]       SINGLE:NO_TRAFFIC
em0 udp 2a07:7e84:1000:19a1:a00:27ff:fed4:3e55[38210] -> 2604:a880:4:1d0::375:7000[53]       SINGLE:NO_TRAFFIC
em0 udp 192.168.254.25:32829 -> 45.11.105.142:53       MULTIPLE:SINGLE
lo0 udp ::1[63641] -> ::1[53]       MULTIPLE:SINGLE
lo0 udp ::1[53] <- ::1[63641]       SINGLE:MULTIPLE
lo0 udp 127.0.0.1:3348 -> 127.0.0.1:53       MULTIPLE:SINGLE
lo0 udp 127.0.0.1:53 <- 127.0.0.1:3348       SINGLE:MULTIPLE
em0 udp 192.168.254.25:30871 -> 77.90.25.251:53       SINGLE:NO_TRAFFIC
em0 udp 192.168.254.25:12151 -> 212.25.19.23:53       MULTIPLE:SINGLE
em0 udp 192.168.254.25:44012 -> 139.178.66.41:53       MULTIPLE:SINGLE
em0 udp 2a07:7e84:1000:19a1:a00:27ff:fed4:3e55[123] -> 2a02:8106:21:9400::2[123]       SINGLE:NO_TRAFFIC
em0 tcp 192.168.254.25:443 <- 192.168.2.100:33116       FIN_WAIT_2:FIN_WAIT_2
em0 tcp 192.168.254.25:443 <- 192.168.2.100:33117       FIN_WAIT_2:FIN_WAIT_2
em0 tcp 192.168.254.25:443 <- 192.168.2.100:33118       FIN_WAIT_2:FIN_WAIT_2
em0 tcp 192.168.254.25:443 <- 192.168.2.100:33119       ESTABLISHED:ESTABLISHED
em0 tcp 192.168.254.25:443 <- 192.168.254.20:30433       FIN_WAIT_2:FIN_WAIT_2
em0 tcp 192.168.254.25:443 <- 192.168.254.20:30434       ESTABLISHED:ESTABLISHED
em0 tcp 192.168.254.25:13109 -> 192.168.254.26:443       FIN_WAIT_2:FIN_WAIT_2
em0 ipv6-icmp fe80::a00:27ff:fed4:3e55 -> fe80::92ec:77ff:fe1d:13ee[135]       NO_TRAFFIC:NO_TRAFFIC
em0 ipv6-icmp fe80::a00:27ff:fed4:3e55[135] <- fe80::92ec:77ff:fe1d:13ee       NO_TRAFFIC:NO_TRAFFIC

INFO:
Status: Enabled for 0 days 00:49:18           Debug: Urgent

Interface Stats for em0               IPv4             IPv6
  Bytes In                               0                0
  Bytes Out                              0                0
  Packets In
    Passed                           12012                0
    Blocked                              2                0
  Packets Out
    Passed                               0             6580
    Blocked                          15055                0

State Table                          Total             Rate
  current entries                       41               
  searches                           40629           13.7/s
  inserts                             1358            0.5/s
  removals                            1317            0.4/s
Counters
  match                               1362            0.5/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
  map-failed                             0            0.0/s
  translate                              0            0.0/s

