Hello folks, I'd like some help with the following rules on pf. I'm trying to block all HTTPS requests going out of my network and unblock just some IPs. The blocked IPs are allowed to access specific sites, which are listed in files with the domain names I want to allow: the unblocked_ips and unblocked_sites files.
The pf rules:

    antispoof for bge0
    antispoof for bge1
    set block-policy drop
    set skip on lo

    # macros
    it_ips="{ 192.168.255.35, 192.168.255.36, 192.168.255.20 }"
    tcp_services="{ 20 21 25 80 110 143 465 587 993 1020 3389 5223 5310 8017 8080 8081 22000 }"
    udp_services="{ domain ntp 5223 33433:33626 }"
    icmp_types="{ echorep, echoreq, unreach, squench, redir, timex }"

    # tables loaded from files
    table <networks> persist file "/etc/pf/networks"
    table <martians> persist file "/etc/pf/martians"
    table <unblocked_sites> persist file "/etc/pf/unblocked_sites"
    table <unblocked_ips> persist file "/etc/pf/unblocked_ips"

    # normalization and NAT
    match in all scrub (no-df random-id max-mss 1440)
    match out on egress inet from lan:network to any nat-to (egress:0)

    # default blocking
    block return in on ! lo0 proto tcp to port 6000:6010
    block in quick on egress from <martians> to any
    block return out quick on egress from any to <martians>
    block on egress all

    anchor "ftp-proxy/*"

    # LAN side
    pass in quick on lan inet proto tcp to port 80 divert-to 192.168.255.254 port 3129
    pass in quick on lan inet proto tcp to port ftp divert-to 127.0.0.1 port 8021
    pass in quick on lan inet proto tcp from $it_ips to lan:0 port 22
    pass quick on lan inet proto icmp icmp-type $icmp_types
    pass on lan all

    # egress side
    pass out quick on egress inet proto tcp from <unblocked_ips> to port https
    pass out quick on egress inet proto tcp from !<unblocked_ips> to <unblocked_sites> port https
    pass out quick on egress inet proto icmp icmp-type $icmp_types
    pass out on egress inet proto tcp to port $tcp_services
    pass out on egress inet proto udp to port $udp_services

With these rules applied, all IPs, even those that are supposed to be unblocked, are being blocked. I'd appreciate any help.