/etc/pf.conf
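# pf ruleset for a gateway with a web server, a mail server and two name
# servers behind it. 192.0.2.0/24 is the TEST-NET-1 documentation range,
# so every address below is a placeholder to be replaced with real ones.

ext_if = ep0
int_if = ep1
localnet = "192.0.2.0/24"
webserver = "192.0.2.227"
webports = "{ http, https }"
emailserver = "192.0.2.225"
# NOTE(review): pop3, imap and imap3 are cleartext protocols; exposing them
# to "any" means mailbox credentials cross the Internet unencrypted. Consider
# keeping only pop3s/imaps here and allowing the cleartext ports from
# $localnet alone.
email = "{ smtp, pop3, imap, imap3, imaps, pop3s }"
nameservers = "{ 192.0.2.221, 192.0.2.223 }"
client_out = "{ ssh, domain, pop3, auth, nntp, http, https, cvspserver, 2628, 5999, 8000, 8080 }"
udp_services = "{ domain, ntp }"
icmp_types = "{ echoreq, unreach }"

# No filtering at all on the internal interface: every host on $localnet is
# fully trusted and nothing below applies to traffic on $int_if.
set skip on $int_if

# Default deny. Every rule after this is an explicit exception.
block all

# A packet that arrives on the external interface with a $localnet source
# address can only be spoofed. The client rules below are direction-
# qualified ("out") so they can no longer match such a packet, but drop it
# early and log it regardless.
block in log quick on $ext_if inet from $localnet to any

# Egress from the LAN. "out" is explicit: the original direction-less rules
# matched inbound packets on $ext_if too, which let spoofed $localnet
# sources create state through the firewall.
pass out quick on $ext_if inet proto { tcp, udp } from $localnet to any port $udp_services
pass out on $ext_if inet proto tcp from $localnet to any port $client_out

# ICMP echo and unreachable in both directions; unreach is needed for path
# MTU discovery to work through the gateway.
pass log on $ext_if inet proto icmp all icmp-type $icmp_types

# Inbound service traffic. synproxy state makes pf complete the TCP
# handshake itself before the server sees the connection, so SYN floods
# never reach the protected host.
# NOTE(review): if $nameservers also recurse, "from any" makes them open
# resolvers usable for DNS amplification; restrict recursion to $localnet
# or limit this rule unless they are authoritative-only.
pass in on $ext_if inet proto { tcp, udp } from any to $nameservers port domain
pass in on $ext_if inet proto tcp from any to $webserver port $webports synproxy state
pass in log on $ext_if inet proto tcp from any to $emailserver port $email synproxy state

# Outbound mail delivery from our mail server only.
# NOTE(review): synproxy state on a connection our own host initiates
# protects nothing on our side (the remote peer is the server); "keep state"
# would suffice. Left as found — confirm before changing.
pass out log on $ext_if inet proto tcp from $emailserver to any port smtp synproxy state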
(an example ruleset — adapt the interfaces, addresses and service lists to your own network before loading it)