Pardon me for being dense here, but I must be missing something. If I want to add a tag to all packets coming from an IP address early in the pf.conf file, and then block that packet later (after NAT) based on the tag instead of the (now modified) IP address, then there is a problem.
I added a rule early in the file that said "pass in on $IntIf from 192.168.100.130 to any tag MYTAG"; then, later (after NAT), I tried to block any packet tagged MYTAG. The problem is that the sections in pf.conf have to be in order, and filtering is last. I cannot have the above line high in the file. So how do I tag something before NAT runs (based on an internal IP address) and then block that tag later?

Thanks, Jim
