Stuff

ext_if="em0";
vpn_if="tun0";

set skip on lo;
scrub in;

nat on $ext_if from !($ext_if) -> ($ext_if);

block in log

pass out keep state
pass in on $vpn_if keep state
pass in on $ext_if proto udp to ($ext_if) port 80
pass out proto icmp keep state
pass in proto icmp keep state
pass in on $ext_if proto tcp to ($ext_if) port ssh