# pf ruleset dump (NAT/rdr section first, then scrub/anchors/filter rules), as
# emitted by pfctl. The anchor and label names ("natearly/*", "userrules/*",
# "sshlockout", "webConfiguratorlockout", "NEGATE_ROUTE", ...) match the
# generator style of pfSense, so this is presumably an auto-generated ruleset
# rather than a hand-written pf.conf.
#
# Interfaces seen here:
#   hn0 - public /29 (138.201.100.136/29), address 138.201.100.138, gateway .137
#   hn3 - public /27 (148.251.68.192/27), address 148.251.68.211, gateway .193
#   hn1 - 192.168.1.0/24, address 192.168.1.1
#   hn2 - 192.168.2.0/24, address 192.168.2.1
#
# NOTE(review): several rules below read "from to any" / "to (self)" with the
# source/destination missing. pfctl prints table references in angle brackets
# (e.g. "<sshlockout>"), so these were most likely stripped as markup when
# the dump was captured. The labels name the tables (snort2c, sshlockout,
# webConfiguratorlockout, virusprot, bogons/bogonsv6, and a negate-networks
# table for the NEGATE_ROUTE rules); verify against the live ruleset before
# reusing this text, because as written these rules would not load.

# --- Outbound NAT ----------------------------------------------------------
# CARP is never translated.
no nat proto carp all
nat-anchor "natearly/*" all
nat-anchor "natrules/*" all
# Automatic outbound NAT on the hn0 uplink. IKE (isakmp, udp/500) keeps its
# source port (static-port) so NAT-T / IPsec peers see the expected port;
# everything else is rewritten into the 1024:65535 ephemeral range.
# 127.0.0.0/8 is included so locally originated, loopback-sourced traffic is
# translated too.
nat on hn0 inet from 127.0.0.0/8 to any port = isakmp -> 138.201.100.138 static-port
nat on hn0 inet from 192.168.1.0/24 to any port = isakmp -> 138.201.100.138 static-port
nat on hn0 inet from 192.168.2.0/24 to any port = isakmp -> 138.201.100.138 static-port
nat on hn0 inet from 127.0.0.0/8 to any -> 138.201.100.138 port 1024:65535
nat on hn0 inet from 192.168.1.0/24 to any -> 138.201.100.138 port 1024:65535
nat on hn0 inet from 192.168.2.0/24 to any -> 138.201.100.138 port 1024:65535
# Same translation set for the hn3 uplink.
nat on hn3 inet from 127.0.0.0/8 to any port = isakmp -> 148.251.68.211 static-port
nat on hn3 inet from 192.168.1.0/24 to any port = isakmp -> 148.251.68.211 static-port
nat on hn3 inet from 192.168.2.0/24 to any port = isakmp -> 148.251.68.211 static-port
nat on hn3 inet from 127.0.0.0/8 to any -> 148.251.68.211 port 1024:65535
nat on hn3 inet from 192.168.1.0/24 to any -> 148.251.68.211 port 1024:65535
nat on hn3 inet from 192.168.2.0/24 to any -> 148.251.68.211 port 1024:65535

# --- Port forwards (rdr) ---------------------------------------------------
no rdr proto carp all
rdr-anchor "relayd/*" all
rdr-anchor "tftp-proxy/*" all
# NOTE(review): both forwards below expose RDP (3389) on 192.168.1.100 and
# 192.168.1.101 to any source address on the Internet, behind alternate
# external ports 3390/3395. Changing the external port does not reduce the
# exposure; if these hosts do not need to be reachable from arbitrary
# sources, restrict the source to known addresses or move access behind the
# VPN anchors ("openvpn/*" / "ipsec/*") that this ruleset already carries.
rdr on hn0 inet proto tcp from any to 138.201.100.138 port = 3390 -> 192.168.1.100 port 3389
# SMTP is forwarded on both uplinks, each to a different internal host.
rdr on hn0 inet proto tcp from any to 138.201.100.138 port = smtp -> 192.168.1.100
rdr on hn3 inet proto tcp from any to 148.251.68.211 port = smtp -> 192.168.2.100
# Application port 8093 and POP3S to 192.168.1.100.
rdr on hn0 inet proto tcp from any to 138.201.100.138 port = 8093 -> 192.168.1.100
rdr on hn0 inet proto tcp from any to 138.201.100.138 port = pop3s -> 192.168.1.100
