set block-policy return
set skip on lo0

match in all scrub (no-df)
block in all
pass out all

pass in quick inet proto icmp all
pass in quick inet6 proto icmp6 all

<% @firewall_rules.each do |rule| -%>
<%   rule = /(tcp|udp)\/([\d:]+)( .+)?/.match(rule) -%>
pass in quick proto <%= rule[1] %><% if rule[3] %> from<%= rule[3] %><% end %> to port <%= rule[2] %>
<% end -%>
<% @firewall_custom.each do |rule| -%>
<%= rule %>
<% end -%>