dns_server=9.9.9.9
set skip on lo
set skip on re0
block drop log all
pass out on egress
pass in on tap
match out on egress from 100.64.0.0/10 to any nat-to (egress)
pass in proto { udp tcp } from 100.64.0.0/10 to any port domain \
        rdr-to $dns_server port domain
pass proto tcp from any to egress port ssh