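# Resolver that redirected DNS queries are sent to
dns_server = "9.9.9.9"

# No filtering on loopback or re0
set skip on lo
set skip on re0

# Default deny, logged
block drop log all

# Outbound traffic on the egress interface group
pass out on egress

# NAT traffic from 100.64.0.0/10 leaving via egress
match out on egress from 100.64.0.0/10 to any nat-to (egress)

# Inbound traffic from 100.64.0.0/10
pass in from 100.64.0.0/10 to any

# Redirect DNS from 100.64.0.0/10 to $dns_server, whatever its destination
pass in proto { udp tcp } from 100.64.0.0/10 to any port domain \
    rdr-to $dns_server port domain

# SSH from anywhere to the egress addresses
pass quick proto tcp from any to egress port ssh flags S/SA keep state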