The problem described below only affects -current systems updated within a recent, narrow time frame. 3.4-stable, 3.4-release and earlier are NOT affected in any way.
A bug was introduced in pfctl with pfctl_parser.c CVS revision 1.188 and has been fixed with revision 1.189.

  1.188 (bug) committed Thu Jan 22 13:32:00 2004 UTC
  1.189 (fix) committed Sun Jan 25 18:47:15 2004 UTC

pfctl built from the affected source revision loads rules with incorrect address masks, yet pfctl -sr shows seemingly correct rules. Rule evaluation will have unexpected results: rules containing specific addresses match any address. For instance

  pass in on $ext_if from 62.65.145.30 to any port ssh keep state

might match any source address, not just 62.65.145.30. Depending on whether this is used in pass or block rules, pf will pass connections which should be blocked or block connections which should be passed according to the filter policy.

If you are using -current pf, please make sure you are not using pfctl built from pfctl_parser.c 1.188, for instance with

  $ head -n 1 /usr/src/sbin/pfctl/pfctl_parser.c

If this shows 1.188, you can fix the problem by updating the file to -current and rebuilding pfctl (a rebuild of the kernel or other userland parts is not needed).

I'm not sure whether the previous snapshots contained this, but there are new fixed snapshots already, in case you're not building from source.

Daniel
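The revision check above can be scripted so that it does not depend on reading the ident line by eye. The following is an added example, not part of the original post or of OpenBSD: it pulls the CVS revision out of the $OpenBSD$ ident line that head -n 1 prints and reports whether it is the affected 1.188. The two sample ident lines are constructed for the example (their shape follows the usual CVS ident format, the committer name is a placeholder); on a real system the function is fed the first line of /usr/src/sbin/pfctl/pfctl_parser.c.

```shell
# Added example, not from the original post. Classify the first line of
# pfctl_parser.c as "affected" (revision 1.188), "ok" (any other revision)
# or "unknown" (no revision found).

# Print the CVS revision from an $OpenBSD$ ident line read on stdin.
# Ident line shape: /* $OpenBSD: pfctl_parser.c,v 1.188 2004/01/22 13:32:00 user Exp $ */
pfctl_parser_revision() {
    sed -n 's/.*pfctl_parser\.c,v \([0-9][0-9]*\.[0-9][0-9]*\) .*/\1/p'
}

# Succeed (exit 0) only for the revision with the address-mask bug.
is_affected_revision() {
    [ "$1" = "1.188" ]
}

# Print "affected", "ok" or "unknown" for the ident line given as $1.
classify_header() {
    rev=$(printf '%s\n' "$1" | pfctl_parser_revision)
    if [ -z "$rev" ]; then
        echo unknown
    elif is_affected_revision "$rev"; then
        echo affected
    else
        echo ok
    fi
}

# Constructed sample ident lines; "user" stands in for the real committer.
SAMPLE_BAD='/* $OpenBSD: pfctl_parser.c,v 1.188 2004/01/22 13:32:00 user Exp $ */'
SAMPLE_GOOD='/* $OpenBSD: pfctl_parser.c,v 1.189 2004/01/25 18:47:15 user Exp $ */'

# Usage on a real source tree: check the file the post refers to, if present.
if [ -r /usr/src/sbin/pfctl/pfctl_parser.c ]; then
    classify_header "$(head -n 1 /usr/src/sbin/pfctl/pfctl_parser.c)"
fi
```

The sed pattern anchors on the file name in the ident line, so a header from some other file (or a file with the ident keyword stripped) is reported as "unknown" rather than silently passing; only an exact 1.188 is reported as affected, matching the post's statement that 1.189 carries the fix.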