I keep looking at the rules and finally decided to rewrite some of them.
This may not fix the issue you are having with openvpn tho. The issue with
that is most likely the passing out rules. This rule is kinda written wierd
and I suggest just removing it and passing everything out and verifying if
that is the cause. The problem is many connections that the host will open
is opened at the high end ports, I believe it was around 40000:65535. I
could be wrong tho and hope someone corrects my errors if so.

> # Pass out only the desired ports from host and jails
> pass inet proto tcp from {self, $jailnet, $vpnnet} to any port
$tcp_services $tcpstate
> pass inet proto udp from {self, $jailnet, $vpnnet} to port $udp_services
$udpstate

If ur still having issues with openvpn, with this ruleset, then first, try
changing the block all rule to block on ext_if. This will determine if a
pass rule internally is the cause.

> block all
block on $ext_if all

Going to CC freebsd-pf@freebsd.org I hope this helps

Ultima


#
# Required order: macros, options, normalization, queueing,
# translation, filtering.
# Note: translation rules are first match while filter rules are last match.

# Macros
ext_if="vtnet0"
ext_gateway="10.0.0.1"
int_if = "lo1"
vpn_if = "tun0"
jailnet = "10.0.0.0/8"
vpnnet="10.8.0.0/8"
icmp_types="{echoreq, unreach}"
#IPV6 ICMP types:
# packet to big and echo request type ping
# Neighbor Discovery Protocol (NDP) (types 133-137):
#   Router Solicitation (RS), Router Advertisement (RA)
#   Neighbor Solicitation (NS), Neighbor Advertisement (NA)
#   Route Redirection
icmp6_types="{ 2, 128, 133, 134, 135, 136, 137 }"
#synstate="flags S/SA synproxy state (max-src-conn 15, max-src-conn-rate
5/3, overload <bruteforce> flush global)"
tcpstate="flags S/SA modulate state"
udpstate="keep state"

# allowed traffic
tcp_services="{7, ftp-data, ftp, ssh, smtp, 43, domain, bootps, bootpc,
http, imap, https, submission, imaps, 2703}"
udp_services="{7, ftp-data, ftp, ssh, smtp, 43, domain, bootps, bootpc,
http, ntp, imap, https, submission, imaps, 1194, 3690, 6277, 24441, 4500,
500, 50, 51}"

# Name and IP of jails
webmail="10.0.0.15"
# Name and IP of jailed ssh servers
jssh1="10.0.0.15"
jssh2="10.0.0.16"
jssh3="10.0.0.17"
jssh4="10.0.0.18"
jssh1_tcp="2220"
jssh2_tcp="2221"
jssh3_tcp="2222"
jssh4_tcp="2223"
# The Asterisk Server
asterisk="10.0.0.17"
asterisk_tcp="5060:5061"
asterisk_udp="5060, 10000:10500"
# The vpn server
vpn="10.8.0.1"

# Options
# block-policy can be either drop or return
set block-policy drop
set optimization conservative
set skip on lo0

# Normalization
# normalize all incoming traffic. Set ttl 254: limits mapping of hosts
behind
# firewall. Set random-id to help same.
# Set mss to ATM network frame size for easy splitting upstream.
scrub on $ext_if all random-id min-ttl 254 max-mss 1452 reassemble tcp
fragment reassemble

# NAT
nat on $ext_if from $jailnet to any -> ($ext_if) static-port
nat on $ext_if from $vpnnet to any -> ($ext_if)

# Redirect any packets requesting ports 2220, 2221, 2222, or 2223 to jailed
ssh servers
# External redirect & reflect for internal hosts
# Note, the -> $ip port $port is only required for port triggering.
rdr on { $ext_if, $int_if } inet proto tcp to { ($ext_if), ($int_if) } port
{ $jssh1_tcp } tag jssh1 -> $jssh1
rdr on { $ext_if, $int_if } inet proto tcp to { ($ext_if), ($int_if) } port
{ $jssh2_tcp } tag jssh2 -> $jssh2
rdr on { $ext_if, $int_if } inet proto tcp to { ($ext_if), ($int_if) } port
{ $jssh3_tcp } tag jssh3 -> $jssh3
rdr on { $ext_if, $int_if } inet proto tcp to { ($ext_if), ($int_if) } port
{ $jssh4_tcp } tag jssh4 -> $jssh4

