<span class="hljs-comment"># from the PF FAQ: http://www.openbsd.org/faq/pf/example1.html</span>

<span class="hljs-comment"># macros</span>

int_if=<span class="hljs-string">&quot;xl0&quot;</span>

tcp_services=<span class="hljs-string">&quot;{ 22, 113 }&quot;</span>
icmp_types=<span class="hljs-string">&quot;echoreq&quot;</span>

comp3=<span class="hljs-string">&quot;192.168.0.3&quot;</span>

<span class="hljs-comment"># options</span>

<span class="hljs-built_in">set</span> <span class="hljs-keyword">block-policy</span> return
<span class="hljs-built_in">set</span> <span class="hljs-keyword">loginterface</span> <span class="hljs-literal">egress</span>
<span class="hljs-built_in">set</span> <span class="hljs-keyword">skip</span> <span class="hljs-keyword">on</span> lo

<span class="hljs-comment"># FTP Proxy rules</span>

<span class="hljs-built_in">anchor</span> <span class="hljs-string">&quot;ftp-proxy/*&quot;</span>

<span class="hljs-built_in">pass</span> <span class="hljs-keyword">in</span> <span class="hljs-keyword">quick</span> <span class="hljs-keyword">on</span> <span class="hljs-variable">$int_if</span> <span class="hljs-keyword">inet</span> <span class="hljs-keyword">proto</span> tcp <span class="hljs-keyword">to</span> <span class="hljs-literal">any</span> <span class="hljs-keyword">port</span> ftp \
    <span class="hljs-keyword">divert-to</span> <span class="hljs-number">127.0</span>.<span class="hljs-number">0.1</span> <span class="hljs-keyword">port</span> <span class="hljs-number">8021</span>

<span class="hljs-comment"># match rules</span>

<span class="hljs-built_in">match</span> <span class="hljs-keyword">out</span> <span class="hljs-keyword">on</span> <span class="hljs-literal">egress</span> <span class="hljs-keyword">inet</span> <span class="hljs-keyword">from</span> !(<span class="hljs-literal">egress</span>:network) <span class="hljs-keyword">to</span> <span class="hljs-literal">any</span> <span class="hljs-keyword">nat-to</span> (<span class="hljs-literal">egress</span>:<span class="hljs-number">0</span>)

<span class="hljs-comment"># filter rules</span>

<span class="hljs-built_in">block</span> <span class="hljs-keyword">in</span> <span class="hljs-keyword">log</span>
<span class="hljs-built_in">pass</span> <span class="hljs-keyword">out</span> <span class="hljs-keyword">quick</span>

<span class="hljs-built_in">antispoof</span> <span class="hljs-keyword">quick</span> <span class="hljs-keyword">for</span> { lo <span class="hljs-variable">$int_if</span> }

<span class="hljs-built_in">pass</span> <span class="hljs-keyword">in</span> <span class="hljs-keyword">on</span> <span class="hljs-literal">egress</span> <span class="hljs-keyword">inet</span> <span class="hljs-keyword">proto</span> tcp <span class="hljs-keyword">from</span> <span class="hljs-literal">any</span> <span class="hljs-keyword">to</span> (<span class="hljs-literal">egress</span>) \
    <span class="hljs-keyword">port</span> <span class="hljs-variable">$tcp_services</span>

<span class="hljs-built_in">pass</span> <span class="hljs-keyword">in</span> <span class="hljs-keyword">on</span> <span class="hljs-literal">egress</span> <span class="hljs-keyword">inet</span> <span class="hljs-keyword">proto</span> tcp <span class="hljs-keyword">to</span> (<span class="hljs-literal">egress</span>) <span class="hljs-keyword">port</span> <span class="hljs-number">80</span> <span class="hljs-keyword">rdr-to</span> <span class="hljs-variable">$comp3</span>

<span class="hljs-built_in">pass</span> <span class="hljs-keyword">in</span> <span class="hljs-keyword">inet</span> <span class="hljs-keyword">proto</span> icmp <span class="hljs-literal">all</span> <span class="hljs-keyword">icmp-type</span> <span class="hljs-variable">$icmp_types</span>

<span class="hljs-built_in">pass</span> <span class="hljs-keyword">in</span> <span class="hljs-keyword">on</span> <span class="hljs-variable">$int_if</span>
