Hello,
I've got a pf ruleset that is working fine outbound, i'm blocking on all
interfaces and only allowing specific traffic through. The problem is
external requests are not getting through to the lan server which houses the
web server. Syntactically these rules look fine.
One thing that may or not be related when i uncomment the outbound block
rule for private blocks traffic does not go out.
Any ideas?
Thanks.

# pf.conf
# for use on gateway box

# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last
match.

# define the two interface macros
EXT = "ep0"
LAN = "ed1"

# define some address macros
LAN_FIREWALL = "192.168.1.254"
LAN_CLIENTS = "192.168.1.0/24"
LAN_ADMIN = "192.168.1.0/24"
LAN_SERVER = "192.168.1.3"

# define some non-routeable addresses used in spoof attacks originating from
the internet
PRIVATE_BLOCKS = "{
127.0.0.0/8
192.168.0.0/16
172.16.0.0/12
10.0.0.0/8
!10.40.224.1
}"

# define some service macros
LAN_TO_INT_SERVICES = "{ ftp-data, ftp, cvsup, ssh, smtp, domain, http,
pop3, nntp, imap, https, imaps, pop3s, 1790, 1791, 1792, 1793, 1794, 1795,
cvsup, 6667, 8000, 8080, 8880 }"
INT_TO_LAN_SERVICES = "{ ssh, smtp, www, pop3, https, pop3s, 1723, 8000 }"
LAN_TO_FW_SERVICES = "{ ssh }"
FW_to_LAN_services = "{ ssh }"

# options
set optimization normal
set block-policy drop
set require-order yes
set fingerprints "/etc/pf.os"

# normalize packets to prevent fragmentation attacks
scrub on $EXT reassemble tcp random-id

# translate lan client addresses to that of EXT
nat on $EXT from $LAN_CLIENTS to any -> ($EXT)

# redirections
rdr on $EXT proto tcp from !65.99.185.20/32 to any port 22 -> $LAN_SERVER
port 22
rdr on $EXT proto tcp from any to any port 25 -> $LAN_SERVER port 25
rdr on $EXT proto tcp from any to any port 80 -> $LAN_SERVER port 80
rdr on $EXT inet proto tcp from any os "Windows" to any port 25 -> 127.0.0.1
port 8025
# redirect lan client active FTP requests (to an FTP server's control port
21)
# to the ftp-proxy running on the firewall host (via inetd on port 8081)
rdr on $LAN proto tcp from any to any port 21 -> 127.0.0.1 port 8021

# deny by default
block all

# pass loopback traffic
pass quick on lo0 all

# block windows email relays
block in quick on $EXT inet proto tcp from any os "Windows" to any port 25

# immediately prevent IPv6 traffic from entering or leaving all interfaces
block quick inet6 all

# silently block and drop broadcast cable modem noise
block in quick on $EXT from any to 255.255.255.255

# Block bad tcp flags from malicious people and nmap scansN
block in quick on $EXT proto tcp from any to any flags /S
block in quick on $EXT proto tcp from any to any flags /SFRA
block in quick on $EXT proto tcp from any to any flags /SFRAU
block in quick on $EXT proto tcp from any to any flags A/A
block in quick on $EXT proto tcp from any to any flags F/SFRA
block in quick on $EXT proto tcp from any to any flags U/SFRAU
block in quick on $EXT proto tcp from any to any flags SF/SF
block in quick on $EXT proto tcp from any to any flags SF/SFRA
block in quick on $EXT proto tcp from any to any flags SR/SR
block in quick on $EXT proto tcp from any to any flags FUP/FUP
block in quick on $EXT proto tcp from any to any flags FUP/SFRAUPEW
block in quick on $EXT proto tcp from any to any flags SFRAU/SFRAU
block in quick on $EXT proto tcp from any to any flags SFRAUP/SFRAUP
block in quick on $EXT proto tcp all flags FUP/FUP

# immediately prevent packets with invalid addresses from entering or
exiting EXT (anti-spoofing measure)
block drop in quick on $EXT inet from $PRIVATE_BLOCKS to any
#block drop out quick on $EXT inet from any to $PRIVATE_BLOCKS

