TRANSLATION RULES:
no nat proto carp all
nat-anchor "natearly/*" all
nat-anchor "natrules/*" all
nat on em0 inet from 127.0.0.0/8 to any port = isakmp -> 192.168.254.26 static-port
nat on em0 inet6 from ::1 to any port = isakmp -> 2a07:7e84:1000:19a1::3000 static-port
nat on em0 inet from 127.0.0.0/8 to any -> 192.168.254.26 port 1024:65535
nat on em0 inet6 from ::1 to any -> 2a07:7e84:1000:19a1::3000 port 1024:65535
no rdr proto carp all
rdr-anchor "tftp-proxy/*" all

FILTER RULES:
scrub from any to <vpn_networks> fragment no reassemble
scrub from <vpn_networks> to any fragment no reassemble
scrub on em0 inet all fragment reassemble
scrub on em0 inet6 all fragment reassemble
anchor "openvpn/*" all
anchor "ipsec/*" all
block drop in log quick inet6 from any to <_nat64reserved_> label "descr=Block NAT64 for non-global IPv4" ridentifier 1000000001
block drop out log quick inet6 from any to <_nat64reserved_> label "descr=Block NAT64 for non-global IPv4" ridentifier 1000000002
block drop in log quick inet from 169.254.0.0/16 to any label "descr=Block IPv4 link-local" ridentifier 1000000101
block drop in log quick inet from any to 169.254.0.0/16 label "descr=Block IPv4 link-local" ridentifier 1000000102
block drop in log inet all label "descr=Default deny rule IPv4" label "tags=ruleset:647b5dca09b1fa1f" ridentifier 1000000103
block drop out log inet all label "descr=Default deny rule IPv4" label "tags=ruleset:647b5dca09b1fa1f" ridentifier 1000000104
block drop in log inet6 all label "descr=Default deny rule IPv6" label "tags=ruleset:647b5dca09b1fa1f" ridentifier 1000000105
block drop out log inet6 all label "descr=Default deny rule IPv6" label "tags=ruleset:647b5dca09b1fa1f" ridentifier 1000000106
pass quick inet6 proto ipv6-icmp all icmp6-type unreach keep state (if-bound) ridentifier 1000000107
pass quick inet6 proto ipv6-icmp all icmp6-type toobig keep state (if-bound) ridentifier 1000000107
pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state (if-bound) ridentifier 1000000107
pass quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state (if-bound) ridentifier 1000000107
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state (if-bound) ridentifier 1000000108
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state (if-bound) ridentifier 1000000108
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state (if-bound) ridentifier 1000000108
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state (if-bound) ridentifier 1000000108
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state (if-bound) ridentifier 1000000108
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state (if-bound) ridentifier 1000000109
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state (if-bound) ridentifier 1000000109
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state (if-bound) ridentifier 1000000109
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state (if-bound) ridentifier 1000000109
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state (if-bound) ridentifier 1000000109
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state (if-bound) ridentifier 1000000110
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state (if-bound) ridentifier 1000000110
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state (if-bound) ridentifier 1000000110
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state (if-bound) ridentifier 1000000110
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state (if-bound) ridentifier 1000000110
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state (if-bound) ridentifier 1000000111
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state (if-bound) ridentifier 1000000111
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state (if-bound) ridentifier 1000000111
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbrsol keep state (if-bound) ridentifier 1000000111
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbradv keep state (if-bound) ridentifier 1000000111
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state (if-bound) ridentifier 1000000112
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state (if-bound) ridentifier 1000000112
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state (if-bound) ridentifier 1000000112
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state (if-bound) ridentifier 1000000112
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state (if-bound) ridentifier 1000000112
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type echoreq keep state (if-bound) ridentifier 1000000113
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type routersol keep state (if-bound) ridentifier 1000000113
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type routeradv keep state (if-bound) ridentifier 1000000113
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type neighbrsol keep state (if-bound) ridentifier 1000000113
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type neighbradv keep state (if-bound) ridentifier 1000000113
block drop log quick inet proto tcp from any port = 0 to any label "descr=Block traffic from port 0" ridentifier 1000000114
