'sticky' action, does not affect pass/block, typical use
ext_if = "xl0" # change to match *your* external interface
hiddenhost = 192.0.2.67
# ... see the sample file
match out on $ext_if from <clients> nat-to ($ext_if)
match in on egress proto tcp to port smtp rdr-to $hiddenhost
pass from <clients> # and so forth [...]Load the sample file
$ sudo pfctl -vnf samples/example007