<snip>
> # pass rules
> block in
> pass out keep state
> pass in inet proto icmp all icmp-type $icmp_types keep state
> pass in quick on $int_if
> pass in on $ext_if inet proto tcp from any to ($ext_if) \
>     port $tcp_services flags S/SA keep state
> pass in on $ext_if inet proto tcp from any to $webserver port $webports \
>     flags S/SA synproxy state
> pass on $carpdevs proto carp keep state
> pass quick on $ext_if proto carp \
>     from $ext_if:network to $carp_mcast keep state
> pass on $syncdev proto pfsync
> pass in on $int_if from $ssh_allowed to self keep state (no-sync)
> antispoof quick for { lo $int_if }
<snip>
You've blocked in and then explicitly passed traffic only to $ext_if.
-B
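The quoted rules reference macros that were defined in the snipped part of the original post. What follows is an added example, not the poster's file or anything from the thread: a complete pf.conf that makes the same ruleset loadable on its own. Every macro value, the interface names (em0, em1, em2, carp0, carp1), the addresses, and the `set skip on lo` line are assumptions chosen only so the file parses. Check it with `pfctl -nf /etc/pf.conf` before loading. One ordering point worth keeping in mind when reading it: pf evaluates rules top to bottom and the last match wins unless a rule carries `quick`, so `pass in quick on $int_if` ends evaluation for every packet arriving on $int_if; the later `pass in on $int_if from $ssh_allowed to self` rule is never reached, and `antispoof quick for $int_if` cannot block spoofed packets that arrive on $int_if itself (it still blocks $int_if:network sources on the other interfaces).

```pf
# Added example pf.conf, not the original poster's configuration.
# All values below are assumptions made so the quoted ruleset loads.
ext_if       = "em0"
int_if       = "em1"
syncdev      = "em2"
carpdevs     = "{ carp0 carp1 }"
carp_mcast   = "224.0.0.18"            # CARP multicast group
webserver    = "192.0.2.10"            # assumed host behind the firewall
webports     = "{ 80 443 }"
tcp_services = "{ 22 }"
icmp_types   = "{ echoreq unreach }"
ssh_allowed  = "{ 192.168.1.0/24 }"    # assumed inside network

# Assumed: do not filter loopback at all (the usual pf.conf default).
set skip on lo

# Default deny inbound; outbound is allowed and creates state.
block in
pass out keep state

# Only the listed ICMP types come in.
pass in inet proto icmp all icmp-type $icmp_types keep state

# Everything arriving on the inside interface. 'quick' stops evaluation
# here, so no later rule (including antispoof) sees these packets.
pass in quick on $int_if

# Services on the firewall's own external address.
pass in on $ext_if inet proto tcp from any to ($ext_if) \
    port $tcp_services flags S/SA keep state

# Web server behind the firewall; pf completes the TCP handshake itself
# before passing the connection on, which absorbs SYN floods.
pass in on $ext_if inet proto tcp from any to $webserver port $webports \
    flags S/SA synproxy state

# CARP advertisements and pfsync state replication between the pair.
pass on $carpdevs proto carp keep state
pass quick on $ext_if proto carp \
    from $ext_if:network to $carp_mcast keep state
pass on $syncdev proto pfsync

# SSH to the firewall itself; this state is not replicated to the peer.
# Never matched in practice: 'pass in quick on $int_if' above wins first.
pass in on $int_if from $ssh_allowed to self keep state (no-sync)

# Drop packets that claim a source address belonging to these interfaces
# but arrive on the wrong one.
antispoof quick for { lo $int_if }
```

Load it with `pfctl -f /etc/pf.conf` once `pfctl -nf` is clean, and use `pfctl -sr` to see the expanded rules (antispoof and the list macros expand into several rules each), which makes the quick-ordering effect above visible.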