# Redirect traffic to the vpn server
# External redirect
rdr on { $ext_if, $int_if } inet proto { tcp, udp } to { ($ext_if),
($int_if) } port 1194 tag vpn -> $vpn

# Redirect traffic to the asterisk server
# SIP on UDP and tcp port 5060, tcp 5061 for secure signaling.
# RTSP ports 10000 to 10500
rdr on $ext_if inet proto udp to any port { $asterisk_udp } tag
asterisk_udp -> $asterisk
rdr on $ext_if inet proto tcp to any port { $asterisk_tcp } tag
asterisk_tcp -> $asterisk

# Tables
table <bruteforce> persist file "/etc/pf/bruteforce"
table <droplasso> persist file "/etc/pf/pf.drop.lasso.conf"
table <fail2ban> persist file "/etc/pf/fail2ban"
table <martians> persist file "/etc/pf/martians"
# The ZeuS blocklist of c&c servers
table <ZeuS> persist file "/etc/pf/ZeuS"
# The malwaredomain ip block list
table <malwaredomain> persist file "/etc/pf/malwaredomain"
# Table of selected country IP addresses
table <blocked_countries> persist file "/etc/pf/blocked_countries"
# Table of apache mod_evasive blocks
table <evasive> persist file "/etc/pf/evasive"

antispoof for { $ext_if, $int_if }

# Start by blocking by default
block all

# Block anything in the blocked_countries table first
block in quick from <blocked_countries>

# Block nmap scans
block in quick on $ext_if inet proto tcp from any to any flags FUP/FUP

# Explicitly block unroutable addresses
block drop in quick on $ext_if from <martians> to any
block drop out quick on $ext_if from any to <martians>

# Explicitly block anything in the bruteforce table
block in quick from <bruteforce>

# Explicitly block anything in the fail2ban table
block in quick from <fail2ban>

# Explicitly block anything in the droplasso table
block in quick from <droplasso>

# Explicitly block anything in the ZeuS table
block in quick from <ZeuS>

# Explicitly block anything in the malwaredomain table
block in quick from <malwaredomain>

# Block anything in the evasive table
block in quick from <evasive>

# allow ping and host unreach
pass inet proto icmp icmp-type $icmp_types keep state

# Traceroute
# allow out the default range for traceroute(8):
  # ”base+nhops*nqueries-1” (33434+64*3-1)
pass inet proto udp to port 33433:33626 # For IPv4

# Pass out only the desired ports from host and jails
pass inet proto tcp from {self, $jailnet, $vpnnet} to any port
$tcp_services $tcpstate
pass inet proto udp from {self, $jailnet, $vpnnet} to port $udp_services
$udpstate

 # Allow ssh connections in from the internet
pass in inet proto tcp from any to ($ext_if) port ssh \
flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload
<bruteforce> flush global)
# Pass in ssh traffic to the jails
# pass rules for nat redirect
pass in on $ext_if reply-to ( $ext_if $ext_gateway ) proto tcp tagged jssh1
jssh2 jssh3 jssh4 \
flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload
<bruteforce> flush global)
pass in on $int_if inet proto tcp tagged jssh1 jssh2 jssh3 jssh4 flags S/SA
keep state

# Pass traffic to the vpn
pass in on $ext_if reply-to ( $ext_if $ext_gateway ) proto { tcp, udp }
tagged vpn $udpstate
pass in on $int_if inet proto { tcp, udp } tagged vpn $udpstate
pass out on tun0 keep state
#pass quick on tun0 all keep state

# Pass in smtp, http, https, submission, imaps traffic from the internet
pass in inet proto tcp to $ext_if port { 25, 80, 443, 587, 993 } \
flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload
<bruteforce> flush global)

# pass traffic from the asterisk server
pass inet proto tcp tagged asterisk_tcp keep state
pass inet proto udp tagged asterisk_udp keep state

On Wed, Apr 19, 2017 at 11:06 AM, David Mehler <dave.meh...@gmail.com>
wrote:

