13th September 2017
jggimi

The "pass" rule is not the last that would apply. Unless you use quick, the last matching rule wins, which may be:
Code:
pass out on $ext_if proto {tcp, udp} all keep state
The best way to diagnose a PF rule set is by adding the log option to pass/block/match rules, then using tcpdump(8) with pflog(4).
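An added example, not part of the post above: a simplified Python model of the evaluation order it describes, showing an earlier rule being overridden by the quoted `pass out` rule unless `quick` is set. The `Rule` class, the `evaluate` function, the interface name `em0` (standing in for `$ext_if`) and the earlier `block` rule are all assumptions made for illustration; the model matches only on direction, interface and protocol.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    action: str            # "pass" or "block"
    direction: str = ""    # "in", "out", or "" for either direction
    iface: str = ""        # "" matches any interface
    protos: tuple = ()     # () matches any protocol
    quick: bool = False    # quick: stop evaluating at this rule

    def matches(self, pkt):
        return ((not self.direction or self.direction == pkt["dir"])
                and (not self.iface or self.iface == pkt["iface"])
                and (not self.protos or pkt["proto"] in self.protos))

def evaluate(rules, pkt):
    """Return (action, rule_index): last matching rule wins, quick ends the scan."""
    decision = ("pass", None)  # PF passes a packet that no rule matches
    for index, rule in enumerate(rules):
        if rule.matches(pkt):
            decision = (rule.action, index)
            if rule.quick:
                break
    return decision

# Constructed rulesets. Rule 1 models the rule quoted in the post:
#   pass out on $ext_if proto {tcp, udp} all keep state
RULES = [
    Rule("block", "out", "em0", ("tcp",)),              # hypothetical earlier rule
    Rule("pass", "out", "em0", ("tcp", "udp")),
]
RULES_QUICK = [
    Rule("block", "out", "em0", ("tcp",), quick=True),  # same rule, with quick
    Rule("pass", "out", "em0", ("tcp", "udp")),
]

# Constructed sample packets.
TCP_OUT = {"dir": "out", "iface": "em0", "proto": "tcp"}
ICMP_OUT = {"dir": "out", "iface": "em0", "proto": "icmp"}

if __name__ == "__main__":
    print("without quick:", evaluate(RULES, TCP_OUT))
    print("with quick:   ", evaluate(RULES_QUICK, TCP_OUT))
    print("no match:     ", evaluate(RULES, ICMP_OUT))
```

The returned index plays the role of the rule number that pflog(4) records for a logged packet, which is what identifies the rule that actually decided.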