TRANSLATION RULES:
no nat proto carp all
nat-anchor "natearly/*" all
nat-anchor "natrules/*" all
nat on re1 inet from to any port = isakmp -> 78.226.49.193 static-port
nat on re1 inet from to any -> 78.226.49.193 static-port
nat on re0 inet from 127.0.0.0/8 to any port = isakmp -> (re0) round-robin static-port
nat on re0 inet from 127.0.0.0/8 to any -> (re0) port 1024:65535 round-robin
nat on re1 inet from 127.0.0.0/8 to any port = isakmp -> 78.226.49.193 static-port
nat on re1 inet from 127.0.0.0/8 to any -> 78.226.49.193 port 1024:65535
nat on re0 inet6 from ::1 to any port = isakmp -> (re0) round-robin static-port
nat on re0 inet6 from ::1 to any -> (re0) port 1024:65535 round-robin
nat on re1 inet6 from ::1 to any port = isakmp -> (re1) round-robin static-port
nat on re1 inet6 from ::1 to any -> (re1) port 1024:65535 round-robin
nat on re0 inet from 192.168.10.0/24 to any port = isakmp -> (re0) round-robin static-port
nat on re0 inet from 192.168.10.0/24 to any -> (re0) port 1024:65535 round-robin
nat on re1 inet from 192.168.10.0/24 to any port = isakmp -> 78.226.49.193 static-port
nat on re1 inet from 192.168.10.0/24 to any -> 78.226.49.193 port 1024:65535
nat on re0 inet from to any port = isakmp -> (re0) round-robin static-port
nat on re0 inet6 from to any port = isakmp -> (re0) round-robin static-port
nat on re0 inet from to any -> (re0) port 1024:65535 round-robin
nat on re0 inet6 from to any -> (re0) port 1024:65535 round-robin
nat on re1 inet from to any port = isakmp -> 78.226.49.193 static-port
nat on re1 inet6 from to any port = isakmp -> (re1) round-robin static-port
nat on re1 inet from to any -> 78.226.49.193 port 1024:65535
nat on re1 inet6 from to any -> (re1) port 1024:65535 round-robin
no rdr proto carp all
rdr-anchor "relayd/*" all
rdr-anchor "tftp-proxy/*" all
rdr on re1 inet proto tcp from any to 78.226.49.193 port = smtp -> round-robin
rdr on ue0 inet proto tcp from any to 78.226.49.193 port = smtp -> round-robin
rdr on openvpn inet proto tcp from any to 78.226.49.193 port = smtp -> round-robin
rdr on re1 inet proto tcp from any to 78.226.49.193 port = smtps -> round-robin
rdr on ue0 inet proto tcp from any to 78.226.49.193 port = smtps -> round-robin
rdr on openvpn inet proto tcp from any to 78.226.49.193 port = smtps -> round-robin
rdr on re1 inet proto tcp from any to 78.226.49.193 port = submission -> round-robin
rdr on ue0 inet proto tcp from any to 78.226.49.193 port = submission -> round-robin
rdr on openvpn inet proto tcp from any to 78.226.49.193 port = submission -> round-robin
rdr on re1 inet proto tcp from any to 78.226.49.193 port = imap -> round-robin
rdr on ue0 inet proto tcp from any to 78.226.49.193 port = imap -> round-robin
rdr on openvpn inet proto tcp from any to 78.226.49.193 port = imap -> round-robin
rdr on re1 inet proto tcp from any to 78.226.49.193 port = imaps -> round-robin
rdr on ue0 inet proto tcp from any to 78.226.49.193 port = imaps -> round-robin
rdr on openvpn inet proto tcp from any to 78.226.49.193 port = imaps -> round-robin
rdr-anchor "miniupnpd" all

FILTER RULES:
scrub on re0 all fragment reassemble
scrub on ue0 all fragment reassemble
scrub on re1 all fragment reassemble
anchor "relayd/*" all
anchor "openvpn/*" all
anchor "ipsec/*" all
block drop in log quick inet from 169.254.0.0/16 to any label "Block IPv4 link-local"
block drop in log quick inet from any to 169.254.0.0/16 label "Block IPv4 link-local"
block drop in log inet all label "Default deny rule IPv4"
block drop out log inet all label "Default deny rule IPv4"
block drop in log inet6 all label "Default deny rule IPv6"
block drop out log inet6 all label "Default deny rule IPv6"
pass quick inet6 proto ipv6-icmp all icmp6-type unreach keep state
pass quick inet6 proto ipv6-icmp all icmp6-type toobig keep state
pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
pass quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbrsol keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbradv keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type echoreq keep state
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type routersol keep state
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type routeradv keep state
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type neighbrsol keep state
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type neighbradv keep state
block drop log quick inet proto tcp from any port = 0 to any label "Block traffic from port 0"
block drop log quick inet proto udp from any port = 0 to any label "Block traffic from port 0"
