webserver = "192.168.2.7"
webports = "{ http, https }"
emailserver = "192.168.2.5"
email = "{ smtp, pop3, imap, imap3, imaps, pop3s }"

rdr on $ext_if proto tcp from any to $ext_if port $webports -> $webserver
rdr on $ext_if proto tcp from any to $ext_if port $email -> $emailserver

pass in on $ext_if proto tcp from any to $webserver port $webports \
    flags S/SA synproxy state
pass in on $ext_if proto tcp from any to $emailserver port $email \
    flags S/SA synproxy state
pass out on $ext_if proto tcp from $emailserver to any port smtp \
    flags S/SA synproxy state
Works with or without a separate dmz, but -