> Hi,
>
> Thanks. Still no go on the vpn.In answer to your questions:
>
> > pass inet proto tcp from {self, $jailnet, $vpnnet} to any port
>
> > $tcp_services $tcpstate
>
> > pass inet proto udp from {self, $jailnet, $vpnnet} to port
>
> > $udp_services $udpstate
>
>
>
>
> I've got only a selected list of ports that I want in or out,
> everything else should be blocked.
>
> I tried commenting out the pass quick on tun0 all and replaced it with
> set skip on tun0 no joy.
>
> I took out the second nat line on the vpnnet as of now I'm wanting to
> keep the jailnet and the vpnnet ranges the same, though if this issue
> doesn't soon resolve I might change that idea.
>
>
> > pass in inet proto tcp to $jssh2 port 2221 flags S/SA keep state
> (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush
>
>
>
> global)
>
> > pass inet proto tcp to $jssh2 port 2221 flags S/SA keep state
>
>
> What I wanted to achieve with this was nat reflection, external
> connections to these hosts worked fine on the desired ports, but on
> the host itself if I tried to do an ssh to one of my jails port 2220
> it failed, these rules corrected that.
>
> Right now I'll settle for working.
>
> Thanks.
> Dave.
>
> On 4/19/17, Ultima <ultima1...@gmail.com> wrote:
> > After a full look, I suspect this being a problem entry.
> >
> >> # Pass out only the desired ports from host and jails
> >> pass inet proto tcp from {self, $jailnet, $vpnnet} to any port
> >> $tcp_services $tcpstate
> >> pass inet proto udp from {self, $jailnet, $vpnnet} to port
> >> $udp_services $udpstate
> >
> > Try commenting them and adding pass out all or pass inet proto { tcp,
> udp }
> > any and see if that works.
> >
> >
> >> pass quick on tun0 all keep state
> > This is another problem area, but probably not the cause. The quick is
> > probably not handled as you are expecting. Pf reads the filtering rules
> in
> > priority from bottom to top bottom being highest priority to top being
> > lowest priority. When quick is added, this is more or less reversed for
> the
> > rule and because its near the bottom it has a lower priority. In general
> > the "quick" directive can make pf very confusing and a ruleset harder to
> > read so other than the top blocking entires with quick, I suggest never
> > using it, or use it for all filters and make it simple the opposite way.
> >
> >
> >> jailnet = "10.0.0.0/8"
> >> vpnnet="10.8.0.0/8"
> > One thing I noticed is that the subnet chosen is an /8 subnet. Because of
> > this, the entire 10.* address space applies to jailnet making all
> jailnet +
> > vpnnet entries redundant. This also allows all addresses to communicate,
> at
> > least if pf isn't filtering them. Usually segmenting the subnet is
> desired
> > to limit communication between them.
> >
> >> pass quick on lo0 all
> > Why not just skip on lo0?
> >
> >
> >> pass in inet proto tcp to $jssh2 port 2221 flags S/SA keep state
> > (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush
> > global)
> >> pass inet proto tcp to $jssh2 port 2221 flags S/SA keep state
> > Why does this nearly duplicate rules exist?
> >
> >
> > Optimizing pf is fun, but one thing that is important to remember is the
> > more rules added, the more cycles used per packet. This is typically not
> > noticed on a small deployments but it can become huge issue if grown.
> >
> > On Tue, Apr 18, 2017 at 4:20 PM, David Mehler <dave.meh...@gmail.com>
> > wrote:
> >
> >> Hello Ultima,
> >>
> >> Thank you for your reply. Thanks for the information, I'm liking the
> >> new way the rules are looking. Unfortunately, still no go on the vpn.
> >> Everything else is working, just not the vpn.
> >>
> >> Thanks.
> >> Dave.
