The redirection doesn't work on $ext_if because the SYN from the client to port 80 just doesn't pass $ext_if (in plain, it arrives ssh encapsulated).

Redirection on lo0 is tricky, as the SYN will first go out on lo0 (where the rdr doesn't apply, rdr only applies to incoming connections). But it will then also come in on lo0, and the rdr might apply. But changing the destination address at that point will not cause a re-routing to the internal server. You could try using state-policy if-bound and a 'pass out on lo0 route-to $int_if keep state' rule. But it's going to take some debugging until it works (if you get it to work at all).

Why don't you just use 'ssh -L 8000:server:80 router' and point the client's browser to 127.0.0.1:8000, so the connection gets tunneled over ssh to the remote server?

Daniel
