scrub on rl1 all fragment reassemble
scrub on rl0.107 all fragment reassemble
scrub on rl0.2 all fragment reassemble
scrub on rl0.101 all fragment reassemble
scrub on rl0.102 all fragment reassemble
scrub on rl0.103 all fragment reassemble
scrub on rl0.104 all fragment reassemble
scrub on rl0.105 all fragment reassemble
scrub on rl0.106 all fragment reassemble
scrub on rl0.108 all fragment reassemble
scrub on rl0.109 all fragment reassemble
scrub on rl0.110 all fragment reassemble
anchor "relayd/*" all
anchor "openvpn/*" all
anchor "ipsec/*" all
block drop in log quick inet from 169.254.0.0/16 to any label "Block IPv4 link-local"
block drop in log quick inet from any to 169.254.0.0/16 label "Block IPv4 link-local"
block drop in log inet all label "Default deny rule IPv4"
block drop out log inet all label "Default deny rule IPv4"
block drop in log inet6 all label "Default deny rule IPv6"
block drop out log inet6 all label "Default deny rule IPv6"
pass quick inet6 proto ipv6-icmp all icmp6-type unreach keep state
pass quick inet6 proto ipv6-icmp all icmp6-type toobig keep state
pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
pass quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbrsol keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbradv keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type echoreq keep state
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type routersol keep state
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type routeradv keep state
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type neighbrsol keep state
pass in quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type neighbradv keep state
block drop log quick inet proto tcp from any port = 0 to any label "Block traffic from port 0"
block drop log quick inet proto udp from any port = 0 to any label "Block traffic from port 0"
block drop log quick inet proto tcp from any to any port = 0 label "Block traffic to port 0"
block drop log quick inet proto udp from any to any port = 0 label "Block traffic to port 0"
block drop log quick inet6 proto tcp from any port = 0 to any label "Block traffic from port 0"
block drop log quick inet6 proto udp from any port = 0 to any label "Block traffic from port 0"
block drop log quick inet6 proto tcp from any to any port = 0 label "Block traffic to port 0"
block drop log quick inet6 proto udp from any to any port = 0 label "Block traffic to port 0"
block drop log quick from to any label "Block snort2c hosts"
block drop log quick from any to label "Block snort2c hosts"
block drop in log quick proto tcp from to (self) port = ssh label "sshguard"
block drop in log quick proto tcp from to (self) port = https label "GUI Lockout"
block drop in log quick from to any label "virusprot overload table"
block drop in log on ! rl1 inet from 192.168.1.0/24 to any
block drop in log inet from 192.168.1.205 to any
block drop in log on rl1 inet6 from fe80::2e0:53ff:fe0b:10dd to any
block drop in log on ! rl0.107 inet from 10.0.107.0/24 to any
block drop in log inet from 10.0.107.254 to any
block drop in log on rl0.107 inet6 from fe80::9ed6:43ff:fe63:b813 to any
pass quick on rl0.107 inet6 proto udp from fe80::/10 to fe80::/10 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
pass quick on rl0.107 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
pass quick on rl0.107 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-server keep state label "allow access to DHCPv6 server"
pass quick on rl0.107 inet6 proto udp from ff02::/16 to fe80::/10 port = dhcpv6-server keep state label "allow access to DHCPv6 server"
block drop in log on ! rl0.110 inet from 192.168.0.0/24 to any
block drop in log inet from 192.168.0.254 to any
block drop in log on rl0.110 inet6 from fe80::9ed6:43ff:fe63:b813 to any
pass in on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
pass out on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
pass in on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
pass out on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"
