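# Hosts and services published through the gateway, in the pf syntax that
# uses rdr-to on pass rules.
# $icmp_types, $localnet, $ext_if and $int_if are not defined in this excerpt;
# presumably they are set earlier in the ruleset -- confirm before loading.
webserver = "192.168.2.7"
webports = "{ http, https }"
emailserver = "192.168.2.5"
# NOTE(review): pop3 and imap carry credentials in cleartext unless the server
# enforces STARTTLS; publish only the services that are meant to be reachable
# from outside.
email = "{ smtp, pop3, imap, imap3, imaps, pop3s }"

# ICMP: only the types listed in $icmp_types, from the local net and towards
# the external interface address.
pass inet proto icmp icmp-type $icmp_types from $localnet
pass inet proto icmp icmp-type $icmp_types to $ext_if

# Connections arriving on the external interface for its own address are
# passed and redirected to the internal servers.
pass in on $ext_if inet proto tcp to $ext_if port $webports rdr-to $webserver
# Uses $emailserver, the macro defined above; the original rule referenced
# $mailserver, which this excerpt never defines.
pass in on $ext_if inet proto tcp to $ext_if port $email rdr-to $emailserver

# The redirected traffic must also be allowed on the internal interface,
# where it is addressed to the servers themselves.
pass on $int_if inet proto tcp to $webserver port $webports
pass on $int_if inet proto tcp to $emailserver port $email
Pre-4.7: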
# Same published services in the pre-4.7 syntax: redirection is written as
# separate rdr rules, followed by the pass rules that admit the traffic.
webserver = "192.168.2.7"
webports = "{ http, https }"
emailserver = "192.168.2.5"
# NOTE(review): pop3 and imap carry credentials in cleartext unless the server
# enforces STARTTLS; publish only the services that are meant to be reachable
# from outside.
email = "{ smtp, pop3, imap, imap3, imaps, pop3s }"
# Rewrite connections addressed to the external interface so that they go to
# the internal web and mail servers.
rdr on $ext_if proto tcp from any to $ext_if port \
$webports -> $webserver
rdr on $ext_if proto tcp from any to $ext_if port \
$email -> $emailserver
# These pass rules match on the internal server addresses, i.e. the
# destinations the rdr rules above rewrite to.
pass in on $ext_if proto tcp from any to $webserver port $webports
pass in on $ext_if proto tcp from any to $emailserver port $email
pass out on $ext_if proto tcp from $emailserver to any port smtp
Works with or without a separate dmz, but -