LABEL COUNTERS:
descr=Block NAT64 for non-global IPv4 1362 0 0 0 0 0 0 0
descr=Block NAT64 for non-global IPv4 1062 0 0 0 0 0 0 0
descr=Block IPv4 link-local 1362 0 0 0 0 0 0 0
descr=Block IPv4 link-local 114 0 0 0 0 0 0 0
descr=Default deny rule IPv4 tags=ruleset:5e585a53bdd3890f 69 0 0 0 0 0 0 0
descr=Default deny rule IPv4 tags=ruleset:5e585a53bdd3890f 677 0 0 0 0 0 0 0
descr=Default deny rule IPv6 tags=ruleset:5e585a53bdd3890f 837 0 0 0 0 0 0 0
descr=Default deny rule IPv6 tags=ruleset:5e585a53bdd3890f 768 0 0 0 0 0 0 0
descr=Block traffic from port 0 1090 0 0 0 0 0 0 0
descr=Block traffic from port 0 560 0 0 0 0 0 0 0
descr=Block traffic to port 0 631 0 0 0 0 0 0 0
descr=Block traffic to port 0 560 0 0 0 0 0 0 0
descr=Block traffic from port 0 1090 0 0 0 0 0 0 0
descr=Block traffic from port 0 446 0 0 0 0 0 0 0
descr=Block traffic to port 0 459 0 0 0 0 0 0 0
descr=Block traffic to port 0 446 0 0 0 0 0 0 0
descr=Block snort2c hosts 1090 0 0 0 0 0 0 0
descr=Block snort2c hosts 1090 0 0 0 0 0 0 0
descr=sshguard 1090 0 0 0 0 0 0 0
descr=GUI Lockout 0 0 0 0 0 0 0 0
descr=virusprot overload table 172 0 0 0 0 0 0 0
descr=Prevent routing dhcp responses 1090 0 0 0 0 0 0 0
descr=allow dhcp replies in WAN 172 2 635 2 635 0 0 0
descr=allow dhcp client out WAN 880 0 0 0 0 0 0 0
descr=allow dhcpv6 client in WAN 796 0 0 0 0 0 0 0
descr=allow dhcpv6 client in WAN 26 25 4603 25 4603 0 0 22
descr=allow dhcpv6 client out WAN 772 25 2562 0 0 25 2562 22
descr=block bogon IPv4 networks from WAN 842 2 656 2 656 0 0 0
descr=block bogon IPv6 networks from WAN 30 0 0 0 0 0 0 0
descr=pass IPv4 loopback 111 150 14110 81 5658 69 8452 46
descr=pass IPv4 loopback 974 0 0 0 0 0 0 0
descr=pass IPv6 loopback 204 45 4630 36 3605 9 1025 28
descr=pass IPv6 loopback 124 0 0 0 0 0 0 0
descr=let out anything IPv4 from firewall host itself 1004 3717 407711 1848 118494 1869 289217 54
descr=let out anything IPv6 from firewall host itself 894 3239 186948 1616 98147 1623 88801 187
descr=let out anything from firewall host itself 894 1995 871789 963 763818 1032 107971 222
descr=let out anything from firewall host itself 488 0 0 0 0 0 0 0
descr=anti-lockout rule 1034 10946 7322785 4204 337929 6742 6984856 23
descr=anti-lockout rule 0 0 0 0 0 0 0 0
id=1766393690 tags=user_rule 566 0 0 0 0 0 0 0
id=1766393877 tags=user_rule descr=test 0 0 0 0 0 0 0 0

TIMEOUTS:
tcp.first                   120s
tcp.opening                  30s
tcp.established           86400s
tcp.closing                 900s
tcp.finwait                  45s
tcp.closed                   90s
tcp.tsdiff                   30s
sctp.first                  120s
sctp.opening                 30s
sctp.established          86400s
sctp.closing                900s
sctp.closed                  90s
udp.first                    60s
udp.single                   30s
udp.multiple                 60s
icmp.first                   20s
icmp.error                   10s
other.first                  60s
other.single                 30s
other.multiple               60s
frag                         60s
interval                     10s
adaptive.start           241200 states
adaptive.end             482400 states
src.track                     0s

LIMITS:
states        hard limit   402000
src-nodes     hard limit   402000
frags         hard limit     5000
table-entries hard limit   400000
anchors       hard limit      512
eth-anchors   hard limit        0

TABLES:
WAN__NETWORK
WIREGUARD__NETWORK
_nat64reserved_
bogons
bogonsv6
snort2c
sshguard
virusprot

OS FINGERPRINTS:
762 fingerprints loaded
