Ок! вижу читать надо группой и вслух (для особо глухих/слепых/немых)...
итак
>man 5 pf.conf->
STATEMENT ORDER
There are seven types of statements in pf.conf:
Macros
User-defined variables may be defined and used later, simplifying
the configuration file. Macros must be defined before they are
referenced in pf.conf.
Tables
Tables provide a mechanism for increasing the performance and flex-
ibility of rules with large numbers of source or destination ad-
dresses.
Options
Options tune the behaviour of the packet filtering engine.
Traffic Normalization (e.g. scrub)
Traffic normalization protects internal machines against inconsis-
tencies in Internet protocols and implementations.
Queueing
Queueing provides rule-based bandwidth control.
Translation (Various forms of NAT)
Translation rules specify how addresses are to be mapped or redi-
rected to other addresses.
Packet Filtering
Stateful and stateless packet filtering provides rule-based block-
ing or passing of packets.
With the exception of macros and tables, the types of statements should
be grouped and appear in pf.conf in the order shown above, as this match-
es the operation of the underlying packet filtering engine. By default
pfctl(8) enforces this order (see set require-order below).
->
видим, что нас отсылают смотреть ниже set require-order, если нас вдруг не устраивает нормальный ход вещей....
->
set require-order
By default pfctl(8) enforces an ordering of the statement types in
the ruleset to: options, normalization, queueing, translation,
filtering. Setting this option to no disables this enforcement.
There may be non-trivial and non-obvious implications to an out of
order ruleset. Consider carefully before disabling the order en-
forcement.
->
обращаем внимание на вполне разумное предостережение "...non-trivial and non-obvious...",
и если после этого мы еще всетаки очень хотим этого, то как говорится в каком-то посте ниже "...включаем фантазию...", попутно полезно перечитать ман на предмет quick anchor skip on in|out etc., и вперед за фантазией....