> >> PS, here's my rules as they stand now.
> >>
> >> pf.conf:
> >> #
> >> # Required order: macros, options, normalization, queueing,
> >> # translation, filtering.
> >> # Note: translation rules are first match while filter rules are last
> >> match.
> >>
> >> # Macros
> >> ext_if="vtnet0"
> >> int_if = "lo1"
> >> vpn_if = "tun0"
> >> jailnet = "10.0.0.0/8"
> >> vpnnet="10.8.0.0/8"
> >> icmp_types="{echoreq, unreach}"
> >> #IPV6 ICMP types:
> >> # packet to big and echo request type ping
> >> # Neighbor Discovery Protocol (NDP) (types 133-137):
> >> #   Router Solicitation (RS), Router Advertisement (RA)
> >> #   Neighbor Solicitation (NS), Neighbor Advertisement (NA)
> >> #   Route Redirection
> >> icmp6_types="{ 2, 128, 133, 134, 135, 136, 137 }"
> >> #synstate="flags S/SA synproxy state (max-src-conn 15,
> >> max-src-conn-rate 5/3, overload <bruteforce> flush global)"
> >> tcpstate ="flags S/SA modulate state"
> >> udpstate ="keep state"
> >> voipports = "{5060, 5061, 10000:10500}"
> >>
> >> # allowed traffic
> >> tcp_services="{7, ftp-data, ftp, ssh, smtp, 43, domain, bootps,
> >> bootpc, http, imap, https, submission, imaps, 2703}"
> >> udp_services="{7, ftp-data, ftp, ssh, smtp, 43, domain, bootps,
> >> bootpc, http, ntp, imap, https, submission, imaps, 3690, 6277, 24441,
> >> 4500, 500, 50, 51}"
> >>
> >> # Name and IP of jails
> >> webmail="10.0.0.15"
> >> # Name and IP of jailed ssh servers
> >> jssh1="10.0.0.15"
> >> jssh2="10.0.0.16"
> >> jssh3="10.0.0.17"
> >> jssh4="10.0.0.18"
> >> # The Asterisk Server
> >> asterisk="10.0.0.17"
> >> # The vpn server
> >> vpn="10.8.0.1"
> >>
> >> # Options
> >> # block-policy can be either drop or return
> >> set block-policy drop
> >> set optimization conservative
> >> set skip on tun0
> >>
> >> # Normalization
> >> # normalize all incoming traffic. Set ttl 254: limits mapping of hosts
> >> behind
> >> # firewall. Set random-id to help same.
> >> # Set mss to ATM network frame size for easy splitting upstream.
> >> scrub on $ext_if all random-id min-ttl 254 max-mss 1452 reassemble tcp
> >> fragment reassemble
> >>
> >> # NAT
> >> nat on $ext_if from $jailnet to any -> ($ext_if) static-port
> >> nat on $ext_if from $vpnnet to any -> ($ext_if) static-port
> >>
> >> # Redirect any packets requesting ports 2220, 2221, 2222, or 2223 to
> >> jailed ssh servers
> >> # External redirect
> >> rdr on $ext_if inet proto tcp to $ext_if port 2220 -> $jssh1 port 2220
> >> # reflect for internal hosts
> >> rdr on $int_if inet proto tcp to $int_if port 2220 -> $jssh1 port 2220
> >>
> >> # External redirect
> >> rdr on $ext_if inet proto tcp to $ext_if port 2221 -> $jssh2 port 2221
> >> # reflect for internal hosts
> >> rdr on $int_if inet proto tcp to $int_if port 2221 -> $jssh2 port 2221
> >>
> >> # External redirect
> >> rdr on $ext_if inet proto tcp to $ext_if port 2222 -> $jssh3 port 2222
> >> # reflect for internal hosts
> >> rdr on $int_if inet proto tcp to $int_if port 2222 -> $jssh3 port 2222
> >>
> >> # External redirect
> >> rdr on $ext_if inet proto tcp to $ext_if port 2223 -> $jssh4 port 2223
> >> # reflect for internal hosts
> >> rdr on $int_if inet proto tcp to $int_if port 2223 -> $jssh4 port 2223
> >>
> >> # Redirect traffic to the vpn server
> >> # External redirect
> >> rdr on $ext_if inet proto { tcp, udp } to $ext_if port 1194 -> $vpn port
> >> 1194
> >> #rdr on $ext_if inet proto tcp from any to $ext_if port 1194 -> $vpn
> port
> >> 1194
> >> # reflect for internal hosts
> >> rdr on $int_if inet proto { tcp, udp } to $int_if port 1194 -> $vpn port
> >> 1194
> >> #rdr on $int_if inet proto tcp from any to $int_if port 1194 -> $vpn
> port
> >> 1194
> >>
> >> # Redirect traffic to the asterisk server
