Convert all your block rules to use log, sniff on pflog0, with -e and -s 2048
That should tell you what rule is blocking the first few.
My hunch is that some kind of state is getting set up by the ICMP echo
replies, and thus future requests are being passed.
In any case, the no route to host
out on $int_if from any to $int_if:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto {udp, icmp} all keep state
Everything goes fine, until any connection is lost and the ping command returns:
ping: wrote x.x.x.x 64 chars, ret=-1
ping: sendto