# NAT reflection for the POP3S forward: internal clients on hn1/hn2 hitting
# the public address are sent to a local proxy on 127.0.0.1:19000 and tagged
# PFREFLECT, which the "NAT REFLECT" pass rule further down matches on.
rdr on hn1 inet proto tcp from any to 138.201.100.138 port = pop3s tag PFREFLECT -> 127.0.0.1 port 19000
rdr on hn2 inet proto tcp from any to 138.201.100.138 port = pop3s tag PFREFLECT -> 127.0.0.1 port 19000
rdr on hn0 inet proto tcp from any to 138.201.100.138 port = 3395 -> 192.168.1.101 port 3389
# UPnP-managed forwards, if the miniupnpd service is enabled.
rdr-anchor "miniupnpd" all

# --- Normalisation --------------------------------------------------------
# Fragments are reassembled on every interface before filtering, so the
# rules below always see whole packets.
scrub on hn0 all fragment reassemble
scrub on hn1 all fragment reassemble
scrub on hn2 all fragment reassemble
scrub on hn3 all fragment reassemble

# --- Filter rules ---------------------------------------------------------
anchor "relayd/*" all
anchor "openvpn/*" all
anchor "ipsec/*" all
# Link-local IPv4 is dropped in both directions before anything else.
block drop in log quick inet from 169.254.0.0/16 to any label "Block IPv4 link-local"
block drop in log quick inet from any to 169.254.0.0/16 label "Block IPv4 link-local"
# Default deny, both directions, both address families. These are not
# "quick", so later pass rules override them; anything not explicitly passed
# is logged and dropped.
block drop in log inet all label "Default deny rule IPv4"
block drop out log inet all label "Default deny rule IPv4"
block drop in log inet6 all label "Default deny rule IPv6"
block drop out log inet6 all label "Default deny rule IPv6"
# ICMPv6 required for IPv6 to function at all (PMTU, neighbour discovery).
pass quick inet6 proto ipv6-icmp all icmp6-type unreach keep state
pass quick inet6 proto ipv6-icmp all icmp6-type toobig keep state
pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
pass quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state
# Link-local <-> link-local and link-local <-> multicast ICMPv6, outbound.
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state
# Same set inbound.
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbrsol keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbradv keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state
# Port 0 is never valid as a TCP/UDP source or destination.
block drop log quick inet proto tcp from any port = 0 to any label "Block traffic from port 0"
block drop log quick inet proto udp from any port = 0 to any label "Block traffic from port 0"
block drop log quick inet proto tcp from any to any port = 0 label "Block traffic to port 0"
block drop log quick inet proto udp from any to any port = 0 label "Block traffic to port 0"
block drop log quick inet6 proto tcp from any port = 0 to any label "Block traffic from port 0"
block drop log quick inet6 proto udp from any port = 0 to any label "Block traffic from port 0"
block drop log quick inet6 proto tcp from any to any port = 0 label "Block traffic to port 0"
block drop log quick inet6 proto udp from any to any port = 0 label "Block traffic to port 0"
# IDS-populated block table (source missing in this dump; see header note).
block drop log quick from to any label "Block snort2c hosts"
block drop log quick from any to label "Block snort2c hosts"
# Brute-force lockout tables for SSH and the web GUI (source missing; see
# header note). NOTE(review): the GUI lockout and the anti-lockout rule
# further down both reference only "port = http", which suggests the web
# configurator is served over plain HTTP - confirm, and prefer HTTPS so GUI
# credentials are not sent in clear on the LAN.
block drop in log quick proto tcp from to (self) port = ssh label "sshlockout"
block drop in log quick proto tcp from to (self) port = http label "webConfiguratorlockout"
block drop in log quick from to any label "virusprot overload table"
# Bogon tables on the hn0 uplink (source missing; see header note).
block drop in log quick on hn0 from to any label "block bogon IPv4 networks from WAN"
block drop in log quick on hn0 from to any label "block bogon IPv6 networks from WAN"
# Anti-spoofing for hn0: its subnet is only accepted on hn0, and nothing may
# claim the firewall's own hn0 address or link-local address as source.
block drop in log on ! hn0 inet from 138.201.100.136/29 to any
block drop in log inet from 138.201.100.138 to any
block drop in log on hn0 inet6 from fe80::250:56ff:fe00:9610 to any
# RFC 1918 / loopback / ULA sources are dropped on the hn0 uplink.
# NOTE(review): these private-network blocks and the bogon blocks above are
# bound to hn0 only. hn3 has its own public /27, gateway (148.251.68.193,
# used by route-to/reply-to rules below) and SMTP forward, so it looks like a
# second uplink, yet it gets no equivalent rules - confirm whether that is
# intentional.
block drop in log quick on hn0 inet from 10.0.0.0/8 to any label "Block private networks from WAN block 10/8"
block drop in log quick on hn0 inet from 127.0.0.0/8 to any label "Block private networks from WAN block 127/8"
block drop in log quick on hn0 inet from 172.16.0.0/12 to any label "Block private networks from WAN block 172.16/12"
block drop in log quick on hn0 inet from 192.168.0.0/16 to any label "Block private networks from WAN block 192.168/16"
block drop in log quick on hn0 inet6 from fc00::/7 to any label "Block ULA networks from WAN block fc00::/7"
