Convert all your block rules to use "log", sniff on pflog0, with -e and -s 2048.

That should tell you what rule is blocking the first few.

My hunch is that some kind of state is getting set up by the ICMP echo
replies, and thus future requests are being passed.

In any case, the "no route to host" suggests that it is pf that is blocking it.
--
Security Guru for Hire http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484
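
The logging step suggested above, as an added example that is not part of the original message: a shell helper that tallies which pf rule blocked packets, reading `tcpdump -e` output from pflog0. The function names and the sample lines are assumptions, with the sample modeled on tcpdump's `rule N/(match) block in on IF:` pflog prefix.

```shell
#!/bin/sh
# Added example: count pf block decisions per rule from tcpdump output on pflog0.
# Prerequisite from the message: block rules carry "log", e.g. "block in log all".
# Live capture (as root on the firewall):
#   tcpdump -n -e -s 2048 -i pflog0 | tally_blocks

# Constructed sample of `tcpdump -n -e -i pflog0` output; the addresses and the
# interface name are made up for illustration.
sample_pflog() {
cat <<'EOF'
12:00:01.100000 rule 4/(match) block in on em0: 192.0.2.10 > 192.0.2.1: icmp: echo request
12:00:02.100000 rule 4/(match) block in on em0: 192.0.2.10 > 192.0.2.1: icmp: echo request
12:00:03.100000 rule 7/(match) pass in on em0: 192.0.2.10 > 192.0.2.1: icmp: echo request
12:00:04.100000 rule 9/(match) block out on em0: 192.0.2.1.4321 > 198.51.100.5.53: udp 30
EOF
}

# Read tcpdump -e lines on stdin and print "count rule direction interface"
# for blocked packets only, most frequent rule first.
tally_blocks() {
    awk '
    {
        for (i = 1; i <= NF - 5; i++) {
            if ($i == "rule" && $(i + 2) == "block") {
                split($(i + 1), r, "/")            # "4/(match)" -> rule number 4
                ifc = $(i + 5); sub(/:$/, "", ifc) # "em0:" -> "em0"
                n[r[1] " " $(i + 3) " " ifc]++
                break
            }
        }
    }
    END { for (k in n) print n[k], k }' | sort -k1,1nr -k2,2n
}

# Run the tally over the constructed sample.
sample_pflog | tally_blocks
```

The rule numbers in the output can be matched against the `@N` prefixes printed by `pfctl -vvs rules`.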
