When your configuration does not behave as expected, there may be an error in the rule set logic, so you need to find the error and correct it. Tracking down logic errors in your rule set can be time-consuming, and could involve manually evaluating your rule set, both as it is stored in the pf.conf file and the loaded version after macro expansions and any optimizations.

Users often initially blame PF for problems that turn out to be basic network problems. Network interfaces set to wrong duplex settings, bad netmasks, and faulty network hardware are common culprits.

Before diving into the rule set itself, you can easily determine whether the PF configuration is causing the problem. To do so, disable PF with pfctl -d to see ...