pf: nat works, ip blocking and logging do not

David DeSimone fox at
Sun Feb 14 00:30:59 UTC 2010

Alex Teslik <whereisalext at> wrote:
> Unfortunately, I can still go to or with no
> blocking and no logging on /var/log/pflog.

Your outbound traffic first matches this rule:

> pass out all [keep state]

The [keep state] I added because it is implied; you would have to
explicitly add "no state" in order to avoid it, and you probably
actually do want state-tracking on most outbound connections.

This is important to your question, though, because if you open an
outbound connection to or, it will store a
state entry, and state entries are checked BEFORE any rule-checking, for
reply traffic coming back from those hosts.  So, these rules:

> block drop in log (all) quick on $ext_if from {, } to any
> block drop out log (all) quick on $ext_if from {, } to any

will never be checked, because they match the previously built state.

In order to prevent communications with these hosts, you must also add
"block out [quick]" rules which prevent you from initiating the
connection to them and thus building state entries.

David DeSimone == Network Admin == fox at
  "I don't like spinach, and I'm glad I don't, because if I
   liked it I'd eat it, and I just hate it." -- Clarence Darrow
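The two orderings David describes, as an added pf.conf example (not a configuration posted by either participant). The interface name and the two documentation-range addresses standing in for the blocked hosts are placeholders I assume here; substitute your own:

```pf
# Added example, not from the original thread. "em0" and the two
# 192.0.2.0/24 documentation addresses are placeholders.
ext_if   = "em0"
badhosts = "{ 192.0.2.10, 192.0.2.20 }"

set skip on lo

# WRONG (commented out): these quick block rules only match packets whose
# *source* is a bad host. A connection you initiate is from your own
# address *to* the bad host, so it matches "pass out all", creates a
# state entry, and every reply is then passed by the state table before
# any rule, including these, is consulted. Nothing is logged.
#
#   pass out all keep state
#   block drop in  log (all) quick on $ext_if from $badhosts to any
#   block drop out log (all) quick on $ext_if from $badhosts to any

# RIGHT: refuse to *initiate* connections to the bad hosts, so no state
# is ever created. "quick" ends evaluation at the matching rule, so it
# wins over the later "pass out all" even though pf is otherwise
# last-match-wins.
block drop out log quick on $ext_if from any to $badhosts
block drop in  log quick on $ext_if from $badhosts to any

# Everything else outbound is still allowed and state-tracked.
pass out all keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. Reloading rules does not discard states that were already built under the old ruleset, so a connection opened before the change keeps passing until you flush the state table (`pfctl -F states`) or kill just the offending entries (`pfctl -k 192.0.2.10`). Blocked attempts then appear in `tcpdump -n -e -ttt -i pflog0`.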

