So glad I could help!
Besides this, I think I would simplify the lines with inet and inet6 into single ones: for instance, turn

    pass out quick on $ext_if inet all
    pass out quick on $ext_if inet6 all

into

    pass out quick on $ext_if all
and use

    pfctl -vnf /etc/pf.conf

to check (without reloading pf) if pf would develop this single line into the same two inet and inet6 lines as the two rules did before. This would make /etc/pf.conf easier to read and to maintain.
http://www.openbsd.org/faq/pf/nat.html says (about this parameter): "The address family, either inet for IPv4 or inet6 for IPv6. PF is usually able to determine this parameter based on the source/destination address(es)."
Even if this is the OpenBSD pf FAQ, I think this part applies to FreeBSD pf too. For instance, if I try to put "inet6" in a rule to allow ssh, I get an error:
    [...]
    set block-policy return
    set skip on { lo0 lo1 }
    /etc/pf.conf:52: rule expands to no valid combination
    root@***:~ #
And putting "inet" instead of "inet6" does not produce any error; the rule is expanded the same way as when there's no "inet" keyword in it. So pf seems to "know" that ssh port rules only apply to the inet family, not to inet6.
So I think most of the time, it's not necessary to add an inet or inet6 keyword. There must be cases when it's necessary but I don't know which ones.
On this forum I have been well advised to read "The Book of PF", so I would advise it to you too. The only translated version I could find was a bit old, but covered OpenBSD 4.6 pf (so 4.5 too), and was enough for my needs. (In French, it's "Le livre de Packet Filter".)
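The `pfctl -vnf` check recommended in the post, as an added example that is not part of the original post: a small sh harness that writes the two-line inet/inet6 form and the single combined line as separate candidate rulesets, asks pf to parse each one without loading it, and diffs the expanded rules; it also reports the "rule expands to no valid combination" style rejection the post shows. It assumes pfctl is installed (FreeBSD/OpenBSD) and uses "em0" as a placeholder for the real $ext_if.

```shell
#!/bin/sh
# Added example (not from the original post): harness around `pfctl -vnf`.
# Assumes pfctl is installed (FreeBSD/OpenBSD); "em0" is a placeholder
# for the real $ext_if.

# write_ruleset FILE RULE... : wrap rule lines in a minimal ruleset that
# defines the ext_if macro so pfctl can parse them.
write_ruleset() {
    out=$1; shift
    {
        echo 'ext_if = "em0"'   # placeholder interface, adjust to yours
        for rule in "$@"; do
            printf '%s\n' "$rule"
        done
    } > "$out"
}

# expand_ruleset FILE : print the pass/block/match lines pf would load
# from FILE (parsed with -n, so nothing is loaded), or fail when pf
# rejects it, e.g. "rule expands to no valid combination".
expand_ruleset() {
    pfctl -vnf "$1" > "$1.expanded" || return 1
    grep -E '^(pass|block|match) ' "$1.expanded" || :
}

# compare_expansions FILE1 FILE2 : 0 if both expand to the same rules,
# 1 if they differ (diff is printed), 2 if pf rejected one of them.
compare_expansions() {
    expand_ruleset "$1" > "$1.rules" || { echo "pf rejected $1" >&2; return 2; }
    expand_ruleset "$2" > "$2.rules" || { echo "pf rejected $2" >&2; return 2; }
    if cmp -s "$1.rules" "$2.rules"; then
        echo "identical expansion"
        return 0
    fi
    echo "expansions differ:"
    diff "$1.rules" "$2.rules"
    return 1
}

# Compare the two-line inet/inet6 form against the single combined line.
if command -v pfctl > /dev/null 2>&1; then
    two=$(mktemp); one=$(mktemp)
    write_ruleset "$two" 'pass out quick on $ext_if inet all' \
                         'pass out quick on $ext_if inet6 all'
    write_ruleset "$one" 'pass out quick on $ext_if all'
    compare_expansions "$two" "$one"
else
    echo "pfctl not found; run this on a FreeBSD/OpenBSD host with pf" >&2
fi
```

Point `write_ruleset` at your own rules (or pass the whole /etc/pf.conf to `expand_ruleset`) to see exactly which inet/inet6 lines pf derives before you commit to the shorter form.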