# Block all traffic by default, until overridden below
block

# Always block direct connections to Tor's proxies to enforce whitelist
block return out quick on lo0 proto tcp to port 9040
block return out quick on lo0 proto udp to port 9053

# Always allow loopback traffic (bypassing the rest of the ruleset),
# except for DNS to allow redirecting localhost DNS lookups to Tor's DNS
# Non-redirected localhost DNS lookups are blocked by default
match out on lo0 proto { tcp udp } to port domain tag "LOCALDNS"
pass quick on lo0 !tagged "LOCALDNS"

# Allow IPv6 LAN control messages
pass inet6 proto icmp6 to { ff02::/16 fe80::/10 }
pass in inet6 proto icmp6 from fe80::/10 icmp6-type redir

# Proxy TCP traffic through Tor
match out proto tcp user $tor_users tag "TCP"
pass out inet route-to 127.0.0.2 tagged "TCP"
pass out inet6 route-to 2001:db8::1 tagged "TCP"
pass in on lo1 inet proto tcp divert-to 127.0.0.1 port 9040
pass in on lo1 inet6 proto tcp divert-to ::1 port 9040

# Proxy DNS traffic through Tor
match out proto udp to port domain user $tor_users tag "DNS"
pass out inet rdr-to 127.0.0.1 port 9053 tagged "DNS"
pass out inet6 rdr-to ::1 port 9053 tagged "DNS"

# Allow tor(1) traffic
pass out proto tcp user _tor

# Allow ntpd(8) time synchronization
pass out proto { tcp udp } to port { ntp domain } user _ntp
pass out proto tcp to port https user _ntp

# Allow unwind(8) DNS lookups
pass out proto { tcp udp } to port { domain domain-s } user _unwind
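The ruleset above relies on three things holding together: the leading unconditional `block`, the `quick` blocks on lo0 that keep anything from reaching Tor's TransPort (9040) and DNSPort (9053) except through the tag/divert path, and every `tag` having a matching `tagged` rule. It also references the macro `$tor_users`, which the fragment itself never assigns, so it will not load until `tor_users = "{ ... }"` is defined above it. The following added example (not part of the original ruleset, and not a substitute for `pfctl -nf /etc/pf.conf` on the host) is a small offline linter that re-reads the fragment, pasted below as a constructed string with comments dropped, and reports any of those invariants that fail. The port numbers and the undefined-macro expectation are taken from the ruleset above; the finding strings are this example's own.

```python
"""Static sanity checks for a pf(4) transparent-Tor ruleset.

Added example, not part of the original ruleset: it re-reads the fragment
(pasted here as a constructed string, comments dropped) and checks the
invariants the fragment's comments promise, without needing pfctl(8).
"""
import re

# Constructed copy of the ruleset above, comments removed.
RULESET = """\
block
block return out quick on lo0 proto tcp to port 9040
block return out quick on lo0 proto udp to port 9053
match out on lo0 proto { tcp udp } to port domain tag "LOCALDNS"
pass quick on lo0 !tagged "LOCALDNS"
pass inet6 proto icmp6 to { ff02::/16 fe80::/10 }
pass in inet6 proto icmp6 from fe80::/10 icmp6-type redir
match out proto tcp user $tor_users tag "TCP"
pass out inet route-to 127.0.0.2 tagged "TCP"
pass out inet6 route-to 2001:db8::1 tagged "TCP"
pass in on lo1 inet proto tcp divert-to 127.0.0.1 port 9040
pass in on lo1 inet6 proto tcp divert-to ::1 port 9040
match out proto udp to port domain user $tor_users tag "DNS"
pass out inet rdr-to 127.0.0.1 port 9053 tagged "DNS"
pass out inet6 rdr-to ::1 port 9053 tagged "DNS"
pass out proto tcp user _tor
pass out proto { tcp udp } to port { ntp domain } user _ntp
pass out proto tcp to port https user _ntp
pass out proto { tcp udp } to port { domain domain-s } user _unwind
"""

TOR_PORTS = (9040, 9053)  # TransPort and DNSPort used by the ruleset above


def parse_rules(text):
    """Return the non-empty, comment-free rule lines of a pf.conf fragment."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rules.append(line)
    return rules


def undefined_macros(rules):
    """Macros referenced as $name but never assigned with name=... ."""
    defined = {m.group(1) for r in rules for m in [re.match(r"(\w+)\s*=", r)] if m}
    used = {m for r in rules for m in re.findall(r"\$(\w+)", r)}
    return sorted(used - defined)


def dangling_tags(rules):
    """(tags set but never matched, tags matched but never set)."""
    setters = {t for r in rules for t in re.findall(r'\btag\s+"(\w+)"', r)}
    matchers = {t for r in rules for t in re.findall(r'\btagged\s+"(\w+)"', r)}
    return sorted(setters - matchers), sorted(matchers - setters)


def has_default_block(rules):
    """pf is last-match-wins, so an opening unconditional block means
    anything not explicitly passed later stays blocked."""
    return bool(rules) and rules[0] in ("block", "block all")


def unblocked_direct_ports(rules, ports=TOR_PORTS):
    """Ports lacking a `block ... quick on lo0 ... port N` rule, i.e. Tor
    listeners reachable on loopback without passing through the tag rules."""
    missing = []
    for port in ports:
        pat = re.compile(rf"^block\b.*\bquick\b.*\bon lo0\b.*\bport {port}$")
        if not any(pat.match(r) for r in rules):
            missing.append(port)
    return missing


def lint(text):
    """Run all checks; an empty list means the fragment is self-consistent."""
    rules = parse_rules(text)
    findings = []
    if not has_default_block(rules):
        findings.append("no default block rule at top of ruleset")
    for name in undefined_macros(rules):
        findings.append(f"undefined macro: ${name}")
    unmatched, unset = dangling_tags(rules)
    findings += [f"tag never matched: {t}" for t in unmatched]
    findings += [f"tagged but never set: {t}" for t in unset]
    for port in unblocked_direct_ports(rules):
        findings.append(f"direct access to port {port} on lo0 is not blocked")
    return findings


if __name__ == "__main__":
    for finding in lint(RULESET) or ["ruleset passes all checks"]:
        print(finding)
```

Run against the fragment as pasted, the only finding is the undefined `$tor_users` macro; deleting one of the `quick` block lines or the `!tagged "LOCALDNS"` pass rule makes the corresponding check fire, which is the kind of regression worth catching before the rules are loaded.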