after I read openbsd site documents about NAT in PF , I understand , if I want my pf.conf work good in OpenBSD 5 . I must change it and I make this new pf.conf
Code:
############################### MACROS ############################################################
ext_if = "sk0"
int_if = "re0"
External_net = "10.10.10.192/27"
Local_net = "192.168.0.0/24"
Local_Web = "192.168.0.10"
Local_Srv = "192.168.0.1"
Prtcol = "{ tcp, udp }"
Admin_IP = "{ 10.10.10.192/27, 11.11.11.0/21, 12.12.12.0/18 }"
ICMP_Types = "{ echorep, unreach, squench, echoreq, timex }"
#Define ports for common internet services
#TCP_SRV = "{ 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 8443 }"
#UDP_SRV = "{ 53 }"
TCP_SRV = "{ 80, 443 }"
UDP_SRV = "{ }"
Samba_TCP = "{ 139, 445 }"
Samba_UDP = "{ 137, 138 }"
SERVER = "10.10.10.200"
NAT1 = "10.10.10.194"
NAT2 = "10.10.10.195"
NAT3 = "10.10.10.196"
NAT4 = "10.10.10.197"
NAT5 = "10.10.10.198"
NAT6 = "10.10.10.199"
NAT7 = "10.10.10.201"
NAT8 = "10.10.10.202"
NAT9 = "10.10.10.203"
NAT10 = "10.10.10.204"
NAT11 = "10.10.10.205"
NAT12 = "10.10.10.206"
NAT13 = "10.10.10.207"
NAT14 = "10.10.10.208"
NAT15 = "10.10.10.209"
NAT16 = "10.10.10.210"
NAT17 = "10.10.10.211"
NAT18 = "10.10.10.212"
NAT19 = "10.10.10.213"
NAT20 = "10.10.10.214"
NAT21 = "10.10.10.215"
NAT22 = "10.10.10.216"
NAT23 = "10.10.10.217"
NAT24 = "10.10.10.218"
NAT25 = "10.10.10.219"
#### All IP of Groups which can be connect to Internet
paltalk1 = "{ 192.168.0.20, 192.168.0.21, 192.168.0.22 }"
paltalk2 = "{ 192.168.0.23, 192.168.0.24, 192.168.0.25 }"
paltalk3 = "{ 192.168.0.26, 192.168.0.27, 192.168.0.28, 192.168.0.29 }"
webdsgn1 = "{ 192.168.0.30, 192.168.0.31, 192.168.0.32 }"
webdsgn2 = "{ 192.168.0.33, 192.168.0.34, 192.168.0.35 }"
webdsgn3 = "{ 192.168.0.36, 192.168.0.37, 192.168.0.38 }"
webdsgn4 = "{ 192.168.0.39, 192.168.0.40, 192.168.0.41 }"
webdsgn5 = "{ 192.168.0.42, 192.168.0.43, 192.168.0.44 }"
webdsgn6 = "{ 192.168.0.45, 192.168.0.46, 192.168.0.47 }"
webdsgn7 = "{ 192.168.0.48, 192.168.0.49, 192.168.0.50 }"
webdsgn8 = "{ 192.168.0.51, 192.168.0.52, 192.168.0.53, 192.168.0.54 }"
rased1 = "{ 192.168.0.60, 192.168.0.61, 192.168.0.62 }"
rased2 = "{ 192.168.0.63, 192.168.0.64, 192.168.0.65 }"
rased3 = "{ 192.168.0.66, 192.168.0.67, 192.168.0.68 }"
rased4 = "{ 192.168.0.69, 192.168.0.70 }"
rased5 = "{ 192.168.0.200, 192.168.0.201, 192.168.0.202, 192.168.0.203, 192.168.0.204, 192.168.0.205 }"
rased6 = "{ 192.168.0.206, 192.168.0.207, 192.168.0.208, 192.168.0.209, 192.168.0.210, 192.168.0.211 }"
rased7 = "{ 192.168.0.212, 192.168.0.213, 192.168.0.214, 192.168.0.215, 192.168.0.216, 192.168.0.217 }"
rased8 = "{ 192.168.0.218, 192.168.0.219, 192.168.0.220, 192.168.0.221, 192.168.0.222, 192.168.0.223, 192.168.0.224, 192.168.0.225 }"
admin1 = "{ 192.168.0.55, 192.168.0.56, 192.168.0.57 }"
admin2 = "{ 192.168.0.58, 192.168.0.59 }"
############################### TABLES ############################################################
#Define privileged network address sets
table <priv_nets> const { 127.0.0.0/8, 192.168.0.0/16, 13.13.0.0/12, 10.0.0.0/8, 0.0.0.0/8, \
14.14.0.0/16, 192.0.2.0/24, 15.15.15.0/23, 224.0.0.0/3 }
table <badguys> persist file "/usr/local/pf/Network/blocklist.lst"
table <hackers> persist file "/usr/local/pf/Network/hackers.lst"
#Define Favoured client hosts
table <Admin> persist file "/usr/local/pf/Network/Admin.lst"
table <Paltalk> persist file "/usr/local/pf/Network/Paltalk.lst"
table <WebDsgn> persist file "/usr/local/pf/Network/WebDsgn.lst"
table <Rased> persist file "/usr/local/pf/Network/Rased.lst"
table <LocalHost> const { self }
############################### OPTIONS ############################################################
#Default behaviour
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 10000, frags 5000 }
set loginterface $ext_if
set optimization normal
set block-policy drop
set require-order yes
set fingerprints "/etc/pf.os"
set skip on lo0
#set state-policy if-bound
############################### TRAFFIC NORMALIZATION ##############################################
#Filter traffic for unusual packets
scrub in all
############################### TRANSLATION ######################################################
#NAT for the external traffic
#Mask internal ip addresses with actual external ip address
#nat pass on $ext_if from $Local_net to any -> $SERVER
match out on egress inet from !(paltalk1) to any nat-to (NAT1)
match out on egress inet from !(paltalk2) to any nat-to (NAT2)
match out on egress inet from !(paltalk3) to any nat-to (NAT3)
match out on egress inet from !(webdsgn1) to any nat-to (NAT4)
match out on egress inet from !(webdsgn2) to any nat-to (NAT5)
match out on egress inet from !(webdsgn3) to any nat-to (NAT6)
match out on egress inet from !(webdsgn4) to any nat-to (NAT7)
match out on egress inet from !(webdsgn5) to any nat-to (NAT8)
match out on egress inet from !(webdsgn6) to any nat-to (NAT9)
match out on egress inet from !(webdsgn7) to any nat-to (NAT10)
match out on egress inet from !(webdsgn8) to any nat-to (NAT11)
match out on egress inet from !(rased1) to any nat-to (NAT12:0)
match out on egress inet from !(rased2) to any nat-to (NAT13)
match out on egress inet from !(rased3) to any nat-to (NAT14)
match out on egress inet from !(rased4) to any nat-to (NAT15)
match out on egress inet from !(rased5) to any nat-to (NAT16)
match out on egress inet from !(rased6) to any nat-to (NAT17)
match out on egress inet from !(rased7) to any nat-to (NAT18)
match out on egress inet from !(rased8) to any nat-to (NAT19)
match out on egress inet from !(admin1) to any nat-to (NAT20)
match out on egress inet from !(admin2) to any nat-to (NAT21)
############################### PACKET FILTERING #################################################
# Default Rule
pass quick on { $ext_if, $int_if } all keep state
please help me to find mistake in this new pf.conf .
I have 27 valid or static IPs and I want each Static IPs or valid IPs work with 3 invalid IPs.
please help me id I have mistake in this pf.conf . solve it .