As stated in pf.conf(5), pf uses a "last matching rule wins" strategy:
Code:
For each packet processed by the packet filter, the filter rules are
evaluated in sequential order, from first to last. For block and pass,
the last matching rule decides what action is taken; if no rule matches
the packet, the default action is to pass the packet. For match, rules
are evaluated every time they match; the pass/block state of a packet
remains unchanged.
To circumvent this strategy you have to use quick:
Code:
quick If a packet matches a rule which has the quick option set, this
rule is considered the last matching rule, and evaluation of
subsequent rules is skipped.
Code:
match
The packet is matched. This mechanism is used to provide fine
grained filtering without altering the block/pass state of a
packet. match rules differ from block and pass rules in that
parameters are set every time a packet matches the rule, not only
on the last matching rule. For the following parameters, this
means that the parameter effectively becomes ``sticky'' until
explicitly overridden: nat-to, binat-to, rdr-to, queue, rtable, and
scrub.
With this in mind, and because I don't quite understand what you are trying to accomplish, the following effort to re-organize and clean up the rule set may thus not work at all:
Code:
DEBUG = log
# --- NAT
match out $DEBUG inet from ! $ext_if to any nat-to $ext_if
match out $DEBUG on $ext_if from $screen_pub_ip:0 to $localscreen nat-to $ext_if
pass in $DEBUG on $ext_if:0 proto { tcp, udp } to $screen_pub_ip port { 81 82 3306 3312 } nat-to $localscreen
pass out $DEBUG on $ext_if from $localscreen nat-to $screen_pub_ip
match out $DEBUG on $ext_if from $localscreen to any nat-to $screen_pub_ip
pass in $DEBUG on $ext_if from $screen_pub_ip:0 nat-to $localscreen
# --- BINAT
pass $DEBUG on $ext_if from $netfs to any binat-to $sync_pub_ip
pass $DEBUG on $ext_if from $localscreen to any binat-to $screen_pub_ip
# --- RDR
pass in $DEBUG on $ext_if proto { tcp, udp } from any to $sync_pub_ip port { 873 ftp ftp-data 22 21 } rdr-to $netfs
match in $DEBUG on $ext_if proto { tcp, udp } from any to $screen_pub_ip:0 port { 81 82 3306 3312 52530 } rdr-to $localscreen
# --- Block RFC 1918 non publicly routable addresses
block in $DEBUG quick on $ext_if from <rfc1918> to any
block out $DEBUG quick on $ext_if from <rfc1918> to any
# ==================================================================================
######## Allow ICMP ping #### Ping test to make sure we can get to host
pass in quick inet proto icmp from any to any icmp-type $icmp_types
### Note: it does work for $sync_pub_ip but not $screen_pub_ip ??? # <- THIS IS A CLUE!?!
# ==================================================================================
match in $DEBUG on $ext_if to $screen_pub_ip
# -------------------------------------------------------------------------------
pass out $DEBUG on $ext_if from $int_if:network to any
# --- Default policy
block log all
# ---------------------------
You can see I defined a variable DEBUG that allows you to easily flip logging on or off.
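To make the evaluation order quoted from pf.conf(5) above concrete, here is a small Python model of those semantics (the last matching pass/block rule wins, quick ends evaluation, match parameters stay sticky, and the default is pass), including what happens to non-quick pass rules when a catch-all block sits at the end. It is an added illustration, not pf's own code or the rule set from this thread; the Rule fields, the constructed rule list and the host labels such as PUB_IP are assumptions made for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Rule:
    """One pf rule reduced to the parts that matter for evaluation order.
    Constructed for this example; this is not a pf.conf parser."""
    action: str                 # "pass", "block" or "match"
    quick: bool = False
    src: str = "any"            # "any" or an exact host label
    dst: str = "any"
    params: dict = field(default_factory=dict)  # e.g. {"rdr-to": "LOCAL_HOST"}

    def matches(self, pkt):
        return self.src in ("any", pkt["src"]) and self.dst in ("any", pkt["dst"])


def evaluate(rules, pkt):
    """Walk the rules first to last as pf.conf(5) describes.
    Returns (final action, sticky parameters, index of the deciding rule)."""
    decision, deciding, sticky = "pass", None, {}   # no match at all -> pass
    for i, r in enumerate(rules):
        if not r.matches(pkt):
            continue
        if r.action == "match":
            sticky.update(r.params)   # applied every time; later match rules override
            continue
        decision, deciding = r.action, i   # pass/block: last match so far decides
        sticky.update(r.params)
        if r.quick:
            break                     # quick: evaluation of later rules is skipped
    return decision, sticky, deciding


# Constructed rule list shaped like the one in the post (labels are placeholders).
RULES = [
    Rule("match", dst="PUB_IP", params={"rdr-to": "LOCAL_HOST"}),   # sticky rdr-to
    Rule("block", quick=True, src="RFC1918"),                      # quick block
    Rule("pass", dst="PUB_IP"),                                    # pass without quick
    Rule("pass", quick=True, dst="PING_TARGET"),                   # pass with quick
    Rule("match", dst="PUB_IP", params={"rdr-to": "OTHER_HOST"}),  # overrides rule 0
    Rule("block"),                                                 # trailing "block all"
]


def demo():
    """Four constructed packets; each result is (action, sticky params, deciding rule)."""
    return {
        "to_pub": evaluate(RULES, {"src": "INTERNET", "dst": "PUB_IP"}),
        "rfc1918": evaluate(RULES, {"src": "RFC1918", "dst": "PUB_IP"}),
        "ping": evaluate(RULES, {"src": "INTERNET", "dst": "PING_TARGET"}),
        "other": evaluate(RULES, {"src": "INTERNET", "dst": "OTHER"}),
    }
```

Note that the packet to PUB_IP is blocked even though a pass rule matched it: the trailing block is the last match, and only the quick pass reaches the final decision.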