Hello Mike,

You are blocking traffic after matching the NAT rule. Because you don't use the quick keyword, your PF matches the first rule, then the second, then the third, and applies the third.

In your firewall configuration you block nothing and you NAT nothing. A better way is to write this:

set skip on lo
block in log
pass out
pass in quick on tun0 from 10.8.0.0/24 to any nat-to 37.x.x.x

This allows outgoing traffic and incoming traffic from tun0 (+NAT). Because PF is stateful, you don't have to allow return traffic from tun0 NATed clients. If you want to allow some more incoming traffic, add new rules after the previous rules.

--
Best regards,
Loïc BLOT,
UNIX systems, security and network expert
http://www.unix-experience.fr

On Friday, 28 June 2013 at 23:50 -0500, Mike Parker wrote:
> pf.conf
> set skip on lo
> pass in on tun0 from 10.8.0.0/24 to any nat-to 37.x.x.x
> block log
> pass
> block in on ! lo0 proto tcp to port 6000:6010
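To see why the original ruleset ends up passing VPN traffic without the NAT while the suggested one applies it, here is a small Python model of PF's last-match and quick evaluation run over both rulesets. It is an added example for this page, not code from the thread or from PF itself; interface names and packet addresses are constructed, "set skip on lo" and state tracking are not modelled, and "37.x.x.x" is the thread's own placeholder.

```python
# Added example, not code from the thread: a toy model of how pf(4) picks the
# winning rule (the last matching rule wins; "quick" stops at that rule).
# Rulesets are the thread's two pf.conf snippets ("set skip on lo" left out);
# packets are constructed tuples and "37.x.x.x" is the thread's placeholder.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    direction: str = None  # "in", "out" or None for both
    iface: str = None      # "!lo0" = any interface except lo0
    src: str = None        # source network in CIDR form
    ports: tuple = None    # inclusive destination port range
    quick: bool = False
    nat_to: str = None

    def matches(self, pkt):  # pkt = (direction, iface, src, dst port)
        direction, iface, src, dport = pkt
        if self.direction and self.direction != direction:
            return False
        if self.iface and (iface == self.iface.lstrip("!")) == self.iface.startswith("!"):
            return False   # required iface absent, or excluded iface present
        if self.src and ip_address(src) not in ip_network(self.src):
            return False
        if self.ports and not self.ports[0] <= dport <= self.ports[1]:
            return False
        return True

def evaluate(rules, pkt):  # -> (action, nat_to) of the deciding rule
    winner = None
    for rule in rules:
        if rule.matches(pkt):
            winner = rule
            if rule.quick:  # quick: the first match decides, stop here
                break
    return (winner.action, winner.nat_to) if winner else ("pass", None)

MIKE = [  # ruleset from the quoted mail
    Rule("pass", "in", "tun0", "10.8.0.0/24", nat_to="37.x.x.x"),
    Rule("block"),
    Rule("pass"),
    Rule("block", "in", "!lo0", ports=(6000, 6010)),
]
LOIC = [  # suggested ruleset from the reply
    Rule("block", "in"),
    Rule("pass", "out"),
    Rule("pass", "in", "tun0", "10.8.0.0/24", quick=True, nat_to="37.x.x.x"),
]
```

Feeding a VPN client packet arriving on tun0 to both rulesets shows the original one deciding on the plain "pass" (no NAT) and the suggested one stopping at the quick NAT rule; an unsolicited packet on another interface is passed by the original and blocked by the suggested one.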