> It likely tries to apply rules on an interface that doesn't exist yet (for example OpenVPN's tun). This issue can be avoided by enclosing the iface's name in parentheses. Like this: pass in quick on tun0 inet proto tcp from any to (tun0) port ...