# See pf.conf(5) and /usr/share/pf for syntax and examples.

#NIC CARDS - I'M DENNY's IDIOCY
ext_if="xl0"
int_if="xl1"

#Hosts - mine
gv="192.168.0.2"
db="192.168.0.4"
webapp="192.168.0.3"
bak="192.168.0.5"
prickly="192.168.0.1"

#Hosts - Windows
gfs="10.21.1.121"
gpds="10.21.1.12"
print="10.21.0.210"

#Net's
dmz_net = "{" $gv $db $webapp $bak "}"
lan_net = "{ 10.21.0.0/16 10.23.0.0/16 }"

#Scrub
scrub in all

#NAT
nat on xl0 from xl1:network to any -> xl0
#www rdr
rdr on xl0 proto tcp from any to any port www -> 192.168.0.2
#ssh rdr
rdr on xl0 proto tcp from any to any port ssh -> 192.168.0.2
#smb
rdr on xl0 proto tcp from $lan_net to any port {137,138,139} -> 192.168.0.3
#print
rdr on xl0 proto tcp from $lan_net to any port 515 -> 192.168.0.3

block all

pass in quick on lo0
pass out quick on lo0

#SSH
pass in on $ext_if proto tcp from any to $gv port ssh flags S/SA keep state
pass out on $int_if proto tcp from $gv to any port ssh flags S/SA keep state
pass in on $ext_if proto tcp from $gv to $prickly port ssh flags S/SA keep state
pass out on $ext_if proto tcp from $prickly to $gv port ssh flags S/SA keep state

#WWW
pass in on $ext_if proto tcp from any to $gv port www flags S/SA synproxy state
pass out on $int_if proto tcp from $gv to any port www flags S/SA keep state

#SMB
pass in on $ext_if proto tcp from $gpds to $webapp port {137,138,139} flags S/SA keep state
pass out on $int_if proto tcp from $webapp to $gpds port {137,138,139} flags S/SA keep state

#TT print
pass in on $ext_if proto tcp from $print to $webapp port 515 flags S/SA keep state
pass out on $int_if proto tcp from $webapp to $print port 515 flags S/SA keep state


Ok, im pretty sure theres a lot wrong with this, so if people wouldnt mind pointing me towards correctness, Id really appreciate it