TRANSLATION RULES:
# NAT and RDR rules of the loaded ruleset. em0 is the only non-loopback
# interface named in these translation rules.
# CARP packets are exempted from NAT.
no nat proto carp all
# Sub-rulesets attached under these anchors are evaluated at this point; their
# contents are not part of this listing.
nat-anchor "natearly/*" all
nat-anchor "natrules/*" all
# Loopback-sourced traffic to the isakmp port leaving em0 is rewritten to
# 192.168.254.26 / 2a07:7e84:1000:19a1::3000; static-port keeps the source port
# unchanged.
nat on em0 inet from 127.0.0.0/8 to any port = isakmp -> 192.168.254.26 static-port
nat on em0 inet6 from ::1 to any port = isakmp -> 2a07:7e84:1000:19a1::3000 static-port
# All other loopback-sourced traffic leaving em0 is rewritten to the same
# addresses, with the source port drawn from 1024:65535.
nat on em0 inet from 127.0.0.0/8 to any -> 192.168.254.26 port 1024:65535
nat on em0 inet6 from ::1 to any -> 2a07:7e84:1000:19a1::3000 port 1024:65535
# CARP is likewise exempted from redirection. The tftp-proxy anchor's contents
# are not shown here.
no rdr proto carp all
rdr-anchor "tftp-proxy/*" all

FILTER RULES:
# Normalisation: fragments to or from <vpn_networks> are passed on without
# reassembly; everything else seen on em0 is reassembled before filtering.
# NOTE(review): <vpn_networks> is referenced here but is not among the names in
# the TABLES section of this dump — confirm the table is defined.
scrub from any to <vpn_networks> fragment no reassemble
scrub from <vpn_networks> to any fragment no reassemble
scrub on em0 inet all fragment reassemble
scrub on em0 inet6 all fragment reassemble
# Anchor points for VPN sub-rulesets; whatever is loaded beneath them is not
# printed in this listing and has to be inspected separately.
anchor "openvpn/*" all
anchor "ipsec/*" all
# Logged `quick` blocks: IPv6 packets addressed to <_nat64reserved_> are dropped
# in both directions and evaluation stops at the first match.
block drop in log quick inet6 from any to <_nat64reserved_> label "descr=Block NAT64 for non-global IPv4" ridentifier 1000000001
block drop out log quick inet6 from any to <_nat64reserved_> label "descr=Block NAT64 for non-global IPv4" ridentifier 1000000002
# Inbound IPv4 with a link-local (169.254.0.0/16) source or destination is
# dropped, also `quick`.
block drop in log quick inet from 169.254.0.0/16 to any label "descr=Block IPv4 link-local" ridentifier 1000000101
block drop in log quick inet from any to 169.254.0.0/16 label "descr=Block IPv4 link-local" ridentifier 1000000102
# Default deny for both families and both directions. These four rules carry no
# `quick`, so they only decide a packet when no later rule matches it: any
# matching pass rule further down the ruleset overrides them.
block drop in log inet all label "descr=Default deny rule IPv4" label "tags=ruleset:8606289c5dd90a83" ridentifier 1000000103
block drop out log inet all label "descr=Default deny rule IPv4" label "tags=ruleset:8606289c5dd90a83" ridentifier 1000000104
block drop in log inet6 all label "descr=Default deny rule IPv6" label "tags=ruleset:8606289c5dd90a83" ridentifier 1000000105
block drop out log inet6 all label "descr=Default deny rule IPv6" label "tags=ruleset:8606289c5dd90a83" ridentifier 1000000106
