TRANSLATION RULES:
no nat proto carp all
nat-anchor "natearly/*" all
nat-anchor "natrules/*" all
nat on em0 inet from 127.0.0.0/8 to any port = isakmp -> 192.168.254.25 static-port
nat on em0 inet6 from ::1 to any port = isakmp -> 2a07:7e84:1000:19a1::3001 static-port
nat on em0 inet from 127.0.0.0/8 to any -> 192.168.254.25 port 1024:65535
nat on em0 inet6 from ::1 to any -> 2a07:7e84:1000:19a1::3001 port 1024:65535
no rdr proto carp all
rdr-anchor "tftp-proxy/*" all

FILTER RULES:
scrub from any to <vpn_networks> fragment no reassemble
scrub from <vpn_networks> to any fragment no reassemble
scrub on em0 inet all fragment reassemble
scrub on em0 inet6 all fragment reassemble
anchor "openvpn/*" all
anchor "ipsec/*" all
block drop in log quick inet6 from any to <_nat64reserved_> label "descr=Block NAT64 for non-global IPv4" ridentifier 1000000001
block drop out log quick inet6 from any to <_nat64reserved_> label "descr=Block NAT64 for non-global IPv4" ridentifier 1000000002
block drop in log quick inet from 169.254.0.0/16 to any label "descr=Block IPv4 link-local" ridentifier 1000000101
block drop in log quick inet from any to 169.254.0.0/16 label "descr=Block IPv4 link-local" ridentifier 1000000102
block drop in log inet all label "descr=Default deny rule IPv4" label "tags=ruleset:5e585a53bdd3890f" ridentifier 1000000103
block drop out log inet all label "descr=Default deny rule IPv4" label "tags=ruleset:5e585a53bdd3890f" ridentifier 1000000104
block drop in log inet6 all label "descr=Default deny rule IPv6" label "tags=ruleset:5e585a53bdd3890f" ridentifier 1000000105
block drop out log inet6 all label "descr=Default deny rule IPv6" label "tags=ruleset:5e585a53bdd3890f" ridentifier 1000000106
pass quick inet6 proto ipv6-icmp all icmp6-type unreach keep state (if-bound) ridentifier 1000000107
pass quick inet6 proto ipv6-icmp all icmp6-type toobig keep state (if-bound) ridentifier 1000000107
pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state (if-bound) ridentifier 1000000107
pass quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state (if-bound) ridentifier 1000000107
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state (if-bound) ridentifier 1000000108
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state (if-bound) ridentifier 1000000108
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state (if-bound) ridentifier 1000000108
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state (if-bound) ridentifier 1000000108
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state (if-bound) ridentifier 1000000108
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state (if-bound) ridentifier 1000000109
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state (if-bound) ridentifier 1000000109
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state (if-bound) ridentifier 1000000109
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state (if-bound) ridentifier 1000000109
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state (if-bound) ridentifier 1000000109
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state (if-bound) ridentifier 1000000110
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state (if-bound) ridentifier 1000000110
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state (if-bound) ridentifier 1000000110
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state (if-bound) ridentifier 1000000110
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state (if-bound) ridentifier 1000000110
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state (if-bound) ridentifier 1000000111
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state (if-bound) ridentifier 1000000111
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state (if-bound) ridentifier 1000000111
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbrsol keep state (if-bound) ridentifier 1000000111
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbradv keep state (if-bound) ridentifier 1000000111
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state (if-bound) ridentifier 1000000112
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state (if-bound) ridentifier 1000000112
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state (if-bound) ridentifier 1000000112
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state (if-bound) ridentifier 1000000112
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state (if-bound) ridentifier 1000000112
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type echoreq keep state (if-bound) ridentifier 1000000113
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type routersol keep state (if-bound) ridentifier 1000000113
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type routeradv keep state (if-bound) ridentifier 1000000113
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type neighbrsol keep state (if-bound) ridentifier 1000000113
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type neighbradv keep state (if-bound) ridentifier 1000000113
block drop log quick inet proto tcp from any port = 0 to any label "descr=Block traffic from port 0" ridentifier 1000000114
