Merge pull request #76 from mekanix/feature/pf

Improve initial pf.conf

templates/pf.conf

@@ -3,7 +3,6 @@ ext_if = "EGRESS"
 # SyncThing example
 # tcp_ports = "{ 22000, 3000 }"
 # udp_ports = "{ 21027 }"
-nfs_ports = "{ sunrpc, nfsd-status, nfsd, lockd }"
 table <cbsd> persist
 
 # Options
@@ -14,19 +13,17 @@ set skip on lo0
 scrub in all
 
 # NAT
+rdr-anchor "cbsd/*" on $ext_if
 nat on $ext_if from <cbsd> to any -> ($ext_if)
 RDR
 
 # Quick rules
 antispoof quick for ($ext_if)
 
 # Rules
-block in log all
-pass in on ! $ext_if proto udp from any to any port bootps
-pass in from { <cbsd>, JAIL_INTERFACE_IP, INTERFACE_IP } to any
-pass out all keep state
+block in log on $ext_if
+pass out
 pass proto tcp to any port ssh
 pass inet proto { icmp, igmp }
 # pass in proto tcp from any to any port $tcp_ports
 # pass in proto udp from any to any port $udp_ports
-pass in on INTERFACE proto { tcp, udp } from any to any port $nfs_ports