Untitled

a guest
Feb 21st, 2018
#### VARIABLES ####
# network
localnet = "10.0.0.0/24"
externip = "**.***.***.**"
if = "le0"

# services
tcp_in = "{ ssh, www }"
tcp_out = "{ ssh, www, auth, ftp, ftp-data }"
udp_s = "{ domain, ntp }"
jail_in = "{ ssh, www }"

#### NAT and RDR ####
# Redirect all ftp traffic to proxy
# ("rdr pass" lets matching packets through without evaluating the filter rules below)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 8021

# Redirect https to ssh (ssh does not listen to localhost)
# (no "on" interface and "to any": this matches https to any destination, not only $externip)
rdr pass proto tcp from any to any port https -> $externip port ssh

# NAT for the jails
nat on $if from $localnet to any -> $externip

#### Filtering ####
# Default deny; the pass rules below open specific traffic
block all

anchor "ftp-proxy/*"

# Loopback and jail addresses may send anything
pass from { lo0, $localnet } to any

# DNS and NTP over both tcp and udp, in either direction
pass proto { tcp, udp } to any port $udp_s
pass in proto tcp to any port $tcp_in
pass out proto tcp to any port $tcp_out

# Jails
pass in proto tcp to $localnet port $jail_in
pass out proto tcp from $localnet to any port $tcp_out