block drop log quick inet proto udp from any port = 0 to any label "descr=Block traffic from port 0" ridentifier 1000000114
block drop log quick inet proto tcp from any to any port = 0 label "descr=Block traffic to port 0" ridentifier 1000000115
block drop log quick inet proto udp from any to any port = 0 label "descr=Block traffic to port 0" ridentifier 1000000115
block drop log quick inet6 proto tcp from any port = 0 to any label "descr=Block traffic from port 0" ridentifier 1000000116
block drop log quick inet6 proto udp from any port = 0 to any label "descr=Block traffic from port 0" ridentifier 1000000116
block drop log quick inet6 proto tcp from any to any port = 0 label "descr=Block traffic to port 0" ridentifier 1000000117
block drop log quick inet6 proto udp from any to any port = 0 label "descr=Block traffic to port 0" ridentifier 1000000117
block drop log quick from <snort2c> to any label "descr=Block snort2c hosts" ridentifier 1000000118
block drop log quick from any to <snort2c> label "descr=Block snort2c hosts" ridentifier 1000000119
block drop in log quick proto tcp from <sshguard> to (self) port = ssh label "descr=sshguard" ridentifier 1000000301
block drop in log quick proto tcp from <sshguard> to (self) port = https label "descr=GUI Lockout" ridentifier 1000000351
block drop in log quick from <virusprot> to any label "descr=virusprot overload table" ridentifier 1000000400
block drop out quick proto udp from any port = bootps to any port = bootpc label "descr=Prevent routing dhcp responses" ridentifier 1000000451 tagged dhcpin
pass in quick on em0 proto udp from any port = bootps to any port = bootpc no state label "descr=allow dhcp replies in WAN" ridentifier 1000000461 tag dhcpin
pass out quick on em0 proto udp from any port = bootpc to any port = bootps no state label "descr=allow dhcp client out WAN" ridentifier 1000000462
pass in quick on em0 inet6 proto udp from fe80::/10 port = dhcpv6-client to fe80::/10 port = dhcpv6-client keep state (if-bound) label "descr=allow dhcpv6 client in WAN" ridentifier 1000000463
pass in quick on em0 proto udp from any port = dhcpv6-server to any port = dhcpv6-client keep state (if-bound) label "descr=allow dhcpv6 client in WAN" ridentifier 1000000464
pass out quick on em0 proto udp from any port = dhcpv6-client to any port = dhcpv6-server keep state (if-bound) label "descr=allow dhcpv6 client out WAN" ridentifier 1000000465
block drop in log quick on em0 from <bogons> to any label "descr=block bogon IPv4 networks from WAN" ridentifier 11001
block drop in log quick on em0 from <bogonsv6> to any label "descr=block bogon IPv6 networks from WAN" ridentifier 11002
block drop in log on ! em0 inet6 from 2a07:7e84:1000:19a1::/64 to any ridentifier 1000001470
block drop in log on em0 inet6 from fe80::a00:27ff:fed4:3e55 to any ridentifier 1000001470
block drop in log inet6 from 2a07:7e84:1000:19a1:a00:27ff:fed4:3e55 to any ridentifier 1000001470
block drop in log inet6 from 2a07:7e84:1000:19a1::3001 to any ridentifier 1000001470
block drop in log on ! em0 inet from 192.168.254.0/24 to any ridentifier 1000001470
block drop in log inet from 192.168.254.25 to any ridentifier 1000001470
pass in on lo0 inet all flags S/SA keep state (if-bound) label "descr=pass IPv4 loopback" ridentifier 1000002561
pass out on lo0 inet all flags S/SA keep state (if-bound) label "descr=pass IPv4 loopback" ridentifier 1000002562
pass in on lo0 inet6 all flags S/SA keep state (if-bound) label "descr=pass IPv6 loopback" ridentifier 1000002563
pass out on lo0 inet6 all flags S/SA keep state (if-bound) label "descr=pass IPv6 loopback" ridentifier 1000002564
pass out inet all flags S/SA keep state (if-bound) allow-opts label "descr=let out anything IPv4 from firewall host itself" ridentifier 1000002565
pass out inet6 all flags S/SA keep state (if-bound) allow-opts label "descr=let out anything IPv6 from firewall host itself" ridentifier 1000002566
pass out route-to (em0 192.168.254.10) inet from 192.168.254.25 to ! 192.168.254.0/24 flags S/SA keep state (if-bound) allow-opts label "descr=let out anything from firewall host itself" ridentifier 1000002661
pass out route-to (em0 fe80::92ec:77ff:fe1d:13ee) inet6 from 2a07:7e84:1000:19a1::3001 to ! 2a07:7e84:1000:19a1::/64 flags S/SA keep state (if-bound) allow-opts label "descr=let out anything from firewall host itself" ridentifier 1000002662
pass in quick on em0 proto tcp from any to (em0) port = https flags S/SA keep state (if-bound) label "descr=anti-lockout rule" ridentifier 10001
pass in quick on em0 proto tcp from any to (em0) port = http flags S/SA keep state (if-bound) label "descr=anti-lockout rule" ridentifier 10001
anchor "userrules/*" all
pass in quick on em0 reply-to (em0 192.168.254.10) inet all flags S/SA keep state (if-bound) label "id=1766393690" label "tags=user_rule" ridentifier 1766393690
pass in quick on em0 reply-to (em0 192.168.254.10) inet proto tcp all flags S/SA keep state (if-bound) label "id=1766393877" label "tags=user_rule" label "descr=test" ridentifier 1766393877
anchor "tftp-proxy/*" all
No queue in use

