Hi
In our workplace we have over 24 computers, all of them running Windows, and I have a NAT server. This NAT server runs FreeBSD 8.2 AMD64, and I use PF on FreeBSD 8.2 for NAT. After much searching on Google I found this pf.conf:

====================================================
ns# cat  /usr/local/pf/pf.conf
# $FreeBSD: src/share/examples/pf/faq-example1,v 1.1 2004/09/14 01:07:18 mlaier Exp $
# $OpenBSD: faq-example1,v 1.2 2003/08/06 16:04:45 henning Exp $
# Edited by: mfaridi

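################################ MACROS ############################################################

# Interfaces: sk0 faces the ISP, re0 faces the office LAN.
ext_if          = "sk0"
int_if          = "re0"
# NOTE(review): External_net, Local_Web, Local_Srv and Prtcol are not referenced
# by any rule in this file; Local_net appears only in a commented-out nat rule.
External_net    = "10.10.10.192/27"
Local_net       = "192.168.0.0/24"
Local_Web       = "192.168.0.10"
Local_Srv       = "192.168.0.1"
Prtcol          = "{ tcp, udp }"
# Admin_IP is only used by the commented-out rdr rules further down.
Admin_IP        = "{ 10.10.10.192/27, 11.11.11.0/21, 12.12.12.0/18 }"
# ICMP_Types is defined but no rule in this file uses it.
ICMP_Types      = "{ echorep, unreach, squench, echoreq, timex }"

#Define ports for common internet services
#TCP_SRV = "{ 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 8443 }"
#UDP_SRV         = "{ 53 }"
# None of the port macros below is referenced by a rule in this file.
TCP_SRV         = "{ 80, 443 }"
# UDP_SRV is an empty list; a rule that expands it would most likely fail to
# parse -- fill it in (or remove it) before using it.
UDP_SRV         = "{ }"
Samba_TCP       = "{ 139, 445 }"
Samba_UDP       = "{ 137, 138 }"


# Public addresses (all inside 10.10.10.192/27). SERVER is only used by the
# commented-out catch-all nat and rdr rules; NAT22..NAT25 are never used.
SERVER          = "10.10.10.200"
NAT1            = "10.10.10.194"
NAT2            = "10.10.10.195"
NAT3            = "10.10.10.196"
NAT4            = "10.10.10.197"
NAT5            = "10.10.10.198"
NAT6            = "10.10.10.199"
NAT7            = "10.10.10.201"
NAT8            = "10.10.10.202"
NAT9            = "10.10.10.203"
NAT10           = "10.10.10.204"
NAT11           = "10.10.10.205"
NAT12           = "10.10.10.206"
NAT13           = "10.10.10.207"
NAT14           = "10.10.10.208"
NAT15           = "10.10.10.209"
NAT16           = "10.10.10.210"
NAT17           = "10.10.10.211"
NAT18           = "10.10.10.212"
NAT19           = "10.10.10.213"
NAT20           = "10.10.10.214"
NAT21           = "10.10.10.215"
NAT22           = "10.10.10.216"
NAT23           = "10.10.10.217"
NAT24           = "10.10.10.218"
NAT25           = "10.10.10.219"

#### All IP of Groups which can be connect to Internet
# Each group is a set of LAN hosts that shares one public address in the
# TRANSLATION section. A LAN host that is in none of these lists is matched
# by no nat rule at all.
paltalk1        = "{ 192.168.0.20, 192.168.0.21, 192.168.0.22 }"
paltalk2        = "{ 192.168.0.23, 192.168.0.24, 192.168.0.25 }"
paltalk3        = "{ 192.168.0.26, 192.168.0.27, 192.168.0.28, 192.168.0.29 }"
webdsgn1        = "{ 192.168.0.30, 192.168.0.31, 192.168.0.32 }"
webdsgn2        = "{ 192.168.0.33, 192.168.0.34, 192.168.0.35 }"
webdsgn3        = "{ 192.168.0.36, 192.168.0.37, 192.168.0.38 }"
webdsgn4        = "{ 192.168.0.39, 192.168.0.40, 192.168.0.41 }"
webdsgn5        = "{ 192.168.0.42, 192.168.0.43, 192.168.0.44 }"
webdsgn6        = "{ 192.168.0.45, 192.168.0.46, 192.168.0.47 }"
webdsgn7        = "{ 192.168.0.48, 192.168.0.49, 192.168.0.50 }"
webdsgn8        = "{ 192.168.0.51, 192.168.0.52, 192.168.0.53, 192.168.0.54 }"
rased1          = "{ 192.168.0.60, 192.168.0.61, 192.168.0.62 }"
rased2          = "{ 192.168.0.63, 192.168.0.64, 192.168.0.65 }"
rased3          = "{ 192.168.0.66, 192.168.0.67, 192.168.0.68 }"
rased4          = "{ 192.168.0.69, 192.168.0.70 }"
# rased5..rased8 were collapsed onto a single line in the posted copy; pf.conf
# takes one macro definition per line, so they are restored here one per line.
rased5          = "{ 192.168.0.200, 192.168.0.201, 192.168.0.202, 192.168.0.203, 192.168.0.204, 192.168.0.205 }"
rased6          = "{ 192.168.0.206, 192.168.0.207, 192.168.0.208, 192.168.0.209, 192.168.0.210, 192.168.0.211 }"
rased7          = "{ 192.168.0.212, 192.168.0.213, 192.168.0.214, 192.168.0.215, 192.168.0.216, 192.168.0.217 }"
rased8          = "{ 192.168.0.218, 192.168.0.219, 192.168.0.220, 192.168.0.221, 192.168.0.222, 192.168.0.223, 192.168.0.224, 192.168.0.225 }"
admin1          = "{ 192.168.0.55, 192.168.0.56, 192.168.0.57 }"
admin2          = "{ 192.168.0.58, 192.168.0.59 }"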

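############################### TABLES ############################################################

#Define privileged network address sets
# NOTE(review): no rule in this file references any of these tables, so they
# currently have no effect. Also, 192.168.0.0/16 covers the office LAN itself,
# 13.13.0.0/12, 14.14.0.0/16 and 15.15.15.0/23 are publicly routable space
# (not the usual private/bogon ranges), and 15.15.15.0/23 has host bits set
# (a /23 needs an even third octet) -- verify this list before using it in a
# block rule. The line continuation was mangled in the posted copy; restored.
table <priv_nets> const { 127.0.0.0/8, 192.168.0.0/16, 13.13.0.0/12, 10.0.0.0/8, 0.0.0.0/8, \
                          14.14.0.0/16, 192.0.2.0/24, 15.15.15.0/23, 224.0.0.0/3 }
# "persist file" tables are loaded from the named files at rule load time; the
# files must exist (an empty file is fine) or the load is expected to fail.
table <badguys> persist file "/usr/local/pf/Network/blocklist.lst"
table <hackers> persist file "/usr/local/pf/Network/hackers.lst"

#Define Favoured client hosts
table <Admin>   persist file "/usr/local/pf/Network/Admin.lst"
table <Paltalk> persist file "/usr/local/pf/Network/Paltalk.lst"
table <WebDsgn> persist file "/usr/local/pf/Network/WebDsgn.lst"
table <Rased>   persist file "/usr/local/pf/Network/Rased.lst"
# "self" expands to every address configured on this host's interfaces.
table <LocalHost> const { self }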

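############################### OPTIONS ############################################################
#Default behaviour
set timeout { interval 10, frag 30 }
# Established TCP states live for 24h (86400s) once created.
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
# Adaptive timeouts scale state lifetimes down as the state table fills; pf's
# defaults are start 6000 / end 12000 against the 10000-state limit below.
# The posted file set both to 0, which disables the mechanism entirely. With
# 24h TCP states and 20+ hosts the table can fill; once it is full, new
# connections are refused (silently, under block-policy drop) until the rules
# are reloaded -- which matches the "works again after reboot / pf disable-
# enable" symptom. Compare "current entries" against the limit in `pfctl -si`
# when the problem occurs to confirm.
set timeout { adaptive.start 6000, adaptive.end 12000 }
set limit { states 10000, frags 5000 }
set loginterface $ext_if
set optimization normal
# Dropped packets are discarded without an ICMP/RST reply.
set block-policy drop
set require-order yes
set fingerprints "/etc/pf.os"
set skip on lo0
#set state-policy if-bound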


############################### TRAFFIC NORMALIZATION ##############################################
#Filter traffic for unusual packets
# Reassembles fragments and normalizes every incoming packet on every
# interface. This is the FreeBSD 8.2 (pf 4.1-era) form; on OpenBSD 5.x scrub
# is an option of a "match" rule instead (e.g. "match in all scrub (no-df)"),
# so this line has to be rewritten when the file is moved -- check pf.conf(5)
# on the target release.
scrub in all


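############################### TRANSLATION ######################################################

#NAT for the external traffic
#Mask internal ip addresses with actual external ip address
#nat pass on $ext_if from $Local_net to any -> $SERVER

# One public address per office group, so the remote service sees at most one
# group's hosts behind each IP. nat rules are first-match; the catch-all above
# is commented out, so a LAN host that is in none of the group macros matches
# no rule and leaves $ext_if with its private source address untranslated.
# Every $NATn used here must be an address this host answers for on $ext_if
# (an alias on sk0) -- assumed, not visible in this file.
# "pass" on a nat rule means translated packets skip the filter rules.
# OpenBSD 5.x spells each of these as
#   match out on $ext_if from $paltalk1 to any nat-to $NAT1
# plus a pass rule, since "match" alone does not pass traffic.
nat pass on $ext_if from $paltalk1 to any -> $NAT1
nat pass on $ext_if from $paltalk2 to any -> $NAT2
nat pass on $ext_if from $paltalk3 to any -> $NAT3
nat pass on $ext_if from $webdsgn1 to any -> $NAT4
nat pass on $ext_if from $webdsgn2 to any -> $NAT5
nat pass on $ext_if from $webdsgn3 to any -> $NAT6
nat pass on $ext_if from $webdsgn4 to any -> $NAT7
nat pass on $ext_if from $webdsgn5 to any -> $NAT8
nat pass on $ext_if from $webdsgn6 to any -> $NAT9
nat pass on $ext_if from $webdsgn7 to any -> $NAT10
nat pass on $ext_if from $webdsgn8 to any -> $NAT11
nat pass on $ext_if from $rased1   to any -> $NAT12
nat pass on $ext_if from $rased2   to any -> $NAT13
nat pass on $ext_if from $rased3   to any -> $NAT14
nat pass on $ext_if from $rased4   to any -> $NAT15
nat pass on $ext_if from $rased5   to any -> $NAT16
nat pass on $ext_if from $rased6   to any -> $NAT17
nat pass on $ext_if from $rased7   to any -> $NAT18
nat pass on $ext_if from $rased8   to any -> $NAT19
nat pass on $ext_if from $admin1   to any -> $NAT20
nat pass on $ext_if from $admin2   to any -> $NAT21


# Disabled inbound redirects (VNC and SSH from $Admin_IP). The two rules were
# collapsed onto one line in the posted copy, which hid the second inside the
# first one's comment; restored as two separate comment lines.
#rdr on $ext_if proto tcp from $Admin_IP to $SERVER port 5900 -> 192.168.0.100 port 5900
#rdr on $ext_if proto tcp from $Admin_IP to $SERVER port 2222 -> 192.168.0.50 port 22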

############################### PACKET FILTERING #################################################

# Default Rule
# Passes every packet in both directions on both interfaces and keeps state.
# Nothing is blocked: any service listening on this host (on its own or its
# public alias addresses) is reachable from the Internet, and the
# <badguys>/<hackers>/<priv_nets> tables defined above are never consulted.
# If the goal is "NAT only, no policy", the smallest defensive alternative that
# keeps outbound NAT working is "block in on $ext_if" followed by "pass out"
# and "pass in on $int_if"; the rule is left unchanged here.
pass quick on { $ext_if, $int_if } all keep state




# End of File: pf.conf
===========================================================================================================================
I have 27 valid (static) IPs.
All users in my workplace use Paltalk. Paltalk is a messenger like Yahoo Messenger, used for voice chat, and like Yahoo it has many rooms for voice chat. But the Paltalk servers do not let users log in to more than three different rooms from one valid (static) IP: from one IP only three computers can log in to the Paltalk server and use it. So we got 27 valid (static) IPs from our ISP, I put all of them in my pf.conf, and I set up many NAT lines in it. But I think my pf.conf has a problem and I do not know why: sometimes some users in the workplace cannot use the Internet. When they open Firefox and start browsing web pages they see an error, but while they cannot browse, their Paltalk messenger is on and they have voice chat; only web browsing fails. The problem goes away when I reboot the server or disable and re-enable PF, but after a day or more it happens again, and some users cannot browse web pages with Firefox or any other browser while they can still voice chat. Sometimes the opposite happens: users can browse web pages but cannot chat with Paltalk messenger, and I have to reboot the server or disable and re-enable PF.

My knowledge of PF is not great;
I found this pf.conf on the Internet and built it up through many tests.

I want to do only NAT with PF; I do not want to block ports or apply any other policy. I want PF only for NAT.
Please help me solve this problem.


After searching Google I understand that the PF version in FreeBSD 8.2 is very old, so I want to use OpenBSD 5 for the NAT server instead. But after more searching I understand that NAT configuration in the old PF is quite different from the new PF, and I know the new PF is in OpenBSD 5.

Please help me use my pf.conf in OpenBSD 5.
Can I use this pf.conf in OpenBSD 5 or not?
Did I make a mistake in my pf.conf?



Please help me build the best PF configuration for NAT with OpenBSD 5.

thanks