> >> # SIP on UDP and tcp port 5060, tcp 5061 for secure signaling.
> >> rdr on $ext_if inet proto { tcp, udp } to $ext_if port 5060 ->
> >> $asterisk port 5060
> >> #rdr on $ext_if inet proto tcp from any to any port 5060 -> $asterisk
> >> port
> >> 5060
> >> rdr on $ext_if inet proto tcp to $ext_if port 5061 -> $asterisk port
> 5061
> >> # RTSP ports 10000 to 10500
> >> rdr on $ext_if inet proto udp to $ext_if port 10000:10500 -> $asterisk
> >> port 10000:10500
> >>
> >> # Tables
> >> table <bruteforce> persist file "/etc/pf/bruteforce"
> >> table <droplasso> persist file "/etc/pf/pf.drop.lasso.conf"
> >> table <fail2ban> persist file "/etc/pf/fail2ban"
> >> table <martians> persist file "/etc/pf/martians"
> >> # The ZeuS blocklist of c&c servers
> >> table <ZeuS> persist file "/etc/pf/ZeuS"
> >> # The malwaredomain ip block list
> >> table <malwaredomain> persist file "/etc/pf/malwaredomain"
> >> # Table of selected country IP addresses
> >> table <blocked_countries> persist file "/etc/pf/blocked_countries"
> >> # Table of apache mod_evasive blocks
> >> table <evasive> persist file "/etc/pf/evasive"
> >>
> >> # for the spamd greylist/blacklist service
> >> # (not related to spamassassin's spamd daemon)
> >> #table <spamd> persist
> >> #table <spamd-white> persist
> >>
> >> antispoof for $ext_if
> >> antispoof for $int_if
> >>
> >> # Start by blocking by default
> >> block all
> >>
> >> # Block anything in the blocked_countries table first
> >> block in quick from <blocked_countries>
> >>
> >> # Block nmap scans
> >> block in quick on $ext_if inet proto tcp from any to any flags FUP/FUP
> >>
> >> # Explicitly block unroutable addresses
> >> block drop in quick on $ext_if from <martians> to any
> >> block drop out quick on $ext_if from any to <martians>
> >>
> >> # Explicitly block anything in the bruteforce table
> >> block in quick from <bruteforce>
> >>
> >> # Explicitly block anything in the fail2ban table
> >> block in quick from <fail2ban>
> >>
> >> # Explicitly block anything in the droplasso table
> >> block in quick from <droplasso>
> >>
> >> # Explicitly block anything in the ZeuS table
> >> block in quick from <ZeuS>
> >>
> >> # Explicitly block anything in the malwaredomain table
> >> block in quick from <malwaredomain>
> >>
> >> # Block anything in the evasive table
> >> block in quick from <evasive>
> >>
> >> # pass everything on the loopback interface
> >> pass quick on lo0 all
> >>
> >> # allow ping and host unreach
> >> pass inet proto icmp icmp-type $icmp_types keep state
> >>
> >> # Traceroute
> >> # allow out the default range for traceroute(8):
> >>   # ”base+nhops*nqueries-1” (33434+64*3-1)
> >> pass inet proto udp to port 33433:33626 # For IPv4
> >>
> >> # Pass out only the desired ports from host and jails
> >> pass inet proto tcp from { self, $jailnet } to any port $tcp_services
> >> $tcpstate
> >> pass inet proto udp from { self, $jailnet } to port $udp_services
> >> $udpstate
> >>
> >>  # Allow ssh connections in from the internet
> >> pass in inet proto tcp to $ext_if port ssh flags S/SA keep state
> >> (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush
> >> global)
> >> # Pass in ssh traffic to the jails
> >> # pass rules for nat redirect
> >> pass in inet proto tcp to $jssh1 port 2220 flags S/SA keep state
> >> (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush
> >> global)
> >> pass inet proto tcp to $jssh1 port 2220 flags S/SA keep state
> >>
> >> pass in inet proto tcp to $jssh2 port 2221 flags S/SA keep state
> >> (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush
> >> global)
> >> pass inet proto tcp to $jssh2 port 2221 flags S/SA keep state
> >>
