Dumb pf.conf question
Date: Sat, 04 Jun 2022 20:05:52 UTC
Due to an excess (to put it politely) of packets originating from IPv4-address-that-shall-not-be-mentioned, I decided to fix up my pf.conf file, which in very general terms looks like this:

    (a bunch of macro definitions: ext_if = external interface, int_if = internal interface,
     internal_ipv6 = 2001:xxxx:yyyy:zzzz::/120, internal_net = 10.0.0.0/8)
    (a couple of table definitions)
    (no options, traffic normalization, or queueing)

    scrub in all

    nat on $ext_if from $internal_net to any -> ($ext_if)
    (a bunch of rdr statements, none of which contain "quick")

    block all
    pass quick on lo0
    pass quick on $int_if
    pass quick from $internal_ipv6
    pass quick to $internal_ipv6
    #nuisance ssh logins
    block quick on $ext_if from (nasty address)
    (lots more packet filtering rules that work)

But that next-to-last line is not stopping packets from nasty address. What did I do wrong?
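One thing to check, as an added example rather than anything from the thread: pf evaluates filter rules top-down and stops at the first matching rule marked quick, so a block quick placed after pass quick rules that could match the same packet never gets a chance to fire, and a block rule never affects states that already exist. The file below keeps the poster's structure with the nuisance block moved ahead of the pass quick rules (the interface names, the table name and 192.0.2.1 are placeholders, not values from the post), followed by the pfctl commands that show whether the rule is loaded and actually matching.

```pf
# Added example, not the poster's file. Placeholder values are assumptions.
ext_if = "em0"
int_if = "em1"
internal_ipv6 = "2001:db8:1:2::/120"
internal_net = "10.0.0.0/8"
table <nuisance> persist { 192.0.2.1 }   # stands in for the nasty address

scrub in all

# Translation rules run before filter rules; rdr rewrites the destination,
# not the source, so a "from <nuisance>" filter rule still sees the real source.
nat on $ext_if from $internal_net to any -> ($ext_if)
# (rdr statements unchanged)

# Filter rules: first matching "quick" rule wins, so the block goes first.
block all
block quick on $ext_if from <nuisance>
pass quick on lo0
pass quick on $int_if
pass quick from $internal_ipv6
pass quick to $internal_ipv6
# (remaining filter rules)

# Checks, run as root:
#   pfctl -nf /etc/pf.conf     parse the file without loading it
#   pfctl -f /etc/pf.conf      load it; edits do nothing until reloaded
#   pfctl -vvsr                numbered rules with Evaluations/Packets counters;
#                              a block rule whose Packets stays at 0 is either
#                              never reached or does not match the traffic
#   pfctl -t nuisance -T show  confirm the table holds the address
#   pfctl -k 192.0.2.1         kill existing states from that host, since pf
#                              passes packets on established state without
#                              re-evaluating the ruleset
```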