# ICMPv6 allowances. Every rule here is `quick` and creates interface-bound
# state (if-bound).
# Four message types are accepted from any source, on any interface, in either
# direction: unreach, toobig, neighbrsol and neighbradv.
pass quick inet6 proto ipv6-icmp all icmp6-type unreach keep state (if-bound) ridentifier 1000000107
pass quick inet6 proto ipv6-icmp all icmp6-type toobig keep state (if-bound) ridentifier 1000000107
pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state (if-bound) ridentifier 1000000107
pass quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state (if-bound) ridentifier 1000000107
# Outbound, link-local (fe80::/10) to link-local: echo replies plus router and
# neighbour discovery messages.
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state (if-bound) ridentifier 1000000108
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state (if-bound) ridentifier 1000000108
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state (if-bound) ridentifier 1000000108
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state (if-bound) ridentifier 1000000108
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state (if-bound) ridentifier 1000000108
# Outbound, link-local to ff02::/16 multicast: the same five types.
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state (if-bound) ridentifier 1000000109
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state (if-bound) ridentifier 1000000109
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state (if-bound) ridentifier 1000000109
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state (if-bound) ridentifier 1000000109
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state (if-bound) ridentifier 1000000109
# Inbound, link-local to link-local: echo requests plus router and neighbour
# discovery messages.
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state (if-bound) ridentifier 1000000110
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state (if-bound) ridentifier 1000000110
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state (if-bound) ridentifier 1000000110
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state (if-bound) ridentifier 1000000110
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state (if-bound) ridentifier 1000000110
# Inbound with an ff02::/16 source address and a link-local destination.
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state (if-bound) ridentifier 1000000111
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state (if-bound) ridentifier 1000000111
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state (if-bound) ridentifier 1000000111
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbrsol keep state (if-bound) ridentifier 1000000111
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbradv keep state (if-bound) ridentifier 1000000111
# Inbound, link-local to ff02::/16 multicast.
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state (if-bound) ridentifier 1000000112
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state (if-bound) ridentifier 1000000112
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state (if-bound) ridentifier 1000000112
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state (if-bound) ridentifier 1000000112
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state (if-bound) ridentifier 1000000112
# Inbound from the unspecified address (::) to ff02::/16 multicast.
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type echoreq keep state (if-bound) ridentifier 1000000113
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type routersol keep state (if-bound) ridentifier 1000000113
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type routeradv keep state (if-bound) ridentifier 1000000113
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type neighbrsol keep state (if-bound) ridentifier 1000000113
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type neighbradv keep state (if-bound) ridentifier 1000000113
# TCP and UDP with source or destination port 0 are dropped and logged in both
# directions, for IPv4 and IPv6.
block drop log quick inet proto tcp from any port = 0 to any label "descr=Block traffic from port 0" ridentifier 1000000114
block drop log quick inet proto udp from any port = 0 to any label "descr=Block traffic from port 0" ridentifier 1000000114
block drop log quick inet proto tcp from any to any port = 0 label "descr=Block traffic to port 0" ridentifier 1000000115
block drop log quick inet proto udp from any to any port = 0 label "descr=Block traffic to port 0" ridentifier 1000000115
block drop log quick inet6 proto tcp from any port = 0 to any label "descr=Block traffic from port 0" ridentifier 1000000116
block drop log quick inet6 proto udp from any port = 0 to any label "descr=Block traffic from port 0" ridentifier 1000000116
block drop log quick inet6 proto tcp from any to any port = 0 label "descr=Block traffic to port 0" ridentifier 1000000117
block drop log quick inet6 proto udp from any to any port = 0 label "descr=Block traffic to port 0" ridentifier 1000000117
# Table-driven blocks. Traffic to or from any address in <snort2c> is dropped in
# both directions.
block drop log quick from <snort2c> to any label "descr=Block snort2c hosts" ridentifier 1000000118
block drop log quick from any to <snort2c> label "descr=Block snort2c hosts" ridentifier 1000000119
# Sources listed in <sshguard> lose access to ssh and https on the firewall's
# own addresses (self). Because these rules are `quick` and sit above the pass
# rules for the web GUI, a listed source is rejected before those rules are
# reached.
block drop in log quick proto tcp from <sshguard> to (self) port = ssh label "descr=sshguard" ridentifier 1000000301
block drop in log quick proto tcp from <sshguard> to (self) port = https label "descr=GUI Lockout" ridentifier 1000000351
# Inbound traffic from any address in <virusprot> is dropped.
block drop in log quick from <virusprot> to any label "descr=virusprot overload table" ridentifier 1000000400
