# /etc/pf.conf
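# Macros.  pf requires these before anything that references them.
ext_if = "vtnet0"
# ":0" selects the interface's primary address only (no aliases).  The
# address is resolved once at load time; write ($ext_if:0) in the rules
# instead if it can change while pf is running.
ext_addr = $ext_if:0
int_if = "lo1"
jail_net = $int_if:network
jail_irc = "10.0.0.1"
jail_weerc = "10.0.0.2"
# ircd, ircs-u is from /etc/services 6667 6697 respectively
#irc_ports = "{ ircd, ircs-u }"

# Service lists.  A macro holding a { list } must be quoted, exactly like
# irc_ports above; an unquoted "{ssh}" is a syntax error at load time.
# None of these are referenced by a rule yet; they are kept for the filter
# section below.
services_in = "{ ssh }"
services_out = "{ http, https, ftp, ircd, ircs-u }"
# put maybe in anchor to be loaded when needed
# http://srobb.net/pf.html
maybe_in = "{ rsync, openvpn }"
maybe_out = "{ }"

# Translation.  Outbound traffic from the jails leaves as $ext_addr.
# "static-port" cannot be combined with a "port" range (pfctl rejects the
# rule).  The range is kept here; if keeping the jails' source ports
# unmodified was the intent, drop "port 1024:65535" and restore
# "static-port" instead.
nat on $ext_if from $jail_net to any -> $ext_addr port 1024:65535
# Inbound ssh to each jail on its own external port.  Both redirections
# accept any source and no filter rule narrows them, so a
# "pass in ... from <allowed>" rule (see the table examples below) is the
# natural next step once filtering is enabled.
rdr on $ext_if proto tcp from any to $ext_if port 2222 -> $jail_irc port 22
rdr on $ext_if proto tcp from any to $ext_if port 2223 -> $jail_weerc port 22
#rdr on $ext_if proto tcp from any to $ext_if port 2222 -> $jail_net port 22

# Filtering.  Nothing below is active.  With no pass/block rules loaded pf
# passes every packet it sees, so the rdr targets above and any other
# listening port on the host are not filtered.  When enabling, keep the
# order: scrub, then translation (above), then block/pass.
# more
# pass in proto tcp to port 22 keep state
# scrub in all
# ^ rule must also go above the filtering rules (and above the rdr to redirect ftp if you use it.)
# table <allowed> persist file "/etc/allowed"
# ^ a file example
# table <allowed> { 2.111.61.61 }
# block in on $ext_if
# pass in on $ext_if from <allowed> to any
# another example
# block in on $ext_if from <suspicious> to any

# last updated march 2018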