# prevent lan originated spoofing from occurring
antispoof for $EXT inet

# preventing invalid internet UDP and TCP requests from timing out
block return in on $EXT proto { udp, tcp } all

# allow internet requests to enter EXT
# in order to contact our lan server (keep state on this connection
pass in on $EXT \
inet proto tcp \
from any to $LAN_SERVER \
port $INT_TO_LAN_SERVICES \
flags S/SA \
synproxy state

# Allow remote FTP servers (on data port 20) to respond to the proxy's
# active FTP requests by contacting it on the port range specified in
inetd.conf
pass in on $EXT \
inet proto tcp \
from any port 20 \
to $EXT port 55000 >< 57000 \
user proxy \
flags S/SA keep state

# mpd
pass in on $EXT inet proto gre to $LAN_SERVER keep state
pass quick on ng0 all

# allow UDP requests to port 53 from firewall to exit EXT
# in order to contact internet nameservers (keep state on this connection)
pass out on $EXT \
inet proto udp \
from $EXT to any \
port 53 \
keep state

# Allow UDP requests to port 67/68 from firewall to exit EXT
# in order to contact internet dhcp servers (keep state on this connection)
pass out log on $EXT \
proto udp \
from $EXT to any \
port { 67, 68, 123 } \
keep state

# allow lan traffic from internet clients to exit EXT
# (after natting is performed) in order to contact internet web servers
# (keep state on this connection)
pass out on $EXT \
inet proto tcp \
from $EXT to any \
port $LAN_TO_INT_SERVICES \
flags S/SA keep state

# allow internet traffic contacting internal services out
# (keep state on this connection.)
pass out on $EXT \
inet proto tcp \
from $EXT to any \
port $INT_TO_LAN_SERVICES \
flags S/SA keep state

# allow ICMP requests from firewall to exit EXT (after natting is performed)
# in order to ping/traceroute internet hosts on the behalf of lan admin
pass out on $EXT \
inet proto icmp \
from $EXT to any \
icmp-type 8 \
keep state

# allow ftp active requests out
pass out on $EXT \
inet proto tcp \
from $EXT to any \
port 20 \
flags S/SA keep state

# allow firewall to contact ftp server on behalf of passive ftp client
# on control port 21
pass out on $EXT \
inet proto tcp \
from $EXT to any \
port 21 \
flags S/SA keep state

# allow firewall to contact ftp server on behalf of passive ftp client
# on standard unprivileged port range ( > 1024 )
pass out on $EXT \
inet proto tcp \
from $EXT to any \
port > 1024 \
flags S/SA keep state

# allow UDP requests to port 53 from lan clients to enter LAN
# in order to perform dns queries on the firewall (keep state on this
connection)
pass in on $LAN \
inet proto udp \
from $LAN_clients to $LAN_firewall \
port 53 \
keep state

# allow lan traffic from lan clients to enter lan
# in order to contact internet web servers (keep state on this connection)
pass in on $LAN \
inet proto tcp \
from $LAN_clients to any \
port $LAN_TO_INT_SERVICES \
flags S/SA keep state

# lan admin connects to firewall via ssh for administrative purposes
pass in on $LAN \
inet proto tcp \
from $LAN_admin to $LAN_firewall \
port $LAN_to_FW_services \
keep state

# allow requests from lan admin to enter LAN
# in order to ping/traceroute any system (firewall, dmz server, and internet
hosts)
pass in on $LAN \
inet proto icmp \
from $LAN_admin to any \
icmp-type 8 \
keep state

# allow internet requests to exit lan
# in order to contact our web server (keep state on this connection)
pass out on $LAN \
inet proto tcp \
from any to $LAN_server \
port $INT_TO_LAN_SERVICES \
flags S/SA synproxy state

# firewall connects to the lan server via scp/ssh for backup purposes
pass out on $LAN \
inet proto tcp \
from $LAN_firewall to $LAN_server \
port $FW_to_LAN_services \
keep state