# options
set block-policy return
set skip on lo0

# scrub
scrub in all no-df

# filter rules
block all

pass in quick inet proto icmp all
pass in quick inet6 proto icmp6 all

<% firewall_rules.each do |rule| -%>
<%   rule = /(tcp|udp)\/(\d+)( .+)?/.match(rule) -%>
pass in quick proto <%= rule[1] %><% if rule[3] %> from<%= rule[3] %><% end %> to port <%= rule[2] %>
<% end -%>
<% firewall_custom.each do |rule| -%>
<%= rule %>
<% end -%>

pass out quick all