Some tips
Start with a simple ruleset that only allows outgoing DNS. Test that ruleset by resolving names to IP addresses with dig.
Then add outgoing www (port 80) access and test browsing.
Replace your redundant block rules with
. Run tcpdump to view any logged blocked packets
Code:
# tcpdump -eni pflog0
Run another instance of tcpdump on the internal NIC and two more on your 2 external NICs.
You can run these tcpdumps from a workstation that is ssh'ed in to the firewall.
To prevent ssh traffic from polluting your tcpdump output, just add 'not port ssh' to the tcpdump command.
Remember: 'Real Men debug their firewall with tcpdump'
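The staged approach above, written out as a shell script (an added example, not from the post): stage 1 blocks and logs everything except outgoing DNS, stage 2 adds outgoing port 80, and a helper builds the pflog0 / NIC capture commands with 'not port ssh' appended. The interface names em0 (internal), em1 and em2 (external) and the /tmp staging path are assumed placeholders; pf's last-matching-rule semantics are what let the `pass out` lines override the earlier `block log all`.

```shell
#!/bin/sh
# Added example: staged pf ruleset plus tcpdump capture helpers.
# Interface names and the staging file path are assumed placeholders.

# Stage 1: block (and log) everything, allow only outgoing DNS.
# Verify with: dig @<resolver> example.com  (name should resolve).
ruleset_stage1() {
    cat <<'EOF'
int_if="em0"
ext_if1="em1"
ext_if2="em2"
set skip on lo
block log all
pass out on { $ext_if1 $ext_if2 } proto { tcp udp } to any port 53 keep state
EOF
}

# Stage 2: once DNS works, add outgoing www (port 80) and test browsing.
ruleset_stage2() {
    ruleset_stage1
    echo 'pass out on { $ext_if1 $ext_if2 } proto tcp to any port 80 keep state'
}

# Build the tcpdump command for one interface. 'not port ssh' keeps the
# admin's own ssh session out of the capture; on pflog0 only packets hit
# by a "log" rule appear, and -e prints the pf header (rule number, action).
capture_cmd() {
    echo "tcpdump -eni $1 not port ssh"
}

# One capture per interface, as the post suggests: pflog0, internal, both externals.
all_capture_cmds() {
    for ifc in pflog0 em0 em1 em2; do
        capture_cmd "$ifc"
    done
}

# Count the logged block rules in a ruleset read from stdin.
count_block_log() {
    grep -c '^block log'
}

# Syntax-check a stage with a pfctl dry run (-n) before actually loading it.
# Usage: load_stage ruleset_stage1   (needs root and pf; not run by the test)
load_stage() {
    "$1" > /tmp/pf.conf.stage \
        && pfctl -nf /tmp/pf.conf.stage \
        && pfctl -f /tmp/pf.conf.stage
}
```

Run `load_stage ruleset_stage1`, confirm resolution with dig, then `load_stage ruleset_stage2` and confirm browsing; in a separate session start the four capture commands printed by `all_capture_cmds` and watch pflog0 for anything the remaining `block log all` rule still drops.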