$(if [ -n "${pf_egress_interfaces:-}" ]; then
    printf 'egress = "{ %s }"\n' "$(join ', ' $pf_egress_interfaces)"
  else
    printf 'egress = "%s"\n' "$BOXCONF_DEFAULT_INTERFACE"
  fi)
allowed_tcp_ports = "{ $(join ', ' ${allowed_tcp_ports:-}) }"
allowed_udp_ports = "{ $(join ', ' ${allowed_udp_ports:-}) }"

$([ "${acme_standalone:-}" = true ] && cat <<EOF
acme_standalone_port = ${acme_standalone_port}
acme_standalone_user = $(id -u "$acme_user")
EOF
)
nfscbd_port = ${nfscbd_port}

set block-policy return
set skip on lo
$([ -n "${pf_skip_interfaces:-}" ] && printf \
  'set skip on %s\n' $pf_skip_interfaces)

scrub in on \$egress all fragment reassemble

$([ "${acme_standalone:-}" = true ] && echo \
  'rdr on $egress inet proto tcp to port http -> ($egress) port $acme_standalone_port'

[ -n "${redirect_tcp_ports:-}" ] && printf \
  'rdr on $egress inet proto tcp to port %s -> ($egress) port %s\n' $redirect_tcp_ports

[ -n "${redirect_udp_ports:-}" ] && printf \
  'rdr on $egress inet proto udp to port %s -> ($egress) port %s\n' $redirect_udp_ports)

antispoof quick for \$egress

block all
pass out quick on \$egress inet
pass in quick on \$egress inet proto icmp all icmp-type { echoreq, unreach }

$([ "${acme_standalone:-}" = true ] && echo \
  'pass in quick on $egress inet proto tcp to port $acme_standalone_port user $acme_standalone_user'

[ -n "${allowed_tcp_ports:-}" ] && echo \
  'pass in quick on $egress inet proto tcp to port $allowed_tcp_ports'

[ -n "${allowed_udp_ports:-}" ] && echo \
  'pass in quick on $egress inet proto udp to port $allowed_udp_ports'

[ "$BOXCONF_VIRTUALIZATION_TYPE" == jail ] || echo \
  'pass in quick on $egress inet proto { tcp, udp } to port $nfscbd_port'

for user in ${syncthing_users:-}; do uid=$(id -u "$user"); eval "port=\$syncthing_${user}_port"; printf \
  'pass in quick on $egress inet proto { tcp, udp } to port %s user %s\n' "$port" "$(id -u "$user")"
done)