This is the pf.conf I am using on my OpenBSD firewall. Although it does not match your specifications exactly, it will give you a start.
Code:
# pf.conf for UPC
services = "{ imaps, pop3, pop3s, domain, submission, www, cddb, 8080, https, \
whois, ssh, telnet, rsync, ftp, 5999, 6667, 1022, 5050 }"
set skip on lo0
# ---- external/egress interface
match out inet from ! egress to any nat-to (egress)
# --- anchor for misc purposes, like temporarily allowing outgoing ftp from firewall itself
anchor 'TMP'
# --- allow outgoing TCP
pass out quick on egress inet proto tcp from any to any port $services label "$nr:$proto:$dstport"
pass out quick log on egress inet proto tcp from any to any port smtp label "$nr:$proto:SMTP"
# --- ftp-proxy tags the ftp data connection packets. See /etc/rc.conf.local
#
pass out quick on egress inet tagged FTP_DATA label "$nr:$proto:FTP_DATA"
# --- allow outgoing UDP
pass out quick on egress inet proto udp from any to any port domain keep state label "$nr:$proto:DOMAIN"
pass out quick on egress inet proto udp from any to any port ntp keep state label "$nr:$proto:NTP"
# --- allow outgoing ICMP
# ping and 'traceroute -P icmp'
pass out quick on egress inet proto icmp from any to any icmp-type echoreq keep state label "$nr:$proto:ICMP"
# ---- internal network interface
anchor "ftp-proxy/*"
pass in quick on internal inet proto tcp to port ftp divert-to 127.0.0.1 port 8021
pass quick on internal inet
# ---- default block
block log all label BLOCKED
The /etc/hostname.* files:
Code:
# cat /etc/hostname.xl0
dhcp
# cat /etc/hostname.xl1
inet 192.168.222.10 255.255.255.0 NONE group internal
inet alias 192.168.222.11 255.255.255.255
The ftp proxy stuff and the enabling of forwarding/routing of IPv4:
Code:
# grep ftp /etc/rc.conf.local
ftpproxy_flags="-T FTP_DATA"
# grep forward /etc/sysctl.conf
net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of IPv4 packets
net.inet.ip.mforwarding=1 # 1=Permit forwarding (routing) of IPv4 multicast packets
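The labels on the rules above ("$nr:$proto:$dstport", "BLOCKED") are what make `pfctl -sl` useful: it prints one line per labelled rule with its evaluation, packet, byte and state counters. The script below is an added example, not part of the post above, and the `pfctl -sl` output it parses is constructed sample data, not a capture from a real firewall.

```sh
#!/bin/sh
# Summarise per-label counters from `pfctl -sl`. Each line has nine fields:
#   label evaluations pkts_total bytes_total pkts_in bytes_in pkts_out bytes_out states
# With the pf.conf above, "$nr:$proto:$dstport" expands to e.g. "1:tcp:443".

# Constructed sample output of `pfctl -sl` (not captured from a real box).
SAMPLE_LABELS='1:tcp:443 5210 4800 3900000 2100 250000 2700 3650000 87
1:tcp:22 312 290 41000 150 20000 140 21000 6
2:tcp:SMTP 40 38 5100 19 1200 19 3900 3
4:tcp:5999 12 0 0 0 0 0 0 0
5:udp:DOMAIN 9000 8800 1200000 4400 900000 4400 300000 4400
BLOCKED 20300 20300 1600000 20300 1600000 0 0 0'

# Print "label bytes_total states" for every rule, largest byte count first,
# i.e. which permitted egress services actually carry traffic.
top_labels_by_bytes() {
    awk 'NF == 9 { print $1, $4, $9 }' | sort -k2,2nr
}

# Integer percentage of all counted packets that ended on the final BLOCKED
# rule; a jump here is the first thing to look at after a rule change.
blocked_packet_percent() {
    awk 'NF == 9 { total += $3; if ($1 == "BLOCKED") blocked += $3 }
         END { if (total > 0) printf "%d\n", (blocked * 100) / total; else print 0 }'
}

# Labelled rules that were evaluated but never matched a packet: candidates
# for removal from the $services list (least privilege on egress).
unused_labels() {
    awk 'NF == 9 && $2 > 0 && $3 == 0 { print $1 }'
}

# Stand-alone run on the sample; on a live box replace the printf with `pfctl -sl`.
printf '%s\n' "$SAMPLE_LABELS" | top_labels_by_bytes
printf 'blocked: %s%%\n' "$(printf '%s\n' "$SAMPLE_LABELS" | blocked_packet_percent)"
printf '%s\n' "$SAMPLE_LABELS" | unused_labels
```

Run it as root on the firewall with `pfctl -sl | top_labels_by_bytes` and friends; `pfctl -z` resets the counters when you want a fresh accounting window.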