pf防火牆nat注意

在ext_if上做nat
no nat on $ext_if from ($ext_if) to any
nat on $ext_if from any to any -> ($ext_if)


# xxx order (讓ctlgp裡的人可以用80 443連到xxx_gw)
rdr on $int_if proto tcp from to ($int_addr) port 80 -> $xxx_gw
rdr on $int_if proto tcp from to ($int_addr) port 443 -> $xxx_gw

# ccc order to xxx()
rdr on $int_if proto tcp from $ccc_mobileb to ($int_addr) port $xxxport1 -> $xxx_gw port 80
rdr on $int_if proto tcp from $ccc_mobileb to ($int_addr) port $xxxport2 -> $xxx_gw port 443




#for ccc rdr order
pass in log on $int_if proto tcp from $ccc_mobileb to { $xxx_gw } port { $xxx_gw_port1 $xxx_gw_port2 } flags S/SA keep state (tcp.established 600)
pass out log on $ext_if proto tcp from ($ext_if) to { $xxx_gw } port { $xxx_gw_port1 $xxx_gw_port2 } flags S/SA keep state (tcp.established 600)

注意pass out部份，因為ext_if有做nat，所以tcp from 就要從(ext_if)到($xxx_gw)這樣才會通