utunInterfaces = "{                                                                         \
    utun0, utun1, utun2, utun3, utun4, utun5, utun6, utun7, utun8, utun9,   utun10,         \
    utun11, utun12, utun13, utun14, utun15, utun16, utun17, utun18, utun19, utun20,         \
    utun21, utun22, utun23, utun24, utun25, utun26, utun27, utun28, utun29, utun30          \
}"

hnsdGroup=amnhnsd

# Block everything from handshake group
# Without this initial block hnsd traffic could possibly travel outside the tunnel (we don't trust the routing table)
block return out group $hnsdGroup flags any no state

# Next, poke a hole in this block but only for traffic on the tunnel (port 13038 is the handshake control port)
pass out on $utunInterfaces proto { tcp, udp } to port { 53, 13038 } group $hnsdGroup flags any no state