/etc/pf.conf
ext_if = "re0" # macro for external interface - use tun0 for PPPoE int_if = "re1" # macro for internal interface # ext_if IP address is (may be) dynamic match out on $ext_if inet nat-to ($ext_if) block all pass inet proto tcp from { lo0, $int_if:network }