Hello. Actually, I'm using FreeBSD but to my understanding pf came from OpenBSD so I'm reporting my bug here.
The problem is that "block return" rules do not send packets using the same interface the packet originally came from, but use normal kernel routing to send the RST packet. Nor is there any ability to route these packets manually by some additional pf rules.

We have two ISPs: one on fxp0 (1.1.1.1), the second on fxp1 (2.2.2.2). The first ISP's router is our default gateway. As a result, when a packet comes from the second ISP and gets blocked, the TCP RST packet goes to the first ISP's router. And the ISP router discards the packet because neither the source nor the destination address is within the provider's network (the provider considers it spoofing). As a result, return-rst just does not work at all.

I believe there should be an option to return RST/ICMP packets using the same interface the original packet came from.

Regards,
Dmitry Andrianov