# DHCP client handling on em0 (the labels call this interface WAN).
# Replies accepted inbound on em0 are tagged dhcpin by the pass rule below; this
# block then refuses to send any packet carrying that tag back out, so a
# received DHCP reply is never forwarded. Unlike its neighbours this block is
# not logged.
block drop out quick proto udp from any port = bootps to any port = bootpc label "descr=Prevent routing dhcp responses" ridentifier 1000000451 tagged dhcpin
# DHCPv4 is passed statelessly (no state), matching on ports only.
pass in quick on em0 proto udp from any port = bootps to any port = bootpc no state label "descr=allow dhcp replies in WAN" ridentifier 1000000461 tag dhcpin
pass out quick on em0 proto udp from any port = bootpc to any port = bootps no state label "descr=allow dhcp client out WAN" ridentifier 1000000462
# DHCPv6: the first rule is limited to link-local peers; the next two match on
# ports alone, with no address-family or source-address restriction.
pass in quick on em0 inet6 proto udp from fe80::/10 port = dhcpv6-client to fe80::/10 port = dhcpv6-client keep state (if-bound) label "descr=allow dhcpv6 client in WAN" ridentifier 1000000463
pass in quick on em0 proto udp from any port = dhcpv6-server to any port = dhcpv6-client keep state (if-bound) label "descr=allow dhcpv6 client in WAN" ridentifier 1000000464
pass out quick on em0 proto udp from any port = dhcpv6-client to any port = dhcpv6-server keep state (if-bound) label "descr=allow dhcpv6 client out WAN" ridentifier 1000000465
# Inbound packets on em0 whose source is in the <bogons> / <bogonsv6> tables are
# dropped and logged. These run after the DHCP passes above, so DHCP traffic is
# not subject to the bogon check.
block drop in log quick on em0 from <bogons> to any label "descr=block bogon IPv4 networks from WAN" ridentifier 11001
block drop in log quick on em0 from <bogonsv6> to any label "descr=block bogon IPv6 networks from WAN" ridentifier 11002
# Source-address sanity checks, all sharing ridentifier 1000001470: drop inbound
# packets that claim a source inside the em0 prefixes but arrive on another
# interface, and inbound packets whose source is one of the firewall's own
# addresses.
# NOTE(review): none of these rules is `quick`, so a later matching pass rule
# still wins. The `pass in quick on em0 ... inet all` rule further down this
# listing matches all inbound IPv4 on em0, including a source of 192.168.254.26,
# so the IPv4 own-address check appears to have no effect on em0 — confirm this
# is intended.
block drop in log on ! em0 inet6 from 2a07:7e84:1000:19a1::/64 to any ridentifier 1000001470
block drop in log on em0 inet6 from fe80::a00:27ff:feba:b855 to any ridentifier 1000001470
block drop in log inet6 from 2a07:7e84:1000:19a1:a00:27ff:feba:b855 to any ridentifier 1000001470
block drop in log inet6 from 2a07:7e84:1000:19a1::3000 to any ridentifier 1000001470
block drop in log on ! em0 inet from 192.168.254.0/24 to any ridentifier 1000001470
