From 38f09717abc2dedf2c46a39b16b4c0f878c615aa Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Sun, 22 Jun 2025 13:44:54 +0000 Subject: [PATCH] pf: Re-order rules for easier blocking --- roles/pf/templates/pf.conf.gw_dna.j2 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/pf/templates/pf.conf.gw_dna.j2 b/roles/pf/templates/pf.conf.gw_dna.j2 index e9627b1..bae9ee8 100644 --- a/roles/pf/templates/pf.conf.gw_dna.j2 +++ b/roles/pf/templates/pf.conf.gw_dna.j2 @@ -64,9 +64,6 @@ pass in quick proto tcp from any to self port https # block rest of packets coming to me block in quick from any to self -# allow communication from internal to world -pass in quick on $int_if from $int_net to !$int_net - # allow myself to communicate outside (both routes) pass out quick on $ext_if from self to any pass out quick on $int_if from self to any @@ -74,6 +71,9 @@ pass out quick on $int_if from self to any # allow traffic from outside pass out quick on $int_if from any to $int_net +# allow communication from internal to world +pass in quick on $int_if from $int_net to !$int_net + # drop rest block in quick log all block out quick log all
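Review bot: the second hunk moves `pass in quick on $int_if from $int_net to !$int_net` to sit immediately above `block in quick log all`, but nothing in the template marks where the intended block rules are supposed to go, so the next editor has no anchor and could just as easily add them below the moved pass rule, where a `quick` pass would already have matched the packet. Since every rule in this ruleset is `quick`, first match wins and position is the whole point of this change; please add a comment line (for example `# site-specific block rules for $int_net go here`) directly above the moved rule, and expand the commit message beyond "easier blocking" to say which traffic is expected to be blocked and that block rules must be placed between `block in quick from any to self` and the internal-to-world pass rule. Functionally the move is safe as shown: the rules it now follows are all `pass out` rules, so no existing `pass in` rule is shadowed, but that reasoning belongs in the commit message too.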