This host is a firewall doing NAT for $our_hosts_ext. It allows certain traffic from (a) our local network, $ourlocal and (b) partner networks, $networks_friendly.
The intention here was to default-deny all traffic addressed to $our_hosts_ext and this host itself; I wrote separate rules for those so that I could test and log them separately, and so that I could keep the rulesets for "hosts" and "the firewall" separate in the config file. The problem is that I'm logging ssh attempts (on the firewall itself) which are getting through, and are not from $ourlocal or $networks-friendly. Clearly I've made a mistake. I'd appreciate it if someone could tell me where. Thanks.

```
my_outside_interface = "{ eth1 }"
my_inside_interface = "{ eth0 }"
our_hosts_ext = "{" $host1_ext $host2_ext $host3_ext "}"
my_outside_ip = "{ 1.2.3.4 }"

table <networks-friendly> persist file "/etc/pf/pf.friendly"
table <ourlocal> persist { 1.2.3.0/24 }

# block all to our hosts
block in log on $my_outside_interface from any to $our_hosts_ext

# block all to me
block in log on $my_outside_interface from any to $my_outside_ip

# allow ssh
pass in log on $my_outside_interface proto tcp from <ourlocal> to $my_outside_ip port ssh
pass in log on $my_outside_interface proto tcp from <networks-friendly> to $my_outside_ip port ssh
```
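Since both the `block` and the `pass` rules above carry `log`, every ssh attempt shows up on `pflog0` whether it was dropped or admitted, so the log alone does not say which. The pflog header written by `tcpdump -n -e -ttt -i pflog0` records the matching rule number and its action, and the rule numbers line up with `pfctl -vvsr`. The script below is an added example (not part of the original post) that parses such lines and flags only the entries where a `pass` rule admitted ssh to the firewall from a source outside the allowed networks. The log lines, the friendly network 203.0.113.0/24 and the rule numbers are constructed for the example; 1.2.3.0/24 and 1.2.3.4 are taken from the post.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of `tcpdump -n -e -ttt -i pflog0` output; not real traffic.
# The field layout follows the pflog header: rule number, action, direction, interface.
SAMPLE_PFLOG = """\
00:00:00.000000 rule 0/0(match): block in on eth1: 198.51.100.7.41234 > 1.2.3.4.22: Flags [S], seq 1, win 65535, length 0
00:00:01.100000 rule 2/0(match): pass in on eth1: 1.2.3.50.50101 > 1.2.3.4.22: Flags [S], seq 2, win 65535, length 0
00:00:02.200000 rule 3/0(match): pass in on eth1: 203.0.113.9.55000 > 1.2.3.4.22: Flags [S], seq 3, win 65535, length 0
00:00:03.300000 rule 7/0(match): pass in on eth1: 192.0.2.77.60000 > 1.2.3.4.22: Flags [S], seq 4, win 65535, length 0
00:00:04.400000 rule 1/0(match): block in on eth1: 192.0.2.78.60001 > 1.2.3.4.80: Flags [S], seq 5, win 65535, length 0
"""

# <ourlocal> from the post plus an assumed content for <networks-friendly>.
ALLOWED_SOURCES = [
    ipaddress.ip_network("1.2.3.0/24"),     # <ourlocal>
    ipaddress.ip_network("203.0.113.0/24"), # assumed entry of /etc/pf/pf.friendly
]
FIREWALL_IP = ipaddress.ip_address("1.2.3.4")  # $my_outside_ip
SSH_PORT = 22

LINE_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\(match\):\s+"
    r"(?P<action>block|pass)\s+(?P<direction>in|out)\s+on\s+(?P<ifname>\S+):\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)


def parse_pflog(text):
    """Turn tcpdump pflog lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        events.append({
            "rule": int(m.group("rule")),
            "action": m.group("action"),
            "direction": m.group("direction"),
            "ifname": m.group("ifname"),
            "src": ipaddress.ip_address(m.group("src")),
            "dst": ipaddress.ip_address(m.group("dst")),
            "dport": int(m.group("dport")),
        })
    return events


def is_allowed_source(addr):
    return any(addr in net for net in ALLOWED_SOURCES)


def audit_ssh(events):
    """Return (unexpected_passes, action_counts) for inbound ssh to the firewall.

    A logged 'block' is the default-deny working as intended; only a 'pass'
    from a source outside the allowed networks points at a rule problem, and
    the rule number tells you which rule admitted it.
    """
    unexpected = []
    counts = Counter()
    for e in events:
        if e["direction"] != "in" or e["dst"] != FIREWALL_IP or e["dport"] != SSH_PORT:
            continue
        counts[e["action"]] += 1
        if e["action"] == "pass" and not is_allowed_source(e["src"]):
            unexpected.append(e)
    return unexpected, counts


if __name__ == "__main__":
    bad, counts = audit_ssh(parse_pflog(SAMPLE_PFLOG))
    print("inbound ssh to firewall:", dict(counts))
    for e in bad:
        print(f"rule {e['rule']} passed ssh from {e['src']} on {e['ifname']}; "
              f"compare with `pfctl -vvsr` to see which rule that is")
```

The interesting output is the `pass` entry from a source outside both tables; the `block` entries are the default-deny doing its job and only look alarming because the block rules also log. Feeding real output of `tcpdump -n -e -ttt -i pflog0` into `parse_pflog` and matching the reported rule number against `pfctl -vvsr` shows which rule is admitting the traffic.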