block drop in log inet from 192.168.254.26 to any ridentifier 1000001470
# Loopback traffic is passed in both directions for both address families.
# `flags S/SA` restricts state creation for TCP to an initial SYN.
pass in on lo0 inet all flags S/SA keep state (if-bound) label "descr=pass IPv4 loopback" ridentifier 1000002561
pass out on lo0 inet all flags S/SA keep state (if-bound) label "descr=pass IPv4 loopback" ridentifier 1000002562
pass in on lo0 inet6 all flags S/SA keep state (if-bound) label "descr=pass IPv6 loopback" ridentifier 1000002563
pass out on lo0 inet6 all flags S/SA keep state (if-bound) label "descr=pass IPv6 loopback" ridentifier 1000002564
# Unrestricted egress: every outbound packet is passed on any interface, with
# allow-opts also admitting packets that carry IP options. These rules are not
# `quick`, but no block rule follows them in this listing, so they override the
# default-deny-out rules above.
pass out inet all flags S/SA keep state (if-bound) allow-opts label "descr=let out anything IPv4 from firewall host itself" ridentifier 1000002565
pass out inet6 all flags S/SA keep state (if-bound) allow-opts label "descr=let out anything IPv6 from firewall host itself" ridentifier 1000002566
# Traffic sourced from the firewall's own em0 addresses to off-subnet
# destinations is forced out em0 via the named next hop (route-to).
pass out route-to (em0 192.168.254.10) inet from 192.168.254.26 to ! 192.168.254.0/24 flags S/SA keep state (if-bound) allow-opts label "descr=let out anything from firewall host itself" ridentifier 1000002661
pass out route-to (em0 fe80::92ec:77ff:fe1d:13ee) inet6 from 2a07:7e84:1000:19a1::3000 to ! 2a07:7e84:1000:19a1::/64 flags S/SA keep state (if-bound) allow-opts label "descr=let out anything from firewall host itself" ridentifier 1000002662
# Anti-lockout: TCP to the em0 address on https and http is accepted from any
# source. The DHCP and bogon rule labels in this ruleset call em0 "WAN", so the
# management GUI is reachable from every source that is not caught by the
# <bogons>, <sshguard>, <snort2c> or <virusprot> blocks above.
# NOTE(review): the STATES section shows a session to 192.168.254.26:443 from
# 192.168.2.100, outside 192.168.254.0/24 — confirm that GUI exposure on this
# interface is intended, and prefer a source-restricted rule.
pass in quick on em0 proto tcp from any to (em0) port = https flags S/SA keep state (if-bound) label "descr=anti-lockout rule" ridentifier 10001
pass in quick on em0 proto tcp from any to (em0) port = http flags S/SA keep state (if-bound) label "descr=anti-lockout rule" ridentifier 10001
