23rd August 2011
tomp (Real Name: Tom Purvis)
Local Area Nitwit
Join Date: Aug 2011
Location: Colorado
Posts: 17

problem was not table

For the rest of the confused folks reading this who didn't know, my problem was not the table. I put the IP addresses into a macro and tried to refer to it; the rule still didn't work, so then I put the addresses literally into the rule and it still didn't work.

Eventually I figured out at least this riddle. This pf.conf works with my table, defined in the file /etc/developers:
Code:
ext_if="rl0"
int_if="rl1"
localnet=$int_if:network
outsidenet=$ext_if:network
tcp_services="{ www, https, sftp, ntp, pop3, smtp, ms-sql-s }"
tcp_dev_services="{ 81 }"
udp_services="{ domain, ntp, dhcpd-sync }"
proxy="127.0.0.1"
netbios_services="{ netbios-ns, netbios-dgm, netbios-ssn }"
icmp_types="{ echoreq, unreach }"
table <developers> persist file "/etc/developers"
# begin settings
set block-policy drop
set skip on lo
antispoof quick for $ext_if
block all
# This is the NAT line:
match out on $ext_if from $localnet nat-to ($ext_if)
# begin granular rules
block in log on $ext_if all
# allow ssh to come in from "outside"
pass in quick proto tcp to $ext_if port { ssh }
pass inet proto { tcp, udp } to port $udp_services keep state
pass inet proto icmp all icmp-type $icmp_types
pass inet proto tcp from $localnet to port $tcp_services
pass inet proto tcp from <developers> to port $tcp_dev_services
pass inet proto tcp from self

The final line, pass inet proto tcp from self, which should allow localhost to talk to any port on either side of the box, seems to be the enabler.

Just a bit more information for people like me who are still trying to figure this out. I'll post everything else I learn even if nobody else participates in this thread.

Last edited by tomp; 23rd August 2011 at 09:47 PM.
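To trace why that last rule changes the outcome, here is an added example (written for this post, not code from the thread or from pf) that models pf's last-matching-rule-wins evaluation, including "quick", over the rules above. The addresses, the contents of the developers table and the dhcpd-sync port are constructed assumptions; interface qualifiers, state and the icmp rule are left out.

```python
import ipaddress
SELF = "self"  # stands in for the box's own addresses, like pf's "self"

def src_matches(rule_src, pkt_src):
    """rule_src is None (any), SELF, or a list of networks; pkt_src is an address or SELF."""
    if rule_src is None:
        return True
    if rule_src == SELF or pkt_src == SELF:
        return rule_src == pkt_src          # "self" only ever matches "self"
    ip = ipaddress.ip_address(pkt_src)
    return any(ip in net for net in rule_src)

def matches(rule, pkt):
    _action, _quick, direction, protos, src, dports = rule
    return ((direction is None or direction == pkt["dir"])
            and (protos is None or pkt["proto"] in protos)
            and src_matches(src, pkt["src"])
            and (dports is None or pkt.get("dport") in dports))

def evaluate(rules, pkt):
    """pf semantics: the last matching rule decides, unless a matching rule is quick."""
    result = "pass"                          # pf passes when no rule matches at all
    for rule in rules:
        if matches(rule, pkt):
            result = rule[0]
            if rule[1]:                      # quick: stop at this rule
                break
    return result

# Constructed stand-ins for the macros and the /etc/developers table in the post.
LOCALNET = [ipaddress.ip_network("192.168.1.0/24")]
DEVELOPERS = [ipaddress.ip_network("203.0.113.7/32")]
TCP_SERVICES = {80, 443, 115, 123, 110, 25, 1433}   # www https sftp ntp pop3 smtp ms-sql-s
UDP_SERVICES = {53, 123, 8067}                      # domain ntp dhcpd-sync (8067 assumed)

# (action, quick, direction, protos, src, dports); interface qualifiers and the
# icmp rule are left out because they do not affect the cases traced here.
RULES = [
    ("block", False, None, None, None, None),                  # block all
    ("block", False, "in", None, None, None),                  # block in log on $ext_if all
    ("pass", True, "in", {"tcp"}, None, {22}),                 # pass in quick ... port { ssh }
    ("pass", False, None, {"tcp", "udp"}, None, UDP_SERVICES), # pass ... to port $udp_services
    ("pass", False, None, {"tcp"}, LOCALNET, TCP_SERVICES),    # from $localnet to $tcp_services
    ("pass", False, None, {"tcp"}, DEVELOPERS, {81}),          # from <developers> to port 81
    ("pass", False, None, {"tcp"}, SELF, None),                # pass inet proto tcp from self
]
def decide(pkt, with_self_rule=True):
    """Verdict for pkt with, or without, the final 'from self' rule."""
    return evaluate(RULES if with_self_rule else RULES[:-1], pkt)
```

Without the final rule, TCP the box itself originates falls through to "block all"; with it, every such packet passes in both directions, which is far broader than the single port being debugged and worth checking with pfctl -sr once the rules load.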