pass out route-to (rl1 192.168.1.1) inet from 192.168.1.205 to ! 192.168.1.0/24 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
pass in quick on rl0.107 proto tcp from any to (rl0.107) port = https flags S/SA keep state label "anti-lockout rule"
pass in quick on rl0.107 proto tcp from any to (rl0.107) port = http flags S/SA keep state label "anti-lockout rule"
pass in quick on rl0.107 proto tcp from any to (rl0.107) port = ssh flags S/SA keep state label "anti-lockout rule"
anchor "userrules/*" all
block drop on rl1 inet6 proto ipv6 all label "USER_RULE: block ipv6"
block drop on rl0.107 inet6 proto ipv6 all label "USER_RULE: block ipv6"
block drop on rl0.2 inet6 proto ipv6 all label "USER_RULE: block ipv6"
block drop on rl0.101 inet6 proto ipv6 all label "USER_RULE: block ipv6"
block drop on rl0.102 inet6 proto ipv6 all label "USER_RULE: block ipv6"
block drop on rl0.103 inet6 proto ipv6 all label "USER_RULE: block ipv6"
block drop on rl0.104 inet6 proto ipv6 all label "USER_RULE: block ipv6"
block drop on rl0.105 inet6 proto ipv6 all label "USER_RULE: block ipv6"
block drop on rl0.106 inet6 proto ipv6 all label "USER_RULE: block ipv6"
block drop on rl0.108 inet6 proto ipv6 all label "USER_RULE: block ipv6"
block drop on rl0.109 inet6 proto ipv6 all label "USER_RULE: block ipv6"
block drop on rl0.110 inet6 proto ipv6 all label "USER_RULE: block ipv6"
pass in quick on pppoe inet all flags S/SA keep state label "USER_RULE"
pass in quick on rl0.107 inet proto tcp from any to 10.0.107.254 port = 7445 flags S/SA keep state label "USER_RULE"
block return in quick on rl0.107 inet all label "USER_RULE"
block return in quick on rl0.107 inet6 all label "USER_RULE"
block return in log quick on rl0.110 inet proto tcp from ! 192.168.0.0/24 to any label "USER_RULE"
block return in log quick on rl0.110 inet proto udp from ! 192.168.0.0/24 to any label "USER_RULE"
pass in quick on rl0.110 inet from any to 192.168.0.0/24 flags S/SA keep state label "USER_RULE"
pass in quick on rl0.110 inet from 192.168.0.0/24 to any flags S/SA keep state label "USER_RULE"
anchor "tftp-proxy/*" all
pass in quick on rl0.107 proto tcp from any to (rl0.107) port = 3128 flags S/SA keep state
pass in quick on rl0.2 proto tcp from any to (rl0.2) port = 3128 flags S/SA keep state
pass in quick on rl0.109 proto tcp from any to (rl0.109) port = 3128 flags S/SA keep state
pass in quick on rl0.110 proto tcp from any to (rl0.110) port = 3128 flags S/SA keep state
pass in quick on rl0.101 proto tcp from any to (rl0.101) port = 3128 flags S/SA keep state
pass in quick on rl0.102 proto tcp from any to (rl0.102) port = 3128 flags S/SA keep state
pass in quick on rl0.103 proto tcp from any to (rl0.103) port = 3128 flags S/SA keep state
pass in quick on rl0.104 proto tcp from any to (rl0.104) port = 3128 flags S/SA keep state
pass in quick on rl0.105 proto tcp from any to (rl0.105) port = 3128 flags S/SA keep state
pass in quick on rl0.106 proto tcp from any to (rl0.106) port = 3128 flags S/SA keep state
pass in quick on rl0.108 proto tcp from any to (rl0.108) port = 3128 flags S/SA keep state
pass in quick on rl0.107 proto tcp from any to (rl0.107) port = 3129 flags S/SA keep state
pass in quick on rl0.2 proto tcp from any to (rl0.2) port = 3129 flags S/SA keep state
pass in quick on rl0.109 proto tcp from any to (rl0.109) port = 3129 flags S/SA keep state
pass in quick on rl0.110 proto tcp from any to (rl0.110) port = 3129 flags S/SA keep state
pass in quick on rl0.101 proto tcp from any to (rl0.101) port = 3129 flags S/SA keep state
pass in quick on rl0.102 proto tcp from any to (rl0.102) port = 3129 flags S/SA keep state
pass in quick on rl0.103 proto tcp from any to (rl0.103) port = 3129 flags S/SA keep state
pass in quick on rl0.104 proto tcp from any to (rl0.104) port = 3129 flags S/SA keep state
pass in quick on rl0.105 proto tcp from any to (rl0.105) port = 3129 flags S/SA keep state
pass in quick on rl0.106 proto tcp from any to (rl0.106) port = 3129 flags S/SA keep state
pass in quick on rl0.108 proto tcp from any to (rl0.108) port = 3129 flags S/SA keep state