Our current rules use "ext_if" to open some ports. Here is an example of the generated rules:
# pfctl -s rules
match out on re0 inet from 192.168.99.0/24 to any nat-to (re0) round-robin
block return log all
pass inet proto icmp from any to 127.0.0.1
pass inet proto icmp from any to 1.2.3.4
pass inet proto icmp from any to 192.168.99.100
pass inet from 127.0.0.1 to any flags S/SA
pass inet from 1.2.3.4 to any flags S/SA
pass inet from 192.168.99.0/24 to any flags S/SA
pass on lo0 inet6 from fe80::1 to any flags S/SA
pass inet6 from ::1 to any flags S/SA
pass in on re0 inet proto tcp from any to 1.2.3.4 port = 8022 flags S/SA rdr-to 192.168.99.100 port 22
pass on re1 inet proto tcp from any to 192.168.99.100 port = 22 flags S/SA
#
1.2.3.4 was my public IP. When re0 (the WAN port) was down, PF failed to start, and as a result there was no networking. Also, if the IP address on the WAN port changes, PF would need to be restarted. I guess we need to find a better approach here.
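As an added illustration (not code from the original post or its project), the fragment below contrasts the fragile form of the ext_if rule with one that lets PF resolve the interface address at runtime; it reuses the interface and address names from the pfctl output above, while the macro names are assumptions.

```pf
# Assumed macros (interface names and addresses taken from the pfctl output above).
ext_if = "re0"
int_if = "re1"
ssh_host = "192.168.99.100"

# Fragile: $ext_if without parentheses is expanded to the interface's address
# when the ruleset is loaded. If re0 has no address at that moment, pfctl
# rejects the whole ruleset (no rules, no networking), and if the address
# changes later the literal 1.2.3.4 stays in the loaded rule until a reload.
# pass in on $ext_if inet proto tcp to $ext_if port 8022 rdr-to $ssh_host port 22

# Robust: ($ext_if) is evaluated at runtime, so the ruleset loads even while
# re0 is down and the rule follows the address when it changes. Until re0
# has an address the rule simply matches nothing.
match out on $ext_if inet from 192.168.99.0/24 to any nat-to ($ext_if) round-robin
block return log all
pass inet proto icmp to ($ext_if)
pass in on $ext_if inet proto tcp to ($ext_if) port 8022 rdr-to $ssh_host port 22
pass on $int_if inet proto tcp to $ssh_host port 22
```

Check the file with pfctl -nf /etc/pf.conf (parse only, no load) while re0 is down: the parenthesised form parses cleanly, whereas the commented-out form fails with a host specification error.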