Sanitized pf.conf
Code:
# Interface macros. $ext_if is not referenced by any rule in this listing;
# the rules match on the "egress" interface group instead.
# NOTE(review): confirm that em0 is the only member of the egress group,
# otherwise the egress rules apply to more interfaces than intended.
ext_if="em0"
int_if="em2"
# Public addresses (sanitized in this listing) that receive forwarded SSH.
testing_pub_ip = "50.x.x.a"
sync_pub_ip = "50.x.x.b"
# Internal hosts that the public addresses above are redirected to.
netfs = "192.168.0.152"
workstation = "192.168.0.191"
# ICMP types used by the ICMP pass rule: echo request and destination
# unreachable.
icmp_types = "{ echoreq, unreach }"
# Pass IPv4 ICMP echo requests and unreachables. No direction and no "quick"
# are given, so this is only a provisional match.
# NOTE(review): pf applies the last matching rule. The later
# "block in log all" therefore overrides this rule for inbound ICMP on egress,
# while outbound and LAN-side ICMP are already covered by the later pass
# rules. As written this rule appears to have no effect; decide whether
# inbound ICMP on egress is wanted and place the rule accordingly.
pass inet proto icmp all icmp-type $icmp_types
# Blocked packets are dropped silently rather than answered with a TCP RST or
# an ICMP unreachable.
set block-policy drop
# Collect packet and byte counters for the egress interface group.
set loginterface egress
# Raise the hard limits on the state, source-node and table memory pools.
# NOTE(review): with limits this high the state table is bounded mainly by
# kernel memory; confirm the host is sized for it.
set limit { states 1000000, src-nodes 100000, tables 1000000, table-entries 1000000 }
# Loopback traffic is not filtered at all.
set skip on lo0
# Normalise every inbound packet; no-df clears the don't-fragment bit.
# "log" on an unrestricted match rule logs all inbound traffic, so expect a
# high pflog volume.
match in log all scrub (no-df)
# NAT
# Source-NAT everything that leaves egress with a source outside the egress
# network. (egress:0) is the interface's primary address without aliases; the
# parentheses make pf follow address changes.
match out log on egress inet from !(egress:network) to any nat-to (egress:0)
# Drop packets that claim a source address in the egress network but arrive
# on a different interface.
antispoof quick for egress
# Reverse-path check: drop packets arriving on egress whose source address
# would not be routed back out through egress.
block in log quick on egress from urpf-failed
# Drop packets whose source address has no route at all.
block in log quick from no-route to any
# No IPv6 please
# Both rules are "quick", so IPv6 is dropped in either direction before any
# later rule is evaluated. Neither rule has "log", so these drops do not
# appear in pflog.
block in quick inet6 all
block out quick inet6 all
# Default deny for inbound traffic. The rule is not "quick", so the pass rules
# that follow can still override it (last match wins).
block in log all
# Let your traffic go through to the internet
# No interface is named, so this passes outbound IPv4 on every interface
# (egress and $int_if alike) and, being "quick", ends rule evaluation.
pass out log quick inet keep state
# Allow all LAN traffic
# Accepts everything that arrives on $int_if, including traffic addressed to
# the firewall itself.
pass in log on { $int_if }
# SSH port forwards: connections to each public address on port 22 are
# redirected to the matching internal host.
# NOTE(review): SSH uses TCP only; "proto { tcp, udp }" also forwards UDP/22
# to the internal hosts. Narrowing to "proto tcp" removes exposure that
# nothing here needs.
# NOTE(review): no source address is restricted, so both internal hosts
# accept SSH from any internet address. Consider an allow-list table as the
# source, key-only authentication on the targets, and rate limiting
# (max-src-conn-rate with an overload table).
pass in log on egress inet proto { tcp, udp } to $testing_pub_ip port { ssh } rdr-to $workstation
pass in log on egress inet proto { tcp, udp } to $sync_pub_ip port { ssh } rdr-to $netfs