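# First declare a couple of variables for use throughout this file.
# pf expands each macro textually wherever $name appears below.
EXTusr1 = "172.16.15.231"
EXTusr2 = "172.31.200.8"
EXTusr3 = "172.27.22.22" # Please check Server1:/etc/rc.local
INTusr1 = "192.168.2.6"
INTusr2 = "192.168.2.7"
Int_IP = "192.168.2.8"
Server1 = "192.168.2.9"

intNET = "192.168.2.0/24"

extIF = "rl0"
intIF = "xl0"

VNC = "5900"

# Normalize: reassemble fragments and resolve or reduce traffic ambiguities
scrub in all

#### NAT and RDR rules ####
# Translation is applied before filtering, so the filter rules further
# down see the translated (internal) destination of redirected packets.
# We will translate all packets going out rl0 coming from 192.168.2.0/24
# to the address of the rl0 interface.
nat on $extIF from $intNET to any -> $extIF

# Port forwardings for John, Pete and Nancy. Each redirect only matches a
# single external source address; the corresponding "pass in" rules live
# in the filter section below.
rdr on $extIF proto tcp from $EXTusr1 to $extIF port www -> $INTusr1 port www
rdr on $extIF proto tcp from $EXTusr2 to $extIF port $VNC -> $INTusr2 port $VNC
rdr on $extIF proto tcp from $EXTusr3 to $extIF port ssh -> $Server1 port ssh
rdr on $extIF proto tcp from $EXTusr3 to $extIF port www -> $Int_IP port www

#### filter rules ####
# Unless a rule carries "quick", the LAST matching rule wins, so the
# specific "pass" rules below override the general "block" on $extIF.
# Let's just trust localhost (we run OpenBSD for a reason)
pass in quick on lo0 from any to lo0
pass out quick on lo0 from any to lo0

# By default, we will block everyone entering our system over the internet.
# Only $extIF gets a default block here; traffic arriving on $intIF is
# passed unless one of the rules below says otherwise.
block in log on $extIF all
pass out on $extIF proto { tcp, udp, icmp } all keep state

# We will also do antispoof on all interfaces
antispoof for $extIF
antispoof for $intIF

# This should be a mailserver, so accept connections to port 25
pass in on $extIF proto tcp from any to $extIF port smtp keep state
pass in on $intIF proto tcp from $intNET to $intIF port smtp keep state

# POP3S mail... (this is actually normal pop3 guarded by an stunnel).
# Bound to the external interface and the firewall's own address, like the
# smtp rules above, so it cannot pass pop3s to any other destination.
pass in on $extIF proto tcp from any to $extIF port pop3s keep state
pass in on $intIF proto tcp from $intNET to any port pop3 keep state

# Accept incoming ssh connections from Johns and Petes home system
pass in on $extIF proto tcp from $EXTusr1 to $extIF port ssh keep state
pass in on $extIF proto tcp from $EXTusr2 to $extIF port ssh keep state

# Pass connections that get forwarded by the RDR rules. The destination is
# the internal address, because rdr has already rewritten it by now.
pass in on $extIF proto tcp from $EXTusr1 to $INTusr1 port www keep state
pass in on $extIF proto tcp from $EXTusr2 to $INTusr2 port $VNC keep state
pass in on $extIF proto tcp from $EXTusr3 to $Server1 port ssh keep state
pass in on $extIF proto tcp from $EXTusr3 to $Int_IP port www keep state

# Reject ident lookups with a TCP reset (for mail retrieval and delivery),
# so remote mail servers fail fast instead of waiting for a timeout.
block return-rst in on $extIF inet proto tcp from any to $extIF port auth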

Please note that all IPs and names have been altered to protect the innocent ;)
