|Building The Network You Need With PF, The OpenBSD Packet Filter: BSDCan 2016, Ottawa, Canada, June 8th 2016|
Default deny (aka block all)
Allow access from anywhere to DMZ hosts for certain services
Allow access from local net to DMZ, local net to anywhere port $client_out
Allow access from DMZ to anywhere for some services.
Your task: Test that this works, valid traffic passes.
Test stuff that shouldn't work too, make sure it breaks.