STATES:
em0 icmp 192.168.254.25:27265 -> 192.168.254.10:8       0:0
em0 ipv6-icmp fe80::a00:27ff:fed4:3e55[27613] -> fe80::92ec:77ff:fe1d:13ee[128]       NO_TRAFFIC:NO_TRAFFIC
em0 tcp 192.168.254.25:443 <- 192.168.254.20:30416       FIN_WAIT_2:FIN_WAIT_2
em0 tcp 192.168.254.25:443 <- 192.168.2.100:32691       FIN_WAIT_2:FIN_WAIT_2
em0 tcp 192.168.254.25:443 <- 192.168.2.100:32692       FIN_WAIT_2:FIN_WAIT_2
em0 tcp 192.168.254.25:443 <- 192.168.2.100:32701       FIN_WAIT_2:FIN_WAIT_2
em0 tcp 192.168.254.25:443 <- 192.168.2.100:32702       FIN_WAIT_2:FIN_WAIT_2
em0 tcp 192.168.254.25:443 <- 192.168.2.100:32703       ESTABLISHED:ESTABLISHED
lo0 udp 127.0.0.1:20844 -> 127.0.0.1:53       SINGLE:NO_TRAFFIC
lo0 udp 127.0.0.1:53 <- 127.0.0.1:20844       NO_TRAFFIC:SINGLE
em0 udp 2a07:7e84:1000:19a1:a00:27ff:fed4:3e55[40089] -> 2600:1f10:4c5e:6701:e4b2:c059:13c5:64fb[53]       SINGLE:NO_TRAFFIC
em0 udp 2a07:7e84:1000:19a1:a00:27ff:fed4:3e55[57671] -> 2600:1f10:4c5e:6701:e4b2:c059:13c5:64fb[53]       SINGLE:NO_TRAFFIC
em0 udp 2a07:7e84:1000:19a1:a00:27ff:fed4:3e55[28180] -> 2610:160:11:11::90[53]       SINGLE:NO_TRAFFIC
em0 udp 2a07:7e84:1000:19a1:a00:27ff:fed4:3e55[41103] -> 2610:160:11:11::90[53]       SINGLE:NO_TRAFFIC
em0 udp 2a07:7e84:1000:19a1:a00:27ff:fed4:3e55[51452] -> 2610:160:11:11::80[53]       SINGLE:NO_TRAFFIC
em0 udp 2a07:7e84:1000:19a1:a00:27ff:fed4:3e55[8441] -> 2610:160:11:11::80[53]       SINGLE:NO_TRAFFIC
em0 udp 2a07:7e84:1000:19a1:a00:27ff:fed4:3e55[13812] -> 2610:160:11:11::90[53]       SINGLE:NO_TRAFFIC
em0 udp 2a07:7e84:1000:19a1:a00:27ff:fed4:3e55[7755] -> 2610:160:11:11::90[53]       SINGLE:NO_TRAFFIC
em0 udp 2a07:7e84:1000:19a1:a00:27ff:fed4:3e55[123] -> 2a01:7e0:0:620::13[123]       SINGLE:NO_TRAFFIC
em0 tcp 192.168.254.25:54784 -> 192.168.254.26:443       FIN_WAIT_2:FIN_WAIT_2

INFO:
Status: Enabled for 0 days 00:46:05           Debug: Urgent

Interface Stats for em0               IPv4             IPv6
  Bytes In                               0                0
  Bytes Out                              0                0
  Packets In
    Passed                           11063                0
    Blocked                              2                0
  Packets Out
    Passed                               0             6154
    Blocked                          13515                0

State Table                          Total             Rate
  current entries                       20               
  searches                           37277           13.5/s
  inserts                             1289            0.5/s
  removals                            1269            0.5/s
Counters
  match                               1293            0.5/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
  map-failed                             0            0.0/s
  translate                              0            0.0/s

