default_device = "en99"

set block-policy drop
set skip on lo0

# block all traffic on default device
block out on $default_device all

# allow traffic to gateways
pass out on $default_device to <bitmask_gateways>

# allow traffic to local networks over the default device
pass out on $default_device to $default_device:network

# block all DNS, except to the gateways
block out proto udp to any port 53
pass out proto udp to <bitmask_gateways> port 53