On 2015-10-26, Giancarlo Razzolini <grazzol...@gmail.com> wrote:
> I suggest you move your match rules to the beginning of the ruleset and
> use log on them. So you can watch your pflog interface and see the
> packets being triggered. Also, you can (should) always use tags. Not
> only they make your ruleset "debugable", but any stray packet should hit
> a block rule (possibly logging it). I suspect your first three rules
> aren't matching because you're using the external interface. Try using
> the internal on them.

Also: have the first "action" rule block everything ("block log" probably).
Then you can be sure that all packets match one of your rules (and don't get
accepted by the implicit default 'pass flags any no state' rule).

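An added example ruleset (not the original poster's, and not from either reply) that puts both pieces of advice together: a logged default block first, logged match rules with tags at the top, and pass rules keyed on those tags. Interface names, the LAN prefix, ports and tag names are assumptions.

```pf
# Added example pf.conf; interface names, addresses, ports and tag names are
# assumed for illustration and do not come from the thread.
ext_if  = "em0"
int_if  = "em1"
lan_net = "192.168.1.0/24"    # constructed example LAN

set skip on lo

# First action rule: default deny, logged. Anything no later rule handles
# ends up on pflog0 instead of hitting the implicit
# "pass flags any no state" default.
block log all

# Match rules early, logged, so
#   tcpdump -n -e -ttt -i pflog0
# shows exactly which packets each one classifies. Tags carry that
# classification to the pass rules below. Traffic arrives from the LAN on
# the internal interface, so that is the interface to match on.
match log in on $int_if inet proto tcp from $lan_net to any port { 80 443 } tag LAN_WEB
match log in on $int_if inet proto udp from $lan_net to any port 53 tag LAN_DNS
match out on $ext_if from $lan_net to any nat-to ($ext_if)

# Pass rules keyed on tags. A LAN packet that was not tagged above never
# reaches a pass rule and stays blocked (and logged) by the first rule.
pass in on $int_if tagged LAN_WEB
pass in on $int_if tagged LAN_DNS
pass out on $ext_if
```

Rule hit counters from `pfctl -vvsr` then show whether each match rule is firing, alongside the per-packet view on pflog0.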