block drop log quick inet proto tcp from any to any port = 0 label "Block traffic to port 0"
block drop log quick inet proto udp from any to any port = 0 label "Block traffic to port 0"
block drop log quick inet6 proto tcp from any port = 0 to any label "Block traffic from port 0"
block drop log quick inet6 proto udp from any port = 0 to any label "Block traffic from port 0"
block drop log quick inet6 proto tcp from any to any port = 0 label "Block traffic to port 0"
block drop log quick inet6 proto udp from any to any port = 0 label "Block traffic to port 0"
block drop log quick from to any label "Block snort2c hosts"
block drop log quick from any to label "Block snort2c hosts"
block drop in log quick proto tcp from to (self) port = ssh label "sshguard"
block drop in log quick proto tcp from to (self) port = https label "webConfiguratorlockout"
block drop in log quick from to any label "virusprot overload table"
pass in quick on re0 proto udp from any port = bootps to any port = bootpc keep state label "allow dhcp client out WAN4G"
pass out quick on re0 proto udp from any port = bootpc to any port = bootps keep state label "allow dhcp client out WAN4G"
block drop in log on ! ue0 inet from 192.168.10.0/24 to any
block drop in log inet from 192.168.10.1 to any
block drop in log on ue0 inet6 from fe80::a2ce:c8ff:fe04:16e8 to any
pass in quick on ue0 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
pass in quick on ue0 inet proto udp from any port = bootpc to 192.168.10.1 port = bootps keep state label "allow access to DHCP server"
pass out quick on ue0 inet proto udp from 192.168.10.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
pass in quick on re1 proto udp from any port = bootps to any port = bootpc keep state label "allow dhcp client out WANADSL"
pass out quick on re1 proto udp from any port = bootpc to any port = bootps keep state label "allow dhcp client out WANADSL"
block drop in log on ! re1 inet from 78.226.49.0/24 to any
block drop in log inet from 78.226.49.193 to any
block drop in log on re1 inet6 from fe80::2e0:4cff:fe68:110e to any
pass in on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
pass out on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
pass in on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
pass out on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"
pass out route-to (re1 78.226.49.254) inet from 78.226.49.193 to ! 78.226.49.0/24 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
pass in quick on ue0 proto tcp from any to (ue0) port = https flags S/SA keep state label "anti-lockout rule"
pass in quick on ue0 proto tcp from any to (ue0) port = http flags S/SA keep state label "anti-lockout rule"
pass in quick on ue0 proto tcp from any to (ue0) port = ssh flags S/SA keep state label "anti-lockout rule"
pass in inet all flags S/SA keep state label "NAT REFLECT: Allow traffic to localhost" tagged PFREFLECT
anchor "userrules/*" all
pass quick on ue0 inet from 78.226.49.42 to any flags S/SA keep state label "USER_RULE"
pass quick on re1 inet from 78.226.49.42 to any flags S/SA keep state label "USER_RULE"
pass in quick on openvpn inet all flags S/SA keep state label "USER_RULE"
pass in quick on ue0 inet from 192.168.10.0/24 to flags S/SA keep state label "USER_RULE"
pass in quick on ue0 inet from any to flags S/SA keep state label "NEGATE_ROUTE: Negate policy routing for destination"
pass in quick on ue0 route-to (re1 78.226.49.254) inet all flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
pass in quick on ue0 inet6 all flags S/SA keep state label "USER_RULE: Default allow LAN IPv6 to any rule"
pass in quick on re1 reply-to (re1 78.226.49.254) inet proto tcp from any to any port = https flags S/SA keep state label "USER_RULE"
pass in log quick on re1 reply-to (re1 78.226.49.254) inet proto tcp from any to port = smtp flags S/SA keep state label "USER_RULE: NAT"
pass in log quick on re1 reply-to (re1 78.226.49.254) inet proto tcp from any to port = smtps flags S/SA keep state label "USER_RULE: NAT"
pass in log quick on re1 reply-to (re1 78.226.49.254) inet proto tcp from any to port = submission flags S/SA keep state label "USER_RULE: NAT"
pass in log quick on re1 reply-to (re1 78.226.49.254) inet proto tcp from any to port = imap flags S/SA keep state label "USER_RULE: NAT"
pass in log quick on re1 reply-to (re1 78.226.49.254) inet proto tcp from any to port = imaps flags S/SA keep state label "USER_RULE: NAT"
anchor "tftp-proxy/*" all
anchor "miniupnpd" all

No queue in use