block drop log quick inet proto udp from any port = 0 to any label "descr=Block traffic from port 0" ridentifier 1000000114
block drop log quick inet proto tcp from any to any port = 0 label "descr=Block traffic to port 0" ridentifier 1000000115
block drop log quick inet proto udp from any to any port = 0 label "descr=Block traffic to port 0" ridentifier 1000000115
block drop log quick inet6 proto tcp from any port = 0 to any label "descr=Block traffic from port 0" ridentifier 1000000116
block drop log quick inet6 proto udp from any port = 0 to any label "descr=Block traffic from port 0" ridentifier 1000000116
block drop log quick inet6 proto tcp from any to any port = 0 label "descr=Block traffic to port 0" ridentifier 1000000117
block drop log quick inet6 proto udp from any to any port = 0 label "descr=Block traffic to port 0" ridentifier 1000000117
block drop log quick from <snort2c> to any label "descr=Block snort2c hosts" ridentifier 1000000118
block drop log quick from any to <snort2c> label "descr=Block snort2c hosts" ridentifier 1000000119
block drop in log quick proto tcp from <sshguard> to (self) port = ssh label "descr=sshguard" ridentifier 1000000301
block drop in log quick proto tcp from <sshguard> to (self) port = https label "descr=GUI Lockout" ridentifier 1000000351
block drop in log quick from <virusprot> to any label "descr=virusprot overload table" ridentifier 1000000400
block drop out quick proto udp from any port = bootps to any port = bootpc label "descr=Prevent routing dhcp responses" ridentifier 1000000451 tagged dhcpin
pass in quick on em0 proto udp from any port = bootps to any port = bootpc no state label "descr=allow dhcp replies in WAN" ridentifier 1000000461 tag dhcpin
pass out quick on em0 proto udp from any port = bootpc to any port = bootps no state label "descr=allow dhcp client out WAN" ridentifier 1000000462
pass in quick on em0 inet6 proto udp from fe80::/10 port = dhcpv6-client to fe80::/10 port = dhcpv6-client keep state (if-bound) label "descr=allow dhcpv6 client in WAN" ridentifier 1000000463
pass in quick on em0 proto udp from any port = dhcpv6-server to any port = dhcpv6-client keep state (if-bound) label "descr=allow dhcpv6 client in WAN" ridentifier 1000000464
pass out quick on em0 proto udp from any port = dhcpv6-client to any port = dhcpv6-server keep state (if-bound) label "descr=allow dhcpv6 client out WAN" ridentifier 1000000465
block drop in log quick on em0 from <bogons> to any label "descr=block bogon IPv4 networks from WAN" ridentifier 11001
block drop in log quick on em0 from <bogonsv6> to any label "descr=block bogon IPv6 networks from WAN" ridentifier 11002
block drop in log on ! em0 inet6 from 2a07:7e84:1000:19a1::/64 to any ridentifier 1000001470
block drop in log on em0 inet6 from fe80::a00:27ff:feba:b855 to any ridentifier 1000001470
block drop in log inet6 from 2a07:7e84:1000:19a1:a00:27ff:feba:b855 to any ridentifier 1000001470
block drop in log inet6 from 2a07:7e84:1000:19a1::3000 to any ridentifier 1000001470
block drop in log on ! em0 inet from 192.168.254.0/24 to any ridentifier 1000001470
block drop in log inet from 192.168.254.26 to any ridentifier 1000001470
pass in on lo0 inet all flags S/SA keep state (if-bound) label "descr=pass IPv4 loopback" ridentifier 1000002561
pass out on lo0 inet all flags S/SA keep state (if-bound) label "descr=pass IPv4 loopback" ridentifier 1000002562
pass in on lo0 inet6 all flags S/SA keep state (if-bound) label "descr=pass IPv6 loopback" ridentifier 1000002563
pass out on lo0 inet6 all flags S/SA keep state (if-bound) label "descr=pass IPv6 loopback" ridentifier 1000002564
pass out inet all flags S/SA keep state (if-bound) allow-opts label "descr=let out anything IPv4 from firewall host itself" ridentifier 1000002565
pass out inet6 all flags S/SA keep state (if-bound) allow-opts label "descr=let out anything IPv6 from firewall host itself" ridentifier 1000002566
pass out route-to (em0 192.168.254.10) inet from 192.168.254.26 to ! 192.168.254.0/24 flags S/SA keep state (if-bound) allow-opts label "descr=let out anything from firewall host itself" ridentifier 1000002661
pass out route-to (em0 fe80::92ec:77ff:fe1d:13ee) inet6 from 2a07:7e84:1000:19a1::3000 to ! 2a07:7e84:1000:19a1::/64 flags S/SA keep state (if-bound) allow-opts label "descr=let out anything from firewall host itself" ridentifier 1000002662
pass in quick on em0 proto tcp from any to (em0) port = https flags S/SA keep state (if-bound) label "descr=anti-lockout rule" ridentifier 10001
pass in quick on em0 proto tcp from any to (em0) port = http flags S/SA keep state (if-bound) label "descr=anti-lockout rule" ridentifier 10001
anchor "userrules/*" all
pass in quick on em0 reply-to (em0 192.168.254.10) inet all flags S/SA keep state (if-bound) label "id=1766393690" label "tags=user_rule" ridentifier 1766393690
pass in quick on em0 reply-to (em0 192.168.254.10) inet proto tcp all flags S/SA keep state (if-bound) label "id=1766393877" label "tags=user_rule" label "descr=test" ridentifier 1766393877
anchor "tftp-proxy/*" all
No queue in use