> >> pass in inet proto tcp to $jssh3 port 2222 flags S/SA keep state
> >> (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush
> >> global)
> >> pass inet proto tcp to $jssh3 port 2222 flags S/SA keep state
> >>
> >> pass in inet proto tcp to $jssh4 port 2223 flags S/SA keep state
> >> (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush
> >> global)
> >> pass inet proto tcp to $jssh4 port 2223 flags S/SA keep state
> >>
> >> # Pass traffic to the vpn
> >> pass in inet proto { tcp, udp } to $vpn port 1194 $udpstate
> >> #pass in inet proto tcp from any to $vpn port 1194 $udpstate
> >> pass inet proto { tcp, udp } to $vpn port 1194 $udpstate
> >> #pass inet proto tcp from any to $vpn port 1194 $udpstate
> >>
> >> # Pass in http traffic from the internet
> >> pass in inet proto tcp to $ext_if port 80 flags S/SA keep state
> >> (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush
> >> global)
> >>
> >> # Pass in https traffic from the internet
> >> pass in inet proto tcp to $ext_if port 443 flags S/SA keep state
> >> (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush
> >> global)
> >>
> >> # Pass in smtp traffic from the internet
> >> pass in inet proto tcp to $ext_if port 25 flags S/SA keep state
> >> (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush
> >> global)
> >>
> >> # Pass in submission traffic from the internet
> >> pass in inet proto tcp to $ext_if port 587 flags S/SA keep state
> >> (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush
> >> global)
> >>
> >> # Pass in imaps traffic from the internet
> >> pass in inet proto tcp to $ext_if port 993 flags S/SA keep state
> >> (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush
> >> global)
> >>
> >> # pass traffic from the asterisk server
> >> pass inet proto { tcp, udp } to $asterisk port $voipports keep state
> >>
> >>
> >> On 4/18/17, Ultima <ultima1...@gmail.com> wrote:
> >> > I didn't have time to read and look through this entire post, but I
> >> think I
> >> > know the issue you're running into and this suggestion should push you
> >> > in
> >> > the right direction.
> >> >
> >> > this rule for example,
> >> >
> >> > rdr on $ext_if inet proto udp from any to any port 1194 -> $vpn port
> >> > 1194
> >> > rdr on $ext_if inet proto tcp from any to any port 1194 -> $vpn port
> >> > 1194
> >> > # reflect for internal hosts
> >> > rdr on $int_if inet proto udp from any to any port 1194 -> $vpn port
> >> > 1194
> >> > rdr on $int_if inet proto tcp from any to any port 1194 -> $vpn port
> >> > 1194
> >> >
> >> > This is probably not giving you the results you desire. Basically
> >> > because
> >> > no from or to ip is specified ALL and I quite literally mean ALL
> >> > packets
> >> > using port 1194 are being sent to $vpn port 1194. Usually you want to
> >> make
> >> > it something like,
> >> >
> >> > rdr on $ext_if inet proto udp from any to $ext_ip port 1194 -> $vpn
> >> > port
> >> > 1194
> >> > rdr on $int_if inet proto udp from any to $int_ip port 1194 -> $vpn
> >> > port
> >> > 1194
> >> >
> >> > Now the traffic will be passed only when the packet is going to the
> >> > host,
> >> > not all traffic on a specific port. Another thing you may want to do
> is
> >> > combined many of these rules you have.
> >> >
> >> > rdr on $ext_if inet proto { tcp, udp } to $ext_ip port 1194 -> $vpn
> >> > port
> >> > 1194
> >> >
> >> > Also note the above, because we are specifying any for from, we can
> >> remove
> >> > the form rule entirely and make it shorter.
> >> >
> >> > Hope this helps
> >> >
> >> > Ultima
> >> >
> >>
> >
>
_______________________________________________
freebsd-pf@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"

Reply via email to