If you keep state on outgoing HTTP traffic, the incoming traffic matches the state and thus will be automatically allowed in.
From pf.conf(5):
Code:
By default pf(4) filters packets statefully: the first time a packet
matches a pass rule, a state entry is created. The packet filter
examines each packet to see if it matches an existing state. If it does,
the packet is passed without evaluation of any rules.
So you need to block the outgoing traffic with something like:
Code:
block drop out log (all) quick on $ext_if from any to <noface>
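
The rule ordering described in the post above, as an added example that is not part of the original post: a minimal pf.conf showing why an inbound-only block on `<noface>` is bypassed by state and where the outbound block sits. The interface name and the table addresses are assumptions (constructed values from the documentation ranges).

```conf
# Added example, not from the original post.
ext_if = "em0"                                    # assumed interface name
table <noface> persist { 192.0.2.0/24, 198.51.100.7 }   # constructed addresses

# Default deny in both directions.
block drop log all

# Inbound-only block: stops connections that hosts in <noface> initiate,
# but replies to connections opened from the inside never reach this rule.
# They match the state entry created by the "pass out" rule below and are
# passed without any rule evaluation.
block drop in quick on $ext_if from <noface> to any

# The rule from the post: the outgoing packet is dropped here, and because
# of "quick" evaluation stops, so the pass rule below never creates a state
# entry for these destinations.
block drop out log (all) quick on $ext_if from any to <noface>

# Stateful outbound web traffic (keeping state is pf's default behaviour).
pass out on $ext_if proto tcp from any to any port { 80, 443 } keep state
```

Parse the file with `pfctl -nf /etc/pf.conf` before loading it. State entries that already existed before the reload keep passing traffic until they expire or are removed; `pfctl -ss` lists them.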