The ruleset allows outgoing requests to your blacklisted IP addresses, but blocks
the incoming replies.
Try this (untested) version which does not allow outgoing requests to your blacklist.
Code:
# Defines - NIC for external/internal network routes and other addresses
nic_ext = "fxp0"
nic_int = "lo1"
myaddr = "192.168.134.2"
mysub = "192.168.134.0/24"
myweb = "192.168.134.250"
# Hard-Coded blocks
# Do not block: 208.100.20.98 - proxyscan.rizon.net
# 66.102.9.0/24 - google.com subnet, mostly for ad-blocking
# 63.88.212.91 - webtrends
table <blacklist> {
208.201.239.101
222.208.183.218
125.230.150.249
66.102.9.0/24
63.88.212.91
}
# Allow everything through the secondary (Firewall->Switch) interface
# and the loopback interface
set skip on { $nic_int lo0 }
# --- NAT rule
#nat on $nic_ext from !($nic_ext) to any -> ($nic_ext)
# --- Default policy: block (and log to pflog0) anything not passed below
block log all
# -- External interface
antispoof quick for $nic_ext
# Allow outbound traffic from internal network, except to the blacklist.
# The negated table is what stops requests to blacklisted hosts from leaving.
# keep state is the default on current pf; it is written out so the replies
# to these outbound flows are passed back in on every pf version.
pass out quick on $nic_ext inet proto tcp from $mysub to !<blacklist> port != ssh keep state
pass out quick on $nic_ext inet proto udp from $mysub to !<blacklist> keep state
# Allow inbound port 8080 traffic to the webserver only
pass in quick on $nic_ext inet proto tcp from any to $myweb port 8080 keep state
You can see I eliminated your DNS rule. If you pass out all UDP traffic, you already allow DNS on port 53.
If this doesn't work as expected, you can visualize which packets are being blocked by running tcpdump on the pflog0 interface.
Code:
# tcpdump -eni pflog0
BTW why doesn't your internal interface re1 have any IPv4 address? And what is that bridge0 interface supposed to do?
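The tcpdump command in the post prints one line per logged packet, which gets hard to read quickly. As an added example (not code from the post or from pf/tcpdump), here is a small Python script that parses that `tcpdump -eni pflog0` output and reports how many blocked packets are inbound replies from hosts in the `<blacklist>` table (the symptom described at the top of the post) versus outbound requests to them (what the negated table should now stop). It assumes the pflog header format tcpdump prints with `-e` ("rule N/M(reason): action dir on ifname:"), handles IPv4 only, and the sample log lines are constructed for the example:

```python
"""Summarize `tcpdump -eni pflog0` output to see what pf is blocking.

Added example (not code from the forum post above). It parses the pflog
header tcpdump prints with -e ("rule N/M(reason): action dir on ifname:")
followed by the usual "src.port > dst.port:" text, and reports which
blocked packets involve a host in the <blacklist> table. IPv4 only; the
sample log lines below are constructed.
"""
import ipaddress
import re
from collections import Counter

# Copy of the <blacklist> table from the ruleset in the post.
BLACKLIST = [ipaddress.ip_network(n) for n in (
    "208.201.239.101", "222.208.183.218", "125.230.150.249",
    "66.102.9.0/24", "63.88.212.91")]

# Constructed sample of what `tcpdump -eni pflog0` prints (4 TCP, 1 ICMP).
SAMPLE_LOG = """\
10:01:02.000001 rule 0/0(match): block in on fxp0: 66.102.9.104.80 > 192.168.134.17.49152: Flags [S.], seq 1, ack 1, win 65535, length 0
10:01:02.000002 rule 0/0(match): block in on fxp0: 208.201.239.101.443 > 192.168.134.17.49153: Flags [S.], seq 1, ack 1, win 65535, length 0
10:01:03.000003 rule 0/0(match): block in on fxp0: 203.0.113.9.4444 > 192.168.134.250.22: Flags [S], seq 0, win 1024, length 0
10:01:04.000004 rule 0/0(match): block out on fxp0: 192.168.134.17.49154 > 63.88.212.91.80: Flags [S], seq 0, win 65535, length 0
10:01:05.000005 rule 0/0(match): block in on fxp0: 192.0.2.7 > 192.168.134.2: ICMP echo request, id 1, seq 1, length 64
"""

# pflog header (printed by tcpdump -e), then tcpdump's normal IP summary.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) rule (?P<rule>[^/]+)/[^(]*\((?P<reason>\w+)\): "
    r"(?P<action>\w+) (?P<dir>in|out) on (?P<ifname>[^:\s]+): "
    r"(?P<src>\S+) > (?P<dst>[^:]+): ?(?P<rest>.*)$")


def split_addr(token):
    """'66.102.9.104.80' -> ('66.102.9.104', 80); '192.0.2.7' -> ('192.0.2.7', None)."""
    parts = token.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return token, None


def guess_proto(rest):
    """Classify the packet from the first word tcpdump prints after the addresses."""
    head = rest.split(" ", 1)[0].rstrip(",")
    return {"Flags": "tcp", "UDP": "udp", "ICMP": "icmp"}.get(head, "other")


def parse_line(line):
    """Return a dict for one pflog line, or None if the line is not pflog output."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    src, sport = split_addr(m["src"])
    dst, dport = split_addr(m["dst"])
    return {"rule": m["rule"], "action": m["action"], "dir": m["dir"],
            "ifname": m["ifname"], "proto": guess_proto(m["rest"]),
            "src": src, "sport": sport, "dst": dst, "dport": dport}


def in_blacklist(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BLACKLIST)


def summarize(log_text):
    """Count blocked packets, grouped by flow, and how many touch the blacklist."""
    recs = [r for r in map(parse_line, log_text.splitlines()) if r]
    blocked = [r for r in recs if r["action"] == "block"]
    flows = Counter((r["dir"], r["ifname"], r["proto"], r["src"], r["dst"], r["dport"])
                    for r in blocked)
    return {
        "blocked": len(blocked),
        "flows": flows,
        # inbound packets from a blacklisted host: replies to requests that got out
        "blacklisted_replies": sum(1 for r in blocked
                                   if r["dir"] == "in" and in_blacklist(r["src"])),
        # outbound packets to a blacklisted host: what the negated table stops
        "blacklisted_requests": sum(1 for r in blocked
                                    if r["dir"] == "out" and in_blacklist(r["dst"])),
    }


if __name__ == "__main__":
    # For live use, feed sys.stdin from: tcpdump -eni pflog0 | python3 thisfile.py
    report = summarize(SAMPLE_LOG)
    print(f"blocked packets: {report['blocked']}  "
          f"replies from blacklist: {report['blacklisted_replies']}  "
          f"requests to blacklist: {report['blacklisted_requests']}")
    for (d, ifn, proto, src, dst, dport), n in report["flows"].most_common():
        print(f"{n:4d}  block {d} on {ifn} {proto} {src} -> {dst}:{dport}")
```

With the original ruleset you would expect the "replies from blacklist" counter to climb while "requests to blacklist" stays at zero; with the negated table in place it is the other way round, which is the quickest way to confirm the change did what the post says.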