After much delay, here is my pf.conf.
Code:
#####################################################
## Available range: a.b.c.d.66 -> a.b.c.d.126 ##
#####################################################
# Public IP Addresses #
main_ext_ip = "a.b.c.d.66"
routing_ip = "a.b.c.d.65"
sync_pub_ip = "a.b.c.d.100"
screen_pub_ip = "a.b.c.d.101"
# Important Internal IP Addresses #
netfs = "192.168.0.152"
localscreen = "192.168.0.221"
# Other Variables #
ext_if="em0" #WAN
int_if="em1" #LAN
icmp_types="echoreq" # assumed: $icmp_types is used by the ICMP rule below but was not defined in the posted config
set loginterface em0
set loginterface em1 # note: pf keeps a single logging interface, so this line replaces the one above
table <binat> {\
$localscreen\
$netfs\
}
table <rfc1918> const \
{ 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }
##===================================================
## Block stuff
##===================================================
block in log on $ext_if
block in log quick on $ext_if from <rfc1918> to any
block out log quick on $ext_if from <rfc1918> to any
pass out log
# ==================================================================================
######## Allow ICMP ping ####Ping test to make sure we can get to host
pass in inet proto icmp from any to any icmp-type $icmp_types modulate state
### Note: it does work for $sync_pub_ip but not $screen_pub_ip ??? # <- THIS IS A CLUE!?!
# ==================================================================================
# 1:1 (bidirectional) mappings: internal host <-> its dedicated public address
pass log on $ext_if from $netfs to any binat-to $sync_pub_ip
pass log on $ext_if from $localscreen to any binat-to $screen_pub_ip
# Everything else leaving the box is source-translated to the primary address
match out log inet from ! $ext_if to any nat-to $ext_if
# Inbound rsync/ftp/ssh for the file server (ftp is port 21 and ftp-data is port 20, so 21 appears twice here)
pass in log on $ext_if proto { tcp, udp } from any to $sync_pub_ip port { 873 ftp ftp-data 22 21 } rdr-to $netfs
match in log on $ext_if to $screen_pub_ip
# Note: the ":0" modifier (no aliases) applies to interface names such as em0:0, not to address macros
pass in log on $ext_if:0 proto { tcp, udp } to $screen_pub_ip port { 81 82 3306 3312 } nat-to $localscreen
pass out log on $ext_if from $localscreen nat-to $screen_pub_ip
match out log on $ext_if from $localscreen to any nat-to $screen_pub_ip
# -------------------------------------------------------------------------------
match in log on $ext_if proto { tcp, udp } from any to $screen_pub_ip:0 port { 81 82 3306 3312 52530 } rdr-to $localscreen
match out log on $ext_if from $screen_pub_ip:0 to $localscreen nat-to $ext_if
pass out log on $ext_if from $int_if:network to any
pass in log on $ext_if from $screen_pub_ip:0 nat-to $localscreen
I would really love to hear any suggestions that you might have.
EDIT: If anybody could give me some hints about paring this down, and/or optimizing the layout and code, I would be grateful. I am trying to make this thing very efficient too, but I know I have a lot of things that are redundant.
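A consolidated version of the same translation setup, added here as an illustration and not the poster's own config: one `match ... binat-to` rule per dedicated public address replaces the binat/rdr/nat trio, and because pf evaluates later rules against the already translated addresses, the `pass in` rules name the internal hosts. Macros, addresses and ports reuse the values posted above (the screen host's port list is the union of the two lists posted); `icmp_types` is assumed, since the posted config uses it without defining it.

```pf
# Added example, not the original poster's config. Macros reuse the posted values.
ext_if = "em0"
int_if = "em1"
sync_pub_ip   = "a.b.c.d.100"
screen_pub_ip = "a.b.c.d.101"
netfs         = "192.168.0.152"
localscreen   = "192.168.0.221"
icmp_types    = "echoreq"          # assumed: not defined in the posted config
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set skip on lo
set loginterface $ext_if           # only one logging interface can be active

# Translation. binat-to is bidirectional: it expands to an outbound nat-to and an
# inbound rdr-to, so one rule per host replaces the separate binat/rdr/nat rules.
match on $ext_if from $netfs to any binat-to $sync_pub_ip
match on $ext_if from $localscreen to any binat-to $screen_pub_ip
# Remaining LAN hosts share the primary address. Later rules see translated
# addresses, so the two binat hosts (now carrying a public source) do not match here.
match out on $ext_if from $int_if:network to any nat-to ($ext_if)

# Filtering. Default deny inbound on the WAN, drop private ranges in both directions.
block in log on $ext_if
block in quick on $ext_if from <rfc1918> to any
block out quick on $ext_if to <rfc1918>
pass out

# Inbound services. Destinations are the INTERNAL addresses: the binat rules
# above have already rewritten the public address by the time these are evaluated.
pass in on $ext_if inet proto icmp icmp-type $icmp_types
pass in on $ext_if proto { tcp, udp } to $netfs port { 21 22 873 }
pass in on $ext_if proto { tcp, udp } to $localscreen port { 81 82 3306 3312 52530 }
pass in on $int_if
```

Load it with `pfctl -nf` first to check syntax, then watch `tcpdump -n -e -ttt -i pflog0` while pinging each public address to confirm both mappings are hit.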