#4
6th August 2012
jggimi
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975

I will hazard a guess that it is the use of match that is the problem. From pf.conf(5):
Code:
     match
           The packet is matched.  This mechanism is used to provide fine
           grained filtering without altering the block/pass state of a
           packet.  match rules differ from block and pass rules in that
           parameters are set every time a packet matches the rule, not only
           on the last matching rule.  For the following parameters, this
           means that the parameter effectively becomes ``sticky'' until
           explicitly overridden: nat-to, binat-to, rdr-to, queue, rtable, and
           scrub.
It is on pass where you can apply last-matching-rule-wins.
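A ruleset sketch illustrating the distinction drawn above, added here as an example and not taken from the post or the thread; interface names, the 192.168.1.0/24 LAN, the 203.0.113.10 address and the port choices are all made up:

```pf
# Added example (not from the post): interface names and addresses are invented.
ext_if = "em0"
int_if = "em1"          # assumed to carry 192.168.1.0/24

# --- match rules: every matching rule applies, and its parameters stick ---

# Normalise every inbound packet; no later rule has to repeat "scrub".
match in all scrub (no-df random-id)

# NAT for the whole LAN is set here ...
match out on $ext_if from $int_if:network nat-to ($ext_if)

# ... and, because nat-to stays "sticky" until explicitly overridden, this
# later match rule replaces the translated source address for one host only.
match out on $ext_if from 192.168.1.50 nat-to 203.0.113.10

# --- pass/block rules: the last matching rule decides the verdict ---

block all                                   # default deny

pass out on $ext_if                         # LAN may reach the outside ...
block out on $ext_if proto tcp to port 23   # ... except telnet: matches last, so it wins

# "quick" ends evaluation at this rule; the block below is never reached for
# SSH from the LAN, even though it would otherwise be the last match.
pass in quick on $int_if proto tcp to port 22
block in on $int_if proto tcp to port 22
```

`pfctl -nf <file>` parses the ruleset without loading it, which is a cheap way to confirm the syntax before testing the behaviour.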