LABEL COUNTERS:
descr=Block NAT64 for non-global IPv4 1293 0 0 0 0 0 0 0
descr=Block NAT64 for non-global IPv4 1015 0 0 0 0 0 0 0
descr=Block IPv4 link-local 1293 0 0 0 0 0 0 0
descr=Block IPv4 link-local 106 0 0 0 0 0 0 0
descr=Default deny rule IPv4 tags=ruleset:5e585a53bdd3890f 61 0 0 0 0 0 0 0
descr=Default deny rule IPv4 tags=ruleset:5e585a53bdd3890f 622 0 0 0 0 0 0 0
descr=Default deny rule IPv6 tags=ruleset:5e585a53bdd3890f 768 0 0 0 0 0 0 0
descr=Default deny rule IPv6 tags=ruleset:5e585a53bdd3890f 707 0 0 0 0 0 0 0
descr=Block traffic from port 0 1039 0 0 0 0 0 0 0
descr=Block traffic from port 0 544 0 0 0 0 0 0 0
descr=Block traffic to port 0 608 0 0 0 0 0 0 0
descr=Block traffic to port 0 544 0 0 0 0 0 0 0
descr=Block traffic from port 0 1039 0 0 0 0 0 0 0
descr=Block traffic from port 0 418 0 0 0 0 0 0 0
descr=Block traffic to port 0 431 0 0 0 0 0 0 0
descr=Block traffic to port 0 418 0 0 0 0 0 0 0
descr=Block snort2c hosts 1039 0 0 0 0 0 0 0
descr=Block snort2c hosts 1039 0 0 0 0 0 0 0
descr=sshguard 1039 0 0 0 0 0 0 0
descr=GUI Lockout 0 0 0 0 0 0 0 0
descr=virusprot overload table 159 0 0 0 0 0 0 0
descr=Prevent routing dhcp responses 1039 0 0 0 0 0 0 0
descr=allow dhcp replies in WAN 159 2 635 2 635 0 0 0
descr=allow dhcp client out WAN 841 0 0 0 0 0 0 0
descr=allow dhcpv6 client in WAN 760 0 0 0 0 0 0 0
descr=allow dhcpv6 client in WAN 24 23 4237 23 4237 0 0 20
descr=allow dhcpv6 client out WAN 738 23 2362 0 0 23 2362 20
descr=block bogon IPv4 networks from WAN 803 2 656 2 656 0 0 0
descr=block bogon IPv6 networks from WAN 24 0 0 0 0 0 0 0
descr=pass IPv4 loopback 103 147 13794 79 5522 68 8272 44
descr=pass IPv4 loopback 936 0 0 0 0 0 0 0
descr=pass IPv6 loopback 196 41 4238 33 3317 8 921 25
descr=pass IPv6 loopback 118 0 0 0 0 0 0 0
descr=let out anything IPv4 from firewall host itself 960 2881 358471 1431 101384 1450 257087 51
descr=let out anything IPv6 from firewall host itself 858 2425 144196 1209 76283 1216 67913 166
descr=let out anything from firewall host itself 858 1972 866724 952 759638 1020 107086 210
descr=let out anything from firewall host itself 452 0 0 0 0 0 0 0
descr=anti-lockout rule 987 9313 5840876 3682 298627 5631 5542249 17
descr=anti-lockout rule 0 0 0 0 0 0 0 0
id=1766393690 tags=user_rule 525 0 0 0 0 0 0 0
id=1766393877 tags=user_rule descr=test 0 0 0 0 0 0 0 0

TIMEOUTS:
tcp.first                   120s
tcp.opening                  30s
tcp.established           86400s
tcp.closing                 900s
tcp.finwait                  45s
tcp.closed                   90s
tcp.tsdiff                   30s
sctp.first                  120s
sctp.opening                 30s
sctp.established          86400s
sctp.closing                900s
sctp.closed                  90s
udp.first                    60s
udp.single                   30s
udp.multiple                 60s
icmp.first                   20s
icmp.error                   10s
other.first                  60s
other.single                 30s
other.multiple               60s
frag                         60s
interval                     10s
adaptive.start           241200 states
adaptive.end             482400 states
src.track                     0s

LIMITS:
states        hard limit   402000
src-nodes     hard limit   402000
frags         hard limit     5000
table-entries hard limit   400000
anchors       hard limit      512
eth-anchors   hard limit        0

TABLES:
WAN__NETWORK
WIREGUARD__NETWORK
_nat64reserved_
bogons
bogonsv6
snort2c
sshguard
virusprot

OS FINGERPRINTS:
762 fingerprints loaded
