@mschmitt
Created August 15, 2010 03:47
Sample pf.conf for NAT in OpenBSD 4.7
# Test OpenBSD 4.7 pf.conf for NAT and redirection
# (including access from DMZ to DMZ via external address)
# 192.168.1.0/24 (public LAN) -> (fxp0/.44)Firewall(fxp1/.1) -> 192.168.4.0 (private DMZ)
set skip on lo
set require-order yes

# fxp1 is private (DMZ)
# fxp0 has the default gw and is covered by the egress interface group
IF_PRIVATE="fxp1"
# Host in the DMZ that serves HTTP and DNS
HOST_PRIVATE="192.168.4.2"

# General outbound access from DMZ
pass in log on $IF_PRIVATE inet
pass out log inet all

# NAT all outbound traffic from DMZ to external networks onto the external firewall IP.
# "egress" is resolved to an address when the ruleset is loaded; use "(egress)" if the
# external address can change (e.g. DHCP) and the rule should follow it at run time.
match out log on egress inet from $IF_PRIVATE:network to ! $IF_PRIVATE:network nat-to egress

# Hairpin NAT for DMZ-to-DMZ traffic that was redirected via the public IP: the source is
# translated onto the internal firewall IP so the server's reply comes back through the
# firewall (where pf reverses the redirection) instead of going straight to the client.
match out log on $IF_PRIVATE from $IF_PRIVATE:network to $IF_PRIVATE:network nat-to $IF_PRIVATE

# Access to firewall port 22
pass in on egress inet proto tcp from any to egress port 22

# Port forward from external to DMZ server: port 2222 -> port 22
pass in log on egress inet proto tcp from any to egress port 2222 rdr-to $HOST_PRIVATE port 22
# Port forward from external to DMZ server: port 80
pass in log on egress inet proto tcp from any to egress port www rdr-to $HOST_PRIVATE
# Port forward from external to DMZ server: DNS, port 53
pass in log on egress inet proto { udp, tcp } from any to egress port domain rdr-to $HOST_PRIVATE

# Redirect (some) internal traffic sent to the external address back to the internal server.
# pf is last-match-wins, so for these ports these rules override the general
# "pass in log on $IF_PRIVATE inet" above; the return path relies on the hairpin match rule.
pass in log on $IF_PRIVATE inet proto tcp to egress port www rdr-to $HOST_PRIVATE
pass in log on $IF_PRIVATE inet proto { udp, tcp } to egress port domain rdr-to $HOST_PRIVATE
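The DMZ-to-DMZ case the two match rules handle, as an added Python model (not part of the gist) of the translations pf applies to a client's SYN and of where the server's reply then goes. The addresses are the gist's topology; the DMZ client 192.168.4.10, the external client 192.168.1.20 and the /24 mask on fxp1 are assumptions.

```python
from dataclasses import dataclass, replace

# Addresses from the gist's topology comment; the /24 on fxp1 is assumed.
EGRESS = "192.168.1.44"        # fxp0, public side ("egress")
FW_PRIVATE = "192.168.4.1"     # fxp1, DMZ side ($IF_PRIVATE address)
HOST_PRIVATE = "192.168.4.2"   # DMZ web/DNS server ($HOST_PRIVATE)
DMZ_PREFIX = "192.168.4."      # $IF_PRIVATE:network, assumed /24


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str


def rdr_to_host(pkt: Pkt) -> Pkt:
    """'... to egress port www rdr-to $HOST_PRIVATE': rewrite the destination."""
    return replace(pkt, dst=HOST_PRIVATE) if pkt.dst == EGRESS else pkt


def hairpin_nat(pkt: Pkt, rule_present: bool) -> Pkt:
    """'match out on $IF_PRIVATE from DMZ to DMZ nat-to $IF_PRIVATE', if loaded."""
    if rule_present and pkt.src.startswith(DMZ_PREFIX) and pkt.dst.startswith(DMZ_PREFIX):
        return replace(pkt, src=FW_PRIVATE)
    return pkt


def reply_target(client: str, rule_present: bool) -> str:
    """Address the server answers to after a client sends SYN to EGRESS:80.
    The packet is redirected on the way in and leaves the firewall on fxp1."""
    syn = Pkt(src=client, dst=EGRESS)
    forwarded = hairpin_nat(rdr_to_host(syn), rule_present)
    return forwarded.src  # the server replies to whatever source it saw


def hairpin_works(client: str, rule_present: bool) -> bool:
    """True when the reply passes back through the firewall, so pf can undo both
    translations and the client sees the SYN-ACK come from EGRESS as expected.
    A reply addressed to a DMZ host other than the firewall is delivered directly
    on the subnet, bypassing the state table: the client then receives a SYN-ACK
    from HOST_PRIVATE for a connection it opened to EGRESS and discards it."""
    target = reply_target(client, rule_present)
    routed_via_firewall = not target.startswith(DMZ_PREFIX)  # default gw is the firewall
    return target == FW_PRIVATE or routed_via_firewall
```

Note that for the external client the source is left untouched either way, which is why the gist restricts the nat-to rule to DMZ-to-DMZ traffic: the server still sees real client addresses for connections from outside.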