Change your /etc/pf.conf per the BLUE and RED config fragments. Be careful about OBSERVING the very subtle changes (e.g. no "pass" in the rdr) and differences in keyword spellings (e.g. tag and tagged).
restart pf...

```sh
pfctl -F all -vvf pf.conf
```
Re-test and advise -- with ACTUAL paste of whole pf.conf. Including

```sh
tcpdump -eni pflog0
```

would help us help you.
```
ext_if="em0"
int_if="re0"
wifi_if="ral0"
local_net="{192.168.0.1/24, 192.168.1.1/24}"
server="{ 192.168.0.10/32 }"
icmp_types="echoreq"
tcp_flags="flags S/SA keep state"
table <abusers> persist
set require-order no
set skip on lo
scrub in all
nat on $ext_if from !($ext_if) -> ($ext_if:0)
# ---- start group -----
rdr on $ext_if inet proto { tcp udp } \
    from any to ($ext_if:0) port 80 tag MyWWW -> $server port 80
#
pass in log quick on $ext_if inet proto {tcp udp} \
    tagged MyWWW flags S/SA modulate state
#
pass out log quick on $int_if inet proto {tcp udp} \
    tagged MyWWW keep state
# ----- end group -----
block drop log all
block in log quick from <abusers>
pass out log on $ext_if proto tcp from any to any flags S/SA
pass out log on $ext_if proto { udp,icmp } from any to any
pass in log quick inet proto icmp all icmp-type $icmp_types
pass in log quick on $wifi_if proto tcp to ($wifi_if) port ssh $tcp_flags (max-src-conn 8, max-src-conn-rate 15/5, overload <abusers> flush global)
pass quick on { lo, $int_if, $wifi_if } # I don't write rules this way.
# antispoof quick for { lo, $int_if, $ext_if, $wifi_if } # comment out for test purposes
```
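To catch the two slips the post warns about before loading the ruleset (a stray "pass" inside the rdr, and a "tagged" name with no matching "tag"), here is an added check script; it is not from the thread, it assumes the old-style `rdr ... tag` syntax used above, and it parses a constructed excerpt of that config.

```python
import re

# Constructed excerpt of the tag/tagged group from the pf.conf above.
SAMPLE_PF_CONF = r"""
ext_if="em0"
server="{ 192.168.0.10/32 }"
rdr on $ext_if inet proto { tcp udp } \
    from any to ($ext_if:0) port 80 tag MyWWW -> $server port 80
pass in log quick on $ext_if inet proto {tcp udp} \
    tagged MyWWW flags S/SA modulate state
pass out log quick on $int_if inet proto {tcp udp} \
    tagged MyWWW keep state
block drop log all
"""


def logical_lines(text):
    """Join backslash-continued lines, strip comments and blank lines."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):          # continuation: keep accumulating
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            out.append(" ".join(buf.split()))
        buf = ""
    return out


def check_tag_group(text):
    """Return a list of problems in rdr/tag/tagged usage (empty = clean)."""
    problems, tags_set, tags_used = [], set(), set()
    for rule in logical_lines(text):
        words = rule.split()
        if words[0] == "rdr":
            if "pass" in words:          # "rdr pass" bypasses the filter rules
                problems.append(f"rdr rule carries 'pass': {rule}")
            if "tagged" in words:        # rdr sets tags; it does not match them
                problems.append(f"rdr rule uses 'tagged' instead of 'tag': {rule}")
        if words[0] in ("rdr", "pass", "block"):
            m = re.search(r"\btag (\S+)", rule)      # 'tag X' sets a tag
            if m:
                tags_set.add(m.group(1))
            m = re.search(r"\btagged (\S+)", rule)   # 'tagged X' matches one
            if m:
                tags_used.add(m.group(1))
    for name in sorted(tags_used - tags_set):        # spelling/case mismatches
        problems.append(f"'tagged {name}' has no matching 'tag {name}' rule")
    return problems


if __name__ == "__main__":
    print(check_tag_group(SAMPLE_PF_CONF) or "tag group looks consistent")
```

Run it against the real file with `check_tag_group(open("/etc/pf.conf").read())` before `pfctl -nf` to get a plain-language hint on exactly the keyword slips that pfctl will otherwise accept silently.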