/etc/pf.conf
ext_if = "re0" # macro for external interface - use tun0 for PPPoE
int_if = "re1" # macro for internal interface
# ext_if IP address is (may be) dynamic
nat on $ext_if from $localnet to any -> ($ext_if)
block all
pass inet proto tcp from { lo0, $int_if:network } to any keep state