In the following snippet, the match rule dictates that every packet passing out through the external or egress interface will undergo Network Address Translation.
Code:
match out inet from ! (egress) to any nat-to (egress)
block log all
pass out quick on egress inet proto udp from any to any port = 53
pass out quick on egress inet proto tcp from any to any port = 53
pass out quick on egress inet proto tcp from any to any port = 80
Because I have a block log all policy, I need pass rules to actually allow selected types of packets to go out.
Once they are allowed to pass, the match rule kicks in and does the NAT.
BTW, have you seen http://www.openbsd.org/faq/pf/nat.html ?
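An added example, not part of the original post: a simplified Python model of how pf evaluates the ruleset above for packets leaving via egress (last matching rule wins, quick stops evaluation, nat-to on a match rule is sticky). The egress address 203.0.113.1 and the sample packets are constructed, and the model covers only the fields these rules use.

```python
# Simplified model of pf rule evaluation for packets going out on egress.
# Assumptions (not from the post): EGRESS_IP and the sample packets are constructed.
EGRESS_IP = "203.0.113.1"

# Each rule: (action, quick, proto or None, dst port or None)
RULES = [
    ("match", False, None, None),   # match out inet from ! (egress) to any nat-to (egress)
    ("block", False, None, None),   # block log all
    ("pass",  True,  "udp", 53),    # pass out quick on egress ... udp port 53
    ("pass",  True,  "tcp", 53),    # pass out quick on egress ... tcp port 53
    ("pass",  True,  "tcp", 80),    # pass out quick on egress ... tcp port 80
]

def evaluate(src, proto, dport):
    """Return (verdict, source address seen on the wire, or None if blocked)."""
    verdict = "pass"      # pf's implicit default when no block/pass rule matches
    cur_src = src
    for action, quick, r_proto, r_port in RULES:
        if r_proto is not None and r_proto != proto:
            continue
        if r_port is not None and r_port != dport:
            continue
        if action == "match":
            # "from ! (egress)": only sources other than the egress address match.
            # A match rule never changes the verdict; it only sets nat-to,
            # and rules evaluated after it see the translated source.
            if cur_src != EGRESS_IP:
                cur_src = EGRESS_IP
            continue
        verdict = action          # last matching block/pass rule wins ...
        if quick:
            break                 # ... unless a quick rule ends evaluation early
    return (verdict, cur_src if verdict == "pass" else None)

if __name__ == "__main__":
    samples = [
        ("192.168.1.10", "udp", 53),   # LAN client DNS lookup
        ("192.168.1.10", "tcp", 443),  # LAN client HTTPS, no pass rule for it
        (EGRESS_IP, "tcp", 80),        # traffic from the firewall itself
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(*pkt))
```

The HTTPS packet matches the NAT rule but is still dropped by block log all, since only the listed pass rules let traffic out.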