Thanks a lot for replying.
Hmm, I'm a bit lost now ...

Why do I have to move the anchor "before" the block statement?

Actually (without moving it) the authpf anchor works well and no traffic is 
blocked.
Looking here:
http://www.openbsd.org/faq/pf/authpf.html the anchor is at the bottom of the 
pf.conf file too.

Coming back to my pf.conf.
I have "block log (all) all" and at the end of the file I have "anchor emule".

As far as I understand, the rules are checked from top to bottom and the last 
match wins.
(Assuming the emule anchor is loaded.)
Traffic comes in on port 4662 at the pppoe0 interface:
1) it MATCHES "block log (all) all"
2) it checks the other rules ... NO MATCH ...
3) finally comes to the loaded "anchor emule"
that has the following rule
pass in quick on $ext_if inet proto tcp from any to ($ext_if) \
        port $InMuleTCP flags S/SA keep state label eMuleTCP
4) the rule from the anchor is the LAST MATCHED rule and traffic (port 4662) 
should pass through ...

Hmm ... am I completely wrong and did I misunderstand how pf works?
Here is a snippet from the pf manual:
"For each packet processed by the packet filter, the filter rules are
evaluated in sequential order, from first to last.  The last matching
rule decides what action is taken."

Thanks a lot
didier

>This rdr-anchor is ok

>> #pass quick all
>> block quick from <hostile>
>> block quick inet6 all

>but here you are blocking the emule traffic. You should put this here:
>       anchor emule
>       anchor "authpf/*"

>and not below
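A small model of pf's evaluation order, added here as an example and not taken from either message in the thread: rules are checked top to bottom, the last match wins, a matching "quick" rule stops evaluation at once, and an anchor is evaluated in place where it appears. The <hostile> table contents and the packet addresses are constructed.

```python
# Model of pf rule evaluation: last matching rule wins, except that a
# matching rule with "quick" terminates evaluation immediately, and an
# anchor's rules are evaluated at the anchor's position in the ruleset.
from dataclasses import dataclass, field
from typing import Optional

HOSTILE = {"198.51.100.7"}   # constructed stand-in for the <hostile> table

@dataclass
class Rule:
    action: str                       # "pass", "block" or "anchor"
    quick: bool = False
    af: Optional[str] = None          # "inet" / "inet6" / None = any
    proto: Optional[str] = None
    dport: Optional[int] = None
    src_table: Optional[set] = None
    anchor: list = field(default_factory=list)   # rules loaded into the anchor

    def matches(self, pkt):
        return ((self.af is None or self.af == pkt["af"])
                and (self.proto is None or self.proto == pkt["proto"])
                and (self.dport is None or self.dport == pkt["dport"])
                and (self.src_table is None or pkt["src"] in self.src_table))

def evaluate(rules, pkt, last=None):
    """Return (final_action, stopped_by_quick) for one packet."""
    for r in rules:
        if r.action == "anchor":          # evaluate nested rules in place
            last, quick = evaluate(r.anchor, pkt, last)
            if quick:                     # quick inside an anchor also stops
                return last, True
            continue
        if r.matches(pkt):
            last = r.action
            if r.quick:
                return last, True
    return last, False

# The rules discussed in the thread: the eMule anchor's pass rule, the
# catch-all "block log (all) all", and the two "block quick" rules.
EMULE = Rule("anchor", anchor=[Rule("pass", quick=True, af="inet",
                                    proto="tcp", dport=4662)])
BLOCK_ALL = Rule("block")
QUICK_BLOCKS = [Rule("block", quick=True, src_table=HOSTILE),
                Rule("block", quick=True, af="inet6")]

def anchor_at_bottom(pkt):
    return evaluate([BLOCK_ALL] + QUICK_BLOCKS + [EMULE], pkt)[0]

def anchor_before_quick_blocks(pkt):
    return evaluate([BLOCK_ALL, EMULE] + QUICK_BLOCKS, pkt)[0]
```

For an IPv4 eMule packet from an ordinary host both placements end in pass; for one from a <hostile> address, the bottom placement blocks it (the quick block rule ends evaluation before the anchor is reached) while the earlier placement lets the anchor's pass quick win first.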
