Daniel Hartmeier wrote that my use of tagging should work. So I moved the tagging rules to the very top of my rule set and did a traceroute from a different machine. This is the result:
# pfctl -vvvsr
@0 scrub in all fragment reassemble
  [ Evaluations: 121941 Packets: 63360 Bytes: 0 States: 0 ]
@0 block drop log all
  [ Evaluations: 4171 Packets: 10 Bytes: 468 States: 0 ]
@1 block drop log quick inet6 all
  [ Evaluations: 4171 Packets: 0 Bytes: 0 States: 0 ]
@2 block drop in inet proto icmp all icmp-type echoreq tag icmp
  [ Evaluations: 4171 Packets: 0 Bytes: 0 States: 0 ]
@3 pass in quick from <MailUsers:4> to any keep state tagged icmp
  [ Evaluations: 3533 Packets: 0 Bytes: 0 States: 0 ]
@4 pass in quick on ste0 from any to <ICMP_ok:2> keep state tagged icmp
  [ Evaluations: 3533 Packets: 0 Bytes: 0 States: 0 ]
@5 pass in quick on fxp0 all keep state tagged icmp
  [ Evaluations: 3533 Packets: 71 Bytes: 6016 States: 1 ]
@6 pass in quick on ste1 all keep state tagged icmp
  [ Evaluations: 3532 Packets: 0 Bytes: 0 States: 0 ]
@7 pass in quick on ste2 all keep state tagged icmp
  [ Evaluations: 3532 Packets: 0 Bytes: 0 States: 0 ]
@8 pass out quick all keep state tagged icmp
  [ Evaluations: 4171 Packets: 0 Bytes: 0 States: 0 ]
@9 pass out quick inet proto icmp all icmp-type echoreq keep state
  [ Evaluations: 639 Packets: 65 Bytes: 5572 States: 1 ]

I don't understand why rule 8 was not used. (There are other rules after 9 which I did not include, but I do not believe that they could affect this example.)
