#3
24th August 2011
tomp
Real Name: Tom Purvis
Local Area Nitwit
Join Date: Aug 2011
Location: Colorado
Posts: 17
And one more reply to myself

I have arrived at a pf.conf that works in my test environment. It has a couple of port-forwarding redirects that I won't include here because they are internal business. But this works for FTP from inside the firewall to the 'net, it allows MS SQL Server tcp client access to db servers outside the firewall from inside, and it allows a selection of tcp/ip ports to be passed.

I post it because I hope that another clueless newb who googles to this thread will find it useful.

Code:
# Macros:
ext_if="rl0"                    # external (Internet-facing) interface
int_if="rl1"                    # internal LAN interface
localnet=$int_if:network
outsidenet=$ext_if:network      # defined but not referenced by any rule below
tcp_services="{ www, https, ftp, ftp-data, ssh, sftp, ntp, pop3, smtp, ms-sql-s, 4022 }"
tcp_dev_services="{ 81 }"       # defined but not referenced by any rule below
udp_services="{ domain, ntp, dhcpd-sync, ms-sql-m }"
proxy="127.0.0.1"               # where ftp-proxy(8) listens (port 8021)
netbios_services="{ netbios-ns, netbios-dgm, netbios-ssn }"   # defined but not referenced by any rule below
icmp_types="{ echoreq, unreach }"
# Tables:
table <developers> persist file "/etc/developers"   # loaded but not referenced by any rule below
# begin settings
set block-policy drop
set skip on lo
antispoof quick for $ext_if
block log all                   # default deny in both directions; everything else needs a pass rule
# This is the NAT line:
match out on $ext_if from $localnet nat-to ($ext_if)
# block incoming traffic (already covered by "block log all", harmless):
block in log on $ext_if all
# FTP Proxy rules (ftp-proxy must be running for the anchor to be populated):
pass in quick on $int_if proto tcp to port 21 rdr-to $proxy port 8021
anchor "ftp-proxy/*"
# begin granular rules
pass inet proto tcp from self   # the firewall host itself may open TCP connections
# allow ssh to come in from "outside":
pass in quick proto tcp to $ext_if port { ssh }
# list of acceptable services:
pass inet proto tcp from $localnet to port $tcp_services
# needed for SQL Server tcp/ip access (ms-sql-m is also in $udp_services below):
pass inet proto udp from $localnet to port ms-sql-m
# UDP and ICMP rules (the braces also match TCP to these ports; keep state is the default):
pass inet proto { tcp, udp } to port $udp_services keep state
pass inet proto icmp all icmp-type $icmp_types
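The ruleset above defines several macros and a table that no rule ever uses, which is easy to miss by eye. As an added example (not tomp's code or part of the post), here is a small Python audit that parses the macro definitions, expands $references the way pfctl would, and reports definitions nothing references; it assumes the simple name=value / table <name> forms used in this file and is not a full pf.conf parser.

```python
import re

# tomp's pf.conf as posted above, minus comment lines and the set/anchor/"from self" lines (no macro refs).
PF_CONF = """\
ext_if="rl0"
int_if="rl1"
localnet=$int_if:network
outsidenet=$ext_if:network
tcp_services="{ www, https, ftp, ftp-data, ssh, sftp, ntp, pop3, smtp, ms-sql-s, 4022 }"
tcp_dev_services="{ 81 }"
udp_services="{ domain, ntp, dhcpd-sync, ms-sql-m }"
proxy="127.0.0.1"
netbios_services="{ netbios-ns, netbios-dgm, netbios-ssn }"
icmp_types="{ echoreq, unreach }"
table <developers> persist file "/etc/developers"
antispoof quick for $ext_if
match out on $ext_if from $localnet nat-to ($ext_if)
block in log on $ext_if all
pass in quick on $int_if proto tcp to port 21 rdr-to $proxy port 8021
pass in quick proto tcp to $ext_if port { ssh }
pass inet proto tcp from $localnet to port $tcp_services
pass inet proto udp from $localnet to port ms-sql-m
pass inet proto { tcp, udp } to port $udp_services keep state
pass inet proto icmp all icmp-type $icmp_types
"""

MACRO_RE = re.compile(r'^(\w+)\s*=\s*(.+)$')  # name="value" or name=$other:suffix
TABLE_RE = re.compile(r'^table\s+<(\w+)>')    # table <name> ...

def config_lines(text):  # non-empty lines with '#' comments stripped
    return [s for s in (l.split("#", 1)[0].strip() for l in text.splitlines()) if s]

def parse_macros(text):
    """Macro name -> value with surrounding quotes removed; $refs inside values are kept."""
    return {m.group(1): m.group(2).strip('"') for m in map(MACRO_RE.match, config_lines(text)) if m}

def expand(line, macros):
    """Resolve $macro references; loops because macros nest ($localnet -> $int_if:network)."""
    prev = None
    while prev != line:  # an undefined macro raises KeyError; pfctl would reject it too
        prev, line = line, re.sub(r"\$(\w+)", lambda m: macros[m.group(1)], line)
    return line

def unused_definitions(text):
    """(macros, tables) defined but never referenced by any rule or other macro: dead config."""
    body = "\n".join(config_lines(text))
    tables = {m.group(1) for m in map(TABLE_RE.match, config_lines(text)) if m}
    dead_macros = {n for n in parse_macros(text) if not re.search(r"\$" + re.escape(n) + r"\b", body)}
    dead_tables = {n for n in tables if body.count("<%s>" % n) < 2}
    return dead_macros, dead_tables
```

Run against this config it reports outsidenet, tcp_dev_services and netbios_services plus the developers table as unused; on a real box, `pfctl -nf /etc/pf.conf` remains the authoritative syntax check.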