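## OpenBSD: pf.conf
## See pf.conf(5) and /usr/share/pf for syntax and examples.
##
## Ruleset order (options, normalization, translation, filtering) matters
## for the nat/rdr style used here; this is the pre-OpenBSD 4.7 syntax
## (newer releases express nat/rdr as match/pass options instead).

## Macros: define network interfaces, so they can be changed easily.
ext_if = "rl0"
int_if = "fxp0"
internal_net = "192.168.0.0/24"
## VPN gateway address: the ESP rules below are tied to this host only.
gwa = "192.168.245.2"
## Note: neta is the same prefix as internal_net; both are kept because
## the NAT rule uses internal_net and the VPN rules use neta.
neta = "192.168.0.0/24"

## Tables: similar to macros, but more flexible for many addresses.
## NOTE(review): the table name did not survive the copy of this file
## (pf table names are written as <name>); restore the original name here
## and in the two block rules below before loading this ruleset.
## "persist" keeps the table even while no rule references it, so it can
## be filled at runtime with pfctl -t <name> -T add.
table <PLACEHOLDER_blocklist> persist

## Reassemble fragments and resolve or reduce traffic ambiguities.
## Applied to all incoming traffic so later rules see whole packets.
scrub in all fragment reassemble

## Translation: specify how addresses are to be mapped or redirected.
nat on $ext_if from $internal_net to any -> $ext_if
## rdr outgoing FTP requests to the ftp-proxy listening on localhost:8021
## (ftp-proxy then opens the data connections; see the last rule).
rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021

## Block and log
## Anything from or to the blocklist table is dropped and logged on both
## interfaces; "quick" stops evaluation so no later pass rule overrides it.
block drop in log quick on { $int_if, $ext_if } from <PLACEHOLDER_blocklist> to any
block drop out log quick on { $int_if, $ext_if } from any to <PLACEHOLDER_blocklist>

## Pass all legitimate traffic
## This ssh rule has no "on" clause, so it accepts SSH on every interface,
## including $ext_if, from any source. Restrict it (e.g. "on $int_if" or a
## table of trusted sources) if external SSH is not intended.
pass in proto tcp from any to any port ssh modulate state
## Inbound UDP 53 (DNS) and 500 (IKE) to the external address. 500 is
## needed for the VPN; 53 is only needed if this host serves DNS externally.
pass in on $ext_if proto udp from any to $ext_if port { 53, 500 } keep state
pass out on $ext_if proto { tcp, udp } all keep state

############################################
## Pass all VPN traffic
## ESP is accepted only between the outside and $gwa, and is logged.
pass in log on $ext_if proto esp from any to $gwa
pass out log on $ext_if proto esp from $gwa to any
pass in quick on $int_if from $neta to any
pass out quick on $int_if from any to $neta
## enc0 carries the decapsulated IPsec traffic. These two rules pass it
## unfiltered, so every VPN peer gets full access; add proto/port limits
## here if peers should not be fully trusted.
pass in on enc0
pass out on enc0

############################################
# pass incoming ports for ftp-proxy
# "user proxy" limits this to sockets owned by the proxy user, i.e. the
# data connections ftp-proxy opens; it does not open $ext_if generally.
pass in on $ext_if inet proto tcp from any to $ext_if user proxy modulate state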