source: hybrid/branches/releng-9.0/nanobsd/files/etc/pf.proxy.conf@ 10418

all_node="172.31.255.1/32"
wl_net="172.16.0.0/12"
allow_ext_tcp="{22}"
allow_ext_udp="{161}"
allow_int_tcp="{22,3128}"
allow_int_udp="{53,161,12345}"
allow_int_udp_any="{67}"

private="{ 10.0.0.0/8 , 192.168.0.0/16 }"

# Nat the internet
nat on $ext_if from $wl_net to any port $publicnat -> ($ext_if) 

# Nat local wl access
nat on $int_if from $private to $wl_net -> ($int_if)

# Redirection, needs source natting and allow rules
#rdr on $ext_if inet proto tcp from any to $ext_if port 1022 -> 192.168.84.1 port 22    

# Localhost is considered safe
pass quick on lo0 all

# Block all
block in on $ext_if from any to $ext_if
block in on $int_if from any to $int_if

# Allow private to private
# Enable me to access anything
pass out on {$ext_if, $int_if} keep state

# Allow internet access from the network
pass in on $int_if inet proto tcp from $wl_net to any port $publicnat keep state
block in on $int_if inet proto tcp from $wl_net to $int_if port $publicnat

# Allow directives 
pass in on $ext_if inet proto tcp from any to $ext_if port $allow_ext_tcp keep state
pass in on $ext_if inet proto udp from any to $ext_if port $allow_ext_udp keep state

pass in on $int_if inet proto tcp from $wl_net to $int_if port $allow_int_tcp keep state
pass in on $int_if inet proto udp from $wl_net to $int_if port $allow_int_udp keep state
pass in on $int_if inet proto icmp from $wl_net to $int_if keep state

# Allow wl access from local network
pass on $ext_if from $private to $wl_net keep state

# Make sure to block local network access from wl
block on $int_if from $wl_net to $private

# Otherwise lvrouted breaks:
pass in on $int_if