# Anti-spoofing for hn1 (192.168.1.0/24).
block drop in log on ! hn1 inet from 192.168.1.0/24 to any
block drop in log inet from 192.168.1.1 to any
block drop in log on hn1 inet6 from fe80::215:5dff:fe44:e204 to any
# DHCP server on hn1: discover/request from clients, offers/acks back out.
# No equivalent rules exist for hn2, so presumably no DHCP service is
# offered there.
pass in quick on hn1 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
pass in quick on hn1 inet proto udp from any port = bootpc to 192.168.1.1 port = bootps keep state label "allow access to DHCP server"
pass out quick on hn1 inet proto udp from 192.168.1.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
# Anti-spoofing for hn2 (192.168.2.0/24).
block drop in log on ! hn2 inet from 192.168.2.0/24 to any
block drop in log inet from 192.168.2.1 to any
block drop in log on hn2 inet6 from fe80::215:5dff:fe44:e207 to any
# Anti-spoofing for hn3 (148.251.68.192/27).
block drop in log on ! hn3 inet from 148.251.68.192/27 to any
block drop in log inet from 148.251.68.211 to any
block drop in log on hn3 inet6 from fe80::250:56ff:fe00:5afd to any
# Loopback is unrestricted.
pass in on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
pass out on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
pass in on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
pass out on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
# The firewall host itself may originate anything. Traffic sourced from a
# WAN address and not destined for that WAN's own subnet is pinned to that
# uplink's gateway (route-to) so replies leave via the matching interface.
pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"
pass out route-to (hn0 138.201.100.137) inet from 138.201.100.138 to ! 138.201.100.136/29 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
pass out route-to (hn3 148.251.68.193) inet from 148.251.68.211 to ! 148.251.68.192/27 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
# GUI reachable from hn1 regardless of user rules (see HTTP note above).
pass in quick on hn1 proto tcp from any to (hn1) port = http flags S/SA keep state label "anti-lockout rule"
# Pass for the reflected POP3S connections tagged by the hn1/hn2 rdr rules.
# Not bound to an interface, but only tagged packets can match it.
pass in inet all flags S/SA keep state label "NAT REFLECT: Allow traffic to localhost" tagged PFREFLECT
anchor "userrules/*" all
# Pass rules matching the rdr forwards above. reply-to keeps return traffic
# on the uplink the connection arrived on. Sources are "any"; see the RDP
# exposure note on the rdr rules.
pass in quick on hn0 reply-to (hn0 138.201.100.137) inet proto tcp from any to 192.168.1.100 port = rdp flags S/SA keep state label "USER_RULE: NAT RDP MSSQL "
pass in quick on hn0 reply-to (hn0 138.201.100.137) inet proto tcp from any to 192.168.1.101 port = rdp flags S/SA keep state label "USER_RULE: NAT RDP ICShipBrokers"
pass in quick on hn0 reply-to (hn0 138.201.100.137) inet proto tcp from any to 192.168.1.100 port = smtp flags S/SA keep state label "USER_RULE: NAT SMTP MSSQL "
pass in quick on hn0 reply-to (hn0 138.201.100.137) inet proto tcp from any to 192.168.1.100 port = 8093 flags S/SA keep state label "USER_RULE: NAT APP ICShipBrokers MSSQL "
pass in quick on hn0 reply-to (hn0 138.201.100.137) inet proto tcp from any to 192.168.1.100 port = pop3s flags S/SA keep state label "USER_RULE: NAT Forsa MSSQL "
# LAN egress policy: destinations in the negate table (missing here; see
# header note) are passed without policy routing, everything else from hn1
# is forced out via hn0's gateway and everything from hn2 via hn3's gateway.
pass in quick on hn1 inet from 192.168.1.0/24 to flags S/SA keep state label "NEGATE_ROUTE: Negate policy routing for destination"
pass in quick on hn1 route-to (hn0 138.201.100.137) inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
pass in quick on hn2 inet from 192.168.2.0/24 to flags S/SA keep state label "NEGATE_ROUTE: Negate policy routing for destination"
pass in quick on hn2 route-to (hn3 148.251.68.193) inet from 192.168.2.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
# Pass for the hn3 SMTP forward to 192.168.2.100.
pass in quick on hn3 reply-to (hn3 148.251.68.193) inet proto tcp from any to 192.168.2.100 port = smtp flags S/SA keep state label "USER_RULE: NAT SMTP2 MSSQL "
anchor "tftp-proxy/*" all