# Contents of the userrules anchor are not part of this listing.
anchor "userrules/*" all
# User rule: passes ALL inbound IPv4 on em0, with no protocol, source,
# destination or port restriction, and is `quick`. It therefore overrides the
# IPv4 default-deny-in rule for everything arriving on em0 that the quick block
# rules above did not already drop. IPv6 inbound is not covered by this rule.
# NOTE(review): on an interface labelled WAN this is an allow-all; confirm it is
# deliberate (e.g. a lab or single-interface appliance) and narrow it otherwise.
pass in quick on em0 reply-to (em0 192.168.254.10) inet all flags S/SA keep state (if-bound) label "id=1766393690" label "tags=user_rule" ridentifier 1766393690
anchor "tftp-proxy/*" all
No queue in use

STATES:
em0 tcp 192.168.254.26:443 <- 192.168.2.100:32725       ESTABLISHED:ESTABLISHED
em0 tcp 192.168.254.26:54025 -> 208.123.73.69:443       FIN_WAIT_2:FIN_WAIT_2
em0 tcp 2a07:7e84:1000:19a1:a00:27ff:feba:b855[9713] -> 2610:160:11:18::207[443]       SYN_SENT:CLOSED
em0 tcp 192.168.254.26:48334 -> 208.123.73.207:443       FIN_WAIT_2:FIN_WAIT_2
em0 tcp 2a07:7e84:1000:19a1:a00:27ff:feba:b855[42706] -> 2610:160:11:18::207[443]       SYN_SENT:CLOSED
em0 tcp 192.168.254.26:24177 -> 208.123.73.207:443       FIN_WAIT_2:FIN_WAIT_2
lo0 udp ff02::1:2[547] <- fe80::a00:27ff:feba:b855[546]       NO_TRAFFIC:SINGLE
em0 udp fe80::a00:27ff:feba:b855[546] -> ff02::1:2[547]       SINGLE:NO_TRAFFIC
em0 udp fe80::a00:27ff:feba:b855[546] <- fe80::92ec:77ff:fe1d:13ee[547]       NO_TRAFFIC:SINGLE
em0 udp 2a07:7e84:1000:19a1:a00:27ff:feba:b855[38883] -> 2404:1fc0:1000:400::42[53]       SINGLE:NO_TRAFFIC
em0 udp 2a07:7e84:1000:19a1:a00:27ff:feba:b855[51453] -> 2404:1fc0:1000:400::42[53]       SINGLE:NO_TRAFFIC
lo0 udp 127.0.0.1:44473 -> 127.0.0.1:53       SINGLE:NO_TRAFFIC
lo0 udp 127.0.0.1:53 <- 127.0.0.1:44473       NO_TRAFFIC:SINGLE
em0 udp 2a07:7e84:1000:19a1:a00:27ff:feba:b855[44008] -> 2a0e:b107:27f9:123::53[53]       SINGLE:NO_TRAFFIC
em0 udp 2a07:7e84:1000:19a1:a00:27ff:feba:b855[50301] -> 2a0e:b107:27f9:123::53[53]       SINGLE:NO_TRAFFIC
em0 udp 2a07:7e84:1000:19a1:a00:27ff:feba:b855[20533] -> 2604:1380:2:6002::41:1[53]       SINGLE:NO_TRAFFIC
em0 udp 2a07:7e84:1000:19a1:a00:27ff:feba:b855[38658] -> 2604:1380:2:6002::41:1[53]       SINGLE:NO_TRAFFIC
em0 udp 2a07:7e84:1000:19a1:a00:27ff:feba:b855[123] -> 2a05:b400:c::123:60[123]       SINGLE:NO_TRAFFIC
em0 tcp 192.168.254.26:443 <- 192.168.254.25:13109       FIN_WAIT_2:FIN_WAIT_2
em0 icmp 192.168.254.26:15525 -> 192.168.254.10:8       0:0
em0 ipv6-icmp fe80::a00:27ff:feba:b855[15568] -> fe80::92ec:77ff:fe1d:13ee[128]       NO_TRAFFIC:NO_TRAFFIC
em0 udp 192.168.254.26:123 -> 81.28.248.70:123       MULTIPLE:SINGLE
em0 ipv6-icmp fe80::a00:27ff:feba:b855 -> fe80::92ec:77ff:fe1d:13ee[135]       NO_TRAFFIC:NO_TRAFFIC

INFO:
Status: Enabled for 0 days 00:49:36           Debug: Urgent

Interface Stats for em0               IPv4             IPv6
  Bytes In                               0                0
  Bytes Out                              0                0
  Packets In
    Passed                           12304                0
    Blocked                              4                0
  Packets Out
    Passed                               0             6613
    Blocked                          15751                0

State Table                          Total             Rate
  current entries                       23               
  searches                           41817           14.1/s
  inserts                             1403            0.5/s
  removals                            1380            0.5/s
Counters
