# in VirtualBox
ext_if = em0

# real machine
#ext_if = re0

smtp_srv = 192.168.0.33

# martians
table <intNetworks> const { 192.168.0.0/24, 192.168.10.0/24, \
			192.168.100.0/24 }

# default rule, block all
block all

# no IPv6
block quick inet6

set loginterface $ext_if 

match in all scrub (no-df)

antispoof quick for $ext_if

out_tcp_services = "{ssh, domain}"
out_udp_services = "{domain, ntp, bootps}"
out_icmp_types = "{echoreq,unreach}"

in_tcp_services = "{ssh}"
in_udp_services = "{bootpc}"
in_icmp_types = "{echoreq,unreach}"

pass out on $ext_if inet proto udp to port 33433 >< 33626

pass out inet proto tcp to port $out_tcp_services
pass out inet proto udp to port $out_udp_services 
pass out inet proto icmp all icmp-type $out_icmp_types

pass in inet proto tcp to port $in_tcp_services
pass in inet proto icmp all icmp-type $in_icmp_types

match out on $ext_if from <intNetworks> nat-to ($ext_if)

match in on $ext_if proto tcp from any to $ext_if port smtp rdr-to $smtp_srv port 9999

pass in quick on $ext_if inet proto tcp from 192.168.0.1 to 192.168.0.252 port http flags S/SA synproxy state