Blocking Website Access with PF

Hi,
I'm having no luck at all in creating a shitlist of websites I want to block
children's access to. I've created a macro containing the 'offending' IPs
and written what I thought was a reasonable rule to bin the replies.
Ideally I'd like it to work in such a way that if one of the listed sites
were to be accessed they would be redirected to an internal web page
explaining why they can't get access. But I can work on that once I get the
blocking to work. (But any pointers would be appreciated :-).)
However, even after pfctl -F all -f /etc/pf.conf
I can still access the site. It's obvious that I'm an OpenBSD novice, but
this really is getting to me. Can anyone please point me in the right
direction? Below is the pf.conf as it currently stands (based on the
example from the OpenBSD.org site).
# macros
int_if = "le1"
ext_if = "le0"
tcp_services = "{22}" # TODO: Add rdir to server
shitlist = "{ xxx.xxx.xxx.xxx, xx.xxx.xxx.xxx }" # Real IPs removed!
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
set block-policy return
set loginterface $ext_if
scrub in all
# Nat / ReDir
nat on $ext_if from $int_if:network to any -> ($ext_if)
# Filters
block all
# Local Interface
pass quick on lo0 all
# Enable AntiSpoof on Internal IF
antispoof quick for $int_if
# RFC1918 Addresses
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets
# This is the line that does not work!
block out on $ext_if from any to $shitlist
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
# End of File
--
Thanks
William.
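The reason the block never takes effect is PF's evaluation order: every filter rule is evaluated, and the last rule that matches wins, unless a rule carries the `quick` keyword, which stops evaluation at that rule. In the ruleset above, `block out on $ext_if from any to $shitlist` matches the outbound web connection, but so does the later `pass out on $ext_if proto tcp all modulate state flags S/SA`, and being later it wins. Adding `quick` to the block rule fixes that. The redirect can be done with an `rdr` rule in the translation section (the same pre-4.7 `nat`/`rdr` syntax the posted file already uses): translation happens before filtering, and the filter rules see the translated packet, so the existing `pass in on $int_if ... to any` rule admits the rewritten request. The following is an added example reworking the relevant parts of the posted ruleset; it is not the original poster's file. The `block_page` address 192.168.1.10 is an assumed internal web server serving the explanation page, and the `xxx` placeholders must be replaced with real addresses before pfctl will load the file.

```pf
# Added example, not the file from the original post.
int_if = "le1"
ext_if = "le0"
shitlist = "{ xxx.xxx.xxx.xxx, xx.xxx.xxx.xxx }" # placeholders, as in the post
# Assumed: internal web server on the LAN that serves the "why this is blocked" page
block_page = "192.168.1.10"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

set block-policy return
set loginterface $ext_if
scrub in all

# Translation rules are applied before filtering; filter rules see the
# translated packet.
nat on $ext_if from $int_if:network to any -> ($ext_if)
# Web requests from the LAN to a listed host are rewritten to the internal
# explanation page, so the browser lands there instead of on the site.
rdr on $int_if proto tcp from $int_if:network to $shitlist port www -> $block_page port www

# Filters
block all
pass quick on lo0 all
antispoof quick for $int_if
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

# "quick" stops rule evaluation here, so the later "pass out" rules on $ext_if
# cannot override this block.  It catches anything to the listed hosts that the
# rdr above did not rewrite (ports other than 80).  "return" sends a TCP RST
# back to the client instead of silently dropping, so the browser fails fast.
block return out quick on $ext_if from any to $shitlist

pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, load it with `pfctl -f /etc/pf.conf`, and confirm the rule order with `pfctl -sr`; flushing states (`pfctl -F states`) is still needed after a change, because a connection that already has a state entry keeps passing regardless of the new rules. Two caveats a practitioner would want: the `rdr` only covers port 80, so an HTTPS connection to a listed host is simply reset rather than redirected (a TLS connection cannot be transparently redirected to a different server without certificate errors), and blocking by IP address is only as good as the address list, since many sites answer on several addresses that change over time.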