I must say that thanks to your help on this list I've finally managed to get it working. I have bought FreeBSD CD sets in the past as a means to donate and I intend to buy 5.0 sets now because I believe strongly in open source software.
Well it was also thanks to some pf.conf samples I found online from 4.7 and 4.8.

http://mouedine.net/ruleset49.aspx
http://serverfault.com/questions/175405/help-me-upgrade-my-pf-conf-for-openbsd-4-7

The only thing I have yet to solve is the ftp-proxy redirection. Here is my current ruleset. Here's my current pfctl -vf output.

block drop all
pass in quick on vic0 inet proto tcp from any to 10.220.100.0/24 port = 1022 flags S/SA keep state label "PassInMGMTSSH"
pass in quick on vic0 inet proto tcp from any to 10.220.100.0/24 port = ssh flags S/SA keep state label "PassInMGMTSSH"
pass out quick on vic0 inet proto tcp from 10.220.100.0/24 to any port = 1022 flags S/SA keep state label "PassOutMGMTSSH"
pass out quick on vic0 inet proto tcp from 10.220.100.0/24 to any port = ssh flags S/SA keep state label "PassOutMGMTSSH"
pass on vic0 proto udp from any to any port = domain keep state label "PassMGMTDNS"
pass on vic0 inet proto icmp all icmp-type echorep keep state label "PassMGMTICMP"
pass on vic0 inet proto icmp all icmp-type echoreq keep state label "PassMGMTICMP"
pass on vic0 inet proto icmp all icmp-type unreach keep state label "PassMGMTICMP"
pass quick on vic2 proto carp all keep state label "CUST-PassCarp"
pass quick on vic3 proto carp all keep state label "CUST-PassCarp"
pass in on vic2 inet proto icmp from any to 50.50.50.0/24 icmp-type echoreq keep state label "CUST-PingOut"
pass in on vic2 inet proto icmp from any to 50.50.50.0/24 icmp-type echorep keep state label "CUST-PingOut"
pass in on vic2 inet proto icmp from any to 50.50.50.0/24 icmp-type unreach keep state label "CUST-PingOut"
pass in on vic3 inet proto icmp from 10.221.181.0/24 to 10.221.181.10 icmp-type echoreq keep state label "CUST-PingIn"
pass in on vic3 inet proto icmp from 10.221.181.0/24 to 10.221.181.10 icmp-type echorep keep state label "CUST-PingIn"
pass in on vic3 inet proto icmp from 10.221.181.0/24 to 10.221.181.10 icmp-type unreach keep state label "CUST-PingIn"
match out on vic2 inet from 10.221.181.10 to any nat-to (vic2) round-robin
match in on vic2 proto tcp from any to any port = smtp rdr-to <CUST_FrontendPool> round-robin
match in on vic2 proto tcp from any to any port = www rdr-to <CUST_FrontendPool> round-robin
match in on vic2 proto tcp from any to any port = ssh rdr-to <CUST_FrontendPool> round-robin
match in on vic2 proto tcp from any to any port = 5222 rdr-to <CUST_FrontendPool> round-robin
pass in on vic2 inet proto tcp from any to 10.221.181.21 port = smtp flags S/SA keep state
pass in on vic2 inet proto tcp from any to 10.221.181.21 port = www flags S/SA keep state
pass in on vic2 inet proto tcp from any to 10.221.181.21 port = ssh flags S/SA keep state
pass in on vic2 inet proto tcp from any to 10.221.181.21 port = 5222 flags S/SA keep state
pass in on vic2 inet proto tcp from any to 10.221.181.22 port = smtp flags S/SA keep state
pass in on vic2 inet proto tcp from any to 10.221.181.22 port = www flags S/SA keep state
pass in on vic2 inet proto tcp from any to 10.221.181.22 port = ssh flags S/SA keep state
pass in on vic2 inet proto tcp from any to 10.221.181.22 port = 5222 flags S/SA keep state
pass out on vic2 all flags S/SA keep state
pass on vic3 all flags S/SA keep state
anchor "ftp-proxy/*" all
pass in quick inet proto tcp from any to any port = ftp flags S/SA keep state rdr-to 127.0.0.1 port 8021
pass out inet proto tcp from 127.0.0.1 to any port = ftp flags S/SA keep state

All of this works sans the ftp-proxy, it is listening on 8021 and I get no errors in the syslog. Just a message that it started. If I tcpdump -i lo0 I get no packets at all. I do see packets coming in on the internal interface.

