wan = em0
lan = stge0

#----------------------------------
# Defaults
#----------------------------------
pass out keep state

set skip on lo
set block-policy return
set reassemble yes

block in all
block return

match in on $wan scrub (no-df max-mss 1440)
match out on $wan scrub (random-id)

antispoof quick for { $wan lo0 }

#----------------------------------
# Input
#----------------------------------
pass quick on $lan
pass in quick proto tcp to $wan port 22 keep state
pass in quick on $lan

#----------------------------------
# Output
#----------------------------------
pass out on $lan inet keep state

#----------------------------------
# NAT
#----------------------------------
match out on $wan from !($wan) nat-to ($wan)

# Allow outgoing traffic for LAN and the gateway
pass out quick keep state
pass in on { $lan } inet