Done. Thanks for that.
Now...
If the world-facing interface is xl0, and the LAN interface is xl1, what pf.conf rdr statement would I need to port 80 requests from the outside world a server on the internal LAN? I read the pf manual (alright, I skimmed it) and found an example config in there that would supposedly do this. I put the line in my pf.conf file and reloaded the conf (pfctl -f /etc/pf.conf), but it's not working.
Here's my current pf.conf...
zephyr# cat pf.conf
# $OpenBSD: faq-example1,v 1.2 2003/08/06 16:04:45 henning Exp $
#
# Firewall for Home or Small Office
#
http://www.openbsd.org/faq/pf/example1.html
#
# macros
int_if = "xl1"
ext_if = "xl0"
wwwserv = "192.168.1.127"
tcp_services = "{ 22, 113, 80 }"
icmp_types = "echoreq"
priv_nets = "{ 127.0.0.0/8, 192.168.1.0/24 }"
# options
set block-policy return
set loginterface $ext_if
# scrub
scrub in all
# nat/rdr
nat on $ext_if from $int_if:network to any -> ($ext_if)
# ADDED THE FOLLOWING LINE TO FORWARD WWW TRAFFIC TO INTERNAL SERVER
rdr on $ext_if proto tcp from any to any port 80 -> 192.168.1.127 \
port 80
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 \
port 8021
# filter rules
block all
pass quick on lo0 all
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets
pass in on $ext_if inet proto tcp from any to ($ext_if) \
port $tcp_services flags S/SA keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
zephyr#