In the spirit of K.I.S.S. I use: pass quick proto carp
Since that should match the number on 4 and 6 packets. > Your block rule had "inet" so you were probably blocking IPv4 only. But > because of the send errors (due to pf blocking) fw1 started to demote > itself.
