basic filtering, NAT


  services = "{ ssh, smtp, domain, www, pop3, pop3s }"
  block
  pass out on egress nat-to (egress)
  pass in on egress proto tcp to 10.0.0.1 port $services
  pass in on egress proto tcp to port 8022 \ 
    rdr-to 10.0.0.1 port 22