STATES:
em0 tcp 192.168.254.26:443 <- 192.168.2.100:32717       FIN_WAIT_2:FIN_WAIT_2
em0 tcp 192.168.254.26:443 <- 192.168.2.100:32718       FIN_WAIT_2:FIN_WAIT_2
em0 tcp 192.168.254.26:443 <- 192.168.2.100:32723       FIN_WAIT_2:FIN_WAIT_2
em0 tcp 192.168.254.26:443 <- 192.168.2.100:32724       FIN_WAIT_2:FIN_WAIT_2
em0 tcp 192.168.254.26:443 <- 192.168.2.100:32725       ESTABLISHED:ESTABLISHED
lo0 udp 127.0.0.1:27984 -> 127.0.0.1:53       SINGLE:NO_TRAFFIC
lo0 udp 127.0.0.1:53 <- 127.0.0.1:27984       NO_TRAFFIC:SINGLE
em0 udp 2a07:7e84:1000:19a1:a00:27ff:feba:b855[41360] -> 2610:160:11:11::90[53]       SINGLE:NO_TRAFFIC
em0 udp 2a07:7e84:1000:19a1:a00:27ff:feba:b855[55684] -> 2610:160:11:11::90[53]       SINGLE:NO_TRAFFIC
em0 udp 2a07:7e84:1000:19a1:a00:27ff:feba:b855[37958] -> 2610:160:11:11::90[53]       SINGLE:NO_TRAFFIC
lo0 udp 127.0.0.1:39440 -> 127.0.0.1:53       SINGLE:NO_TRAFFIC
lo0 udp 127.0.0.1:53 <- 127.0.0.1:39440       NO_TRAFFIC:SINGLE
em0 udp 2a07:7e84:1000:19a1:a00:27ff:feba:b855[12866] -> 2610:160:11:11::80[53]       SINGLE:NO_TRAFFIC
em0 udp 2a07:7e84:1000:19a1:a00:27ff:feba:b855[46742] -> 2610:160:11:11::80[53]       SINGLE:NO_TRAFFIC
em0 udp 2a07:7e84:1000:19a1:a00:27ff:feba:b855[34691] -> 2610:160:11:11::90[53]       SINGLE:NO_TRAFFIC
em0 udp 2a07:7e84:1000:19a1:a00:27ff:feba:b855[57618] -> 2600:1f10:4c5e:6701:e4b2:c059:13c5:64fb[53]       SINGLE:NO_TRAFFIC
em0 udp 2a07:7e84:1000:19a1:a00:27ff:feba:b855[16536] -> 2600:1f10:4c5e:6701:e4b2:c059:13c5:64fb[53]       SINGLE:NO_TRAFFIC
em0 udp 2a07:7e84:1000:19a1:a00:27ff:feba:b855[60070] -> 2600:1f10:4c5e:6701:e4b2:c059:13c5:64fb[53]       SINGLE:NO_TRAFFIC
em0 udp 2a07:7e84:1000:19a1:a00:27ff:feba:b855[58926] -> 2600:1f10:4c5e:6701:e4b2:c059:13c5:64fb[53]       SINGLE:NO_TRAFFIC
em0 udp 2a07:7e84:1000:19a1:a00:27ff:feba:b855[42264] -> 2610:160:11:11::80[53]       SINGLE:NO_TRAFFIC
em0 udp 2a07:7e84:1000:19a1:a00:27ff:feba:b855[19650] -> 2610:160:11:11::80[53]       SINGLE:NO_TRAFFIC
em0 udp 2a07:7e84:1000:19a1:a00:27ff:feba:b855[123] -> 2a00:6d41:200:2::13[123]       SINGLE:NO_TRAFFIC
em0 tcp 192.168.254.26:443 <- 192.168.254.25:54784       FIN_WAIT_2:FIN_WAIT_2
em0 icmp 192.168.254.26:1400 -> 192.168.254.10:8       0:0
em0 ipv6-icmp fe80::a00:27ff:feba:b855[1685] -> fe80::92ec:77ff:fe1d:13ee[128]       NO_TRAFFIC:NO_TRAFFIC
em0 ipv6-icmp fe80::a00:27ff:feba:b855[135] <- fe80::92ec:77ff:fe1d:13ee       NO_TRAFFIC:NO_TRAFFIC

INFO:
Status: Enabled for 0 days 00:46:09           Debug: Urgent

Interface Stats for em0               IPv4             IPv6
  Bytes In                               0                0
  Bytes Out                              0                0
  Packets In
    Passed                           10662                0
    Blocked                              4                0
  Packets Out
    Passed                               0             6149
    Blocked                          12787                0

