--- /etc/rc.d/pf.orig 2021-06-04 09:34:27.251413000 +0000
+++ /etc/rc.d/pf 2021-06-10 19:55:28.346618000 +0000
@@ -29,7 +29,21 @@
 {
 check_startmsgs && echo -n 'Enabling pf'
 $pf_program -F all > /dev/null 2>&1
- $pf_program -f "$pf_rules" $pf_flags
+ if ! $pf_program -f "$pf_rules" $pf_flags ; then
+ if checkyesno pf_default_rules_enable; then
+ warn "Unable to load $pf_rules and pf_default_rules_enable is set to YES."
+ if [ -f $pf_default_rules_file ]; then
+ warn "Loading pf_default_rules_file: $pf_default_rules_file"
+ $pf_program -f $pf_default_rules_file $pf_flags
+ else
+ warn "pf_default_rules_file $pf_default_rules_file not found, looading pf_default_rules: $pf_default_rules"
+ echo -e $pf_default_rules | $pf_program -f - $pf_flags
+ fi
+ else
+ warn "Unable to load $pf_rules and pf_default_rules_enable is NO."
+ warn "No pf rules are loaded, this means all traffic is permitted."
+ fi
+ fi
 if ! $pf_program -s info | grep -q "Enabled" ; then
 $pf_program -eq
 fi
--- /etc/defaults/rc.conf.orig 2021-06-04 09:34:41.986350000 +0000
+++ /etc/defaults/rc.conf 2021-06-10 16:56:50.592526000 +0000
@@ -219,6 +219,10 @@
 # by default)
 pf_program="/sbin/pfctl" # where the pfctl program lives
 pf_flags="" # additional flags for pfctl
+pf_default_rules_enable="NO" # fallback to $pf_default_rules if loading ruleset fails
+pf_default_rules="block drop log all" # block and drop everything if loading pf ruleset fails
+#pf_default_rules="block drop log all\npass quick on em4" # sample with multiple rules
+pf_default_rules_file="/etc/pf-default.conf" # use this file if it exists and loading the primary fails
 pflog_enable="NO" # Set to YES to enable packet filter logging
 pflog_logfile="/var/log/pflog" # where pflogd should store the logfile
 pflog_program="/sbin/pflogd" # where the pflogd program lives
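Review bot: Neither fallback load inside the new `checkyesno pf_default_rules_enable` branch checks its exit status, so if `$pf_default_rules_file` or the inline `$pf_default_rules` also fails to parse, the `$pf_program -eq` below still enables pf on the ruleset that `$pf_program -F all` has just flushed, and the fail-closed intent silently becomes fail-open with no warning at all. The existing `warn "No pf rules are loaded, this means all traffic is permitted."` should fire on every path that ends without a loaded ruleset, not only when `pf_default_rules_enable` is NO. `$pf_default_rules_file` and `$pf_default_rules` are expanded unquoted in the `[ -f ... ]` test, the `pfctl -f` call and the `echo -e` pipeline; `[ -f $pf_default_rules_file ]` with an empty value is true, and `printf '%b\n'` is the portable way to expand the `\n` that the rc.conf sample value relies on. The message in the `else` branch also misspells "loading" as `looading`. The enclosing function begins before and continues after this hunk.
```shell
		if checkyesno pf_default_rules_enable; then
			warn "Unable to load $pf_rules and pf_default_rules_enable is set to YES."
			_pf_fallback_ok=0
			if [ -f "$pf_default_rules_file" ]; then
				warn "Loading pf_default_rules_file: $pf_default_rules_file"
				$pf_program -f "$pf_default_rules_file" $pf_flags && _pf_fallback_ok=1
			else
				warn "pf_default_rules_file $pf_default_rules_file not found, loading pf_default_rules: $pf_default_rules"
				# %b expands the backslash escapes (\n) that a multi-rule value carries
				printf '%b\n' "$pf_default_rules" | $pf_program -f - $pf_flags && _pf_fallback_ok=1
			fi
			if [ "$_pf_fallback_ok" -eq 0 ]; then
				warn "Fallback ruleset failed to load as well."
				warn "No pf rules are loaded, this means all traffic is permitted."
			fi
		else
		# … unchanged: pf_default_rules_enable=NO warnings …
```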
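Review bot: The comment on `pf_default_rules_enable` names `$pf_default_rules` as the fallback, but the matching rc.d/pf change in this diff tries `$pf_default_rules_file` first and only uses the inline rules when that file does not exist, so which knob a user must edit depends on whether /etc/pf-default.conf is present; say so where the switch is set, e.g. `pf_default_rules_enable="NO" # on ruleset load failure, load $pf_default_rules_file if it exists, else $pf_default_rules`. The commented sample `"block drop log all\npass quick on em4"` only works because the rc script passes the value through `echo -e`, so the comment should state that backslash escapes in the value are expanded. Note also that `block drop log all` as written applies to every interface, loopback included, so a host that falls back to it loses local-socket traffic as well as remote access; whether to prepend `set skip on lo0` is a policy choice worth stating in the comment.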