> rdr pass on $extif proto tcp from any to any port 21 -> 127.0.0.1 port 8021

This makes inbound packets destined to port 21 on your box go to the proxy. But they'll be blocked because you don't have a pass rule anywhere to allow them.

> block drop in log quick on $extif from $privnets to any

This blocks all DHCP traffic, given that your ISP is using RFC 1918 addresses internally (10.x). Stop trying to drop this traffic, at least for 10/8.

> pass out quick log on $extif proto udp from ($extif) port 68 to $dhcp
> port 67 keep state
>
> pass in quick log on $extif proto udp from ($dhcp) port 67 to ($extif)
> port 68 keep state

That's not the best way to deal with DHCP. Remember when you start up, you don't have an IP, so your packets will be coming from 0.0.0.0! And they will be sent to the local-broadcast address 255.255.255.255. When your ISP's DHCP server responds, that will be the first "real" address in the exchange, and that's a 10/8.

All in all, you need to just bite the bullet and put a:

pass out quick on $ext_if all keep state

somewhere in there; it will make life much easier.

The rdr rule won't do what you want. You're trying to munge the destination IP on an outbound packet. rdr munges the destination IP on inbound packets. nat munges the source IP on outbound packets. Nothing pf can do does what you want.

BTW, quick rules are fine, continue to use them. Only use non-quicks if you can't avoid it.

PS: Your bridging firewall will make remotely administering your firewall difficult, if not impossible IIUC. For example, how would you download a program you need (answer: you can't)? How would you update the firewall rules (answer: on the console)? How would you remote-log, or keep your clock accurate, or do anything with the box? How would you read the email that gets sent to root (answer: console again). Sounds like a major PITA if you ask me.

--
Security Guru for Hire
http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484
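A pf.conf fragment written for this page to apply the advice in the reply above; it is not part of the original message. Interface, server address and macro names are placeholders, 10/8 is left out of $privnets as the reply recommends, and the pre-lease exchange (0.0.0.0 to 255.255.255.255) gets its own rules because the state created by a stateful outbound rule would not match a reply the server broadcasts.

```pf
# Added example, not from the original post. Macro values are placeholders.
ext_if   = "fxp0"
dhcp     = "10.0.0.1"                   # constructed: ISP's DHCP server (a 10/8 host)
privnets = "{ 127.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"   # 10/8 deliberately omitted

# Before a lease exists the client has no address: DISCOVER/REQUEST leave as
# 0.0.0.0:68 -> 255.255.255.255:67. 'quick' so nothing later can override it.
pass out quick log on $ext_if inet proto udp \
    from 0.0.0.0 port 68 to 255.255.255.255 port 67 keep state

# OFFER/ACK may come back broadcast, which the state above does not match
# (pf expects the reply to be addressed to 0.0.0.0), so allow it explicitly.
pass in quick log on $ext_if inet proto udp \
    from $dhcp port 67 to 255.255.255.255 port 68 keep state
# ...and unicast to the address we now hold (renewals use this path too).
pass in quick log on $ext_if inet proto udp \
    from $dhcp port 67 to ($ext_if) port 68 keep state

# The reply's "bite the bullet" rule: all outbound traffic, statefully.
pass out quick on $ext_if all keep state

# Remaining RFC 1918 sources are still dropped; the 10/8 DHCP server was
# matched by the quick rules above, so this no longer breaks the lease.
block drop in log quick on $ext_if from $privnets to any
```

Check the rule set with `pfctl -nf /etc/pf.conf` before loading it; a syntax error in a quick rule leaves the old set in place.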