State Table                          Total             Rate
  current entries                       26               
  searches                           36212           13.1/s
  inserts                             1300            0.5/s
  removals                            1274            0.5/s
Counters
  match                               1306            0.5/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
  map-failed                             0            0.0/s
  translate                              0            0.0/s

LABEL COUNTERS:
descr=Block NAT64 for non-global IPv4 1306 0 0 0 0 0 0 0
descr=Block NAT64 for non-global IPv4 1000 0 0 0 0 0 0 0
descr=Block IPv4 link-local 1306 0 0 0 0 0 0 0
descr=Block IPv4 link-local 125 0 0 0 0 0 0 0
descr=Default deny rule IPv4 tags=ruleset:647b5dca09b1fa1f 0 0 0 0 0 0 0 0
descr=Default deny rule IPv4 tags=ruleset:647b5dca09b1fa1f 0 0 0 0 0 0 0 0
descr=Default deny rule IPv6 tags=ruleset:647b5dca09b1fa1f 1 0 0 0 0 0 0 0
descr=Default deny rule IPv6 tags=ruleset:647b5dca09b1fa1f 1 0 0 0 0 0 0 0
descr=Block traffic from port 0 1057 0 0 0 0 0 0 0
descr=Block traffic from port 0 530 0 0 0 0 0 0 0
descr=Block traffic to port 0 594 0 0 0 0 0 0 0
descr=Block traffic to port 0 530 0 0 0 0 0 0 0
descr=Block traffic from port 0 1057 0 0 0 0 0 0 0
descr=Block traffic from port 0 439 0 0 0 0 0 0 0
descr=Block traffic to port 0 463 0 0 0 0 0 0 0
descr=Block traffic to port 0 439 0 0 0 0 0 0 0
descr=Block snort2c hosts 1057 0 0 0 0 0 0 0
descr=Block snort2c hosts 1057 0 0 0 0 0 0 0
descr=sshguard 1057 0 0 0 0 0 0 0
descr=GUI Lockout 0 0 0 0 0 0 0 0
descr=virusprot overload table 185 0 0 0 0 0 0 0
descr=Prevent routing dhcp responses 1057 0 0 0 0 0 0 0
descr=allow dhcp replies in WAN 185 2 635 2 635 0 0 0
descr=allow dhcp client out WAN 802 0 0 0 0 0 0 0
descr=allow dhcpv6 client in WAN 700 0 0 0 0 0 0 0
descr=allow dhcpv6 client in WAN 27 24 4420 24 4420 0 0 0
descr=allow dhcpv6 client out WAN 677 24 2462 0 0 24 2462 0
descr=block bogon IPv4 networks from WAN 776 4 1312 4 1312 0 0 0
descr=block bogon IPv6 networks from WAN 25 0 0 0 0 0 0 0
descr=pass IPv4 loopback 120 176 15453 94 6613 82 8840 0
descr=pass IPv4 loopback 943 0 0 0 0 0 0 0
descr=pass IPv6 loopback 239 55 6470 41 4232 14 2238 0
descr=pass IPv6 loopback 145 0 0 0 0 0 0 0
descr=let out anything IPv4 from firewall host itself 968 5504 170220 2746 86270 2758 83950 0
descr=let out anything IPv6 from firewall host itself 849 5713 312356 2854 162008 2859 150348 0
descr=let out anything from firewall host itself 849 4901 3020510 2398 2799625 2503 220885 0
descr=let out anything from firewall host itself 478 0 0 0 0 0 0 0
descr=anti-lockout rule 1001 6894 5612297 2510 370770 4384 5241527 0
descr=anti-lockout rule 0 0 0 0 0 0 0 0
id=1766393690 tags=user_rule 564 0 0 0 0 0 0 0
id=1766393877 tags=user_rule descr=test 0 0 0 0 0 0 0 0

TIMEOUTS:
tcp.first                   120s
tcp.opening                  30s
tcp.established           86400s
tcp.closing                 900s
tcp.finwait                  45s
tcp.closed                   90s
tcp.tsdiff                   30s
sctp.first                  120s
sctp.opening                 30s
sctp.established          86400s
sctp.closing                900s
sctp.closed                  90s
udp.first                    60s
udp.single                   30s
udp.multiple                 60s
icmp.first                   20s
icmp.error                   10s
other.first                  60s
other.single                 30s
other.multiple               60s
frag                         60s
interval                     10s
adaptive.start           241200 states
adaptive.end             482400 states
src.track                     0s

LIMITS:
states        hard limit   402000
src-nodes     hard limit   402000
frags         hard limit     5000
table-entries hard limit   400000
anchors       hard limit      512
eth-anchors   hard limit        0

TABLES:
WAN__NETWORK
WIREGUARD__NETWORK
_nat64reserved_
bogons
bogonsv6
snort2c
sshguard
virusprot

OS FINGERPRINTS:
762 fingerprints loaded
