diff --git a/firewall/templates/pf.conf.erb b/firewall/templates/pf.conf.erb
index 71acd23..f99a46b 100644
--- a/firewall/templates/pf.conf.erb
+++ b/firewall/templates/pf.conf.erb
@@ -1,12 +1,9 @@
-# options
 set block-policy return
 set skip on lo0
 
-# scrub
-scrub in all no-df
-
-# filter rules
-block all
+match in all scrub (no-df)
+block in all
+pass out all
 
 pass in quick inet proto icmp all
 pass in quick inet6 proto icmp6 all
@@ -18,5 +15,3 @@ pass in quick proto <%= rule[1] %><% if rule[3] %> from<%= rule[3] %><% end %> t
 <% firewall_custom.each do |rule| -%>
 <%= rule %>
 <% end -%>
-
-pass out quick all