  match                               1409            0.5/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
  map-failed                             0            0.0/s
  translate                              0            0.0/s

LABEL COUNTERS:
descr=Block NAT64 for non-global IPv4 1409 0 0 0 0 0 0 0
descr=Block NAT64 for non-global IPv4 1070 0 0 0 0 0 0 0
descr=Block IPv4 link-local 1409 0 0 0 0 0 0 0
descr=Block IPv4 link-local 143 0 0 0 0 0 0 0
descr=Default deny rule IPv4 tags=ruleset:8606289c5dd90a83 11 0 0 0 0 0 0 0
descr=Default deny rule IPv4 tags=ruleset:8606289c5dd90a83 51 0 0 0 0 0 0 0
descr=Default deny rule IPv6 tags=ruleset:8606289c5dd90a83 60 0 0 0 0 0 0 0
descr=Default deny rule IPv6 tags=ruleset:8606289c5dd90a83 49 0 0 0 0 0 0 0
descr=Block traffic from port 0 1139 0 0 0 0 0 0 0
descr=Block traffic from port 0 582 0 0 0 0 0 0 0
descr=Block traffic to port 0 653 0 0 0 0 0 0 0
descr=Block traffic to port 0 582 0 0 0 0 0 0 0
descr=Block traffic from port 0 1139 0 0 0 0 0 0 0
descr=Block traffic from port 0 456 0 0 0 0 0 0 0
descr=Block traffic to port 0 486 0 0 0 0 0 0 0
descr=Block traffic to port 0 456 0 0 0 0 0 0 0
descr=Block snort2c hosts 1139 0 0 0 0 0 0 0
descr=Block snort2c hosts 1139 0 0 0 0 0 0 0
descr=sshguard 1139 0 0 0 0 0 0 0
descr=GUI Lockout 0 0 0 0 0 0 0 0
descr=virusprot overload table 208 0 0 0 0 0 0 0
descr=Prevent routing dhcp responses 1139 0 0 0 0 0 0 0
descr=allow dhcp replies in WAN 208 2 635 2 635 0 0 0
descr=allow dhcp client out WAN 849 0 0 0 0 0 0 0
descr=allow dhcpv6 client in WAN 729 0 0 0 0 0 0 0
descr=allow dhcpv6 client in WAN 29 26 4786 26 4786 0 0 1
descr=allow dhcpv6 client out WAN 704 26 2662 0 0 26 2662 1
descr=block bogon IPv4 networks from WAN 816 4 1312 4 1312 0 0 0
descr=block bogon IPv6 networks from WAN 26 0 0 0 0 0 0 0
descr=pass IPv4 loopback 138 209 18469 111 7853 98 10616 10
descr=pass IPv4 loopback 1017 0 0 0 0 0 0 0
descr=pass IPv6 loopback 277 59 6958 44 4520 15 2438 2
descr=pass IPv6 loopback 166 0 0 0 0 0 0 0
descr=let out anything IPv4 from firewall host itself 1043 5631 175962 2809 89409 2822 86553 11
descr=let out anything IPv6 from firewall host itself 906 5859 322734 2927 167853 2932 154881 12
descr=let out anything from firewall host itself 906 5124 3104028 2497 2854897 2627 249131 10
descr=let out anything from firewall host itself 535 0 0 0 0 0 0 0
descr=anti-lockout rule 1079 6955 5638833 2541 391570 4414 5247263 1
descr=anti-lockout rule 0 0 0 0 0 0 0 0
id=1766393690 tags=user_rule 641 0 0 0 0 0 0 0

TIMEOUTS:
tcp.first                   120s
tcp.opening                  30s
tcp.established           86400s
tcp.closing                 900s
tcp.finwait                  45s
tcp.closed                   90s
tcp.tsdiff                   30s
sctp.first                  120s
sctp.opening                 30s
sctp.established          86400s
sctp.closing                900s
sctp.closed                  90s
udp.first                    60s
udp.single                   30s
udp.multiple                 60s
icmp.first                   20s
icmp.error                   10s
other.first                  60s
other.single                 30s
other.multiple               60s
frag                         60s
interval                     10s
adaptive.start           241200 states
adaptive.end             482400 states
src.track                     0s

LIMITS:
states        hard limit   402000
src-nodes     hard limit   402000
frags         hard limit     5000
table-entries hard limit   400000
anchors       hard limit      512
eth-anchors   hard limit        0

TABLES:
WAN__NETWORK
WIREGUARD__NETWORK
_nat64reserved_
bogons
bogonsv6
snort2c
sshguard
virusprot

OS FINGERPRINTS:
762 fingerprints loaded
