I was trying to block HTTP access for one of my users. I have a SQUID cache server/gateway at my network bottleneck, and I use one of that server's Ethernet ports just for catching HTTP connections and caching content; I also installed PF as the firewall. As you may know, with PF it is very easy to block any kind of inbound or outbound access, so I added the following rule to /etc/pf.conf to stop my user from initiating HTTP requests:
block in on bge0 proto tcp from 10.0.0.1 to any port 80
But I experienced a strange thing: the client was still able to use HTTP. I also checked my SQUID logs, and all of the user's requests were passing through the SQUID proxy. The reason is that PF redirects packets before any kind of filtering!
IMPORTANT: PF applies rdr/nat translation before filtering. The filter rules only see the already-translated packet, so a request from 10.0.0.1 that the rdr rule has rewritten to 127.0.0.1 port 3128 never matches a block rule on port 80. (This is the behaviour of the classic rdr syntax used here; in OpenBSD 4.7 and later, translation was merged into the filter rules as rdr-to/nat-to options, so the ordering is different there.)
So then, I edited /etc/pf.conf like this:
table <proxied_hosts> { 10.0.0.0/8, !10.0.0.1 }   # table name assumed: the original name was lost from the page
.
.
.
rdr on bge0 proto tcp from <proxied_hosts> to any port 80 -> 127.0.0.1 port 3128
.
.
.
block in on bge0 proto tcp from 10.0.0.1 to any port 80
After editing the configuration, the following commands reload it:
$ pfctl -d -k localhost
$ pfctl -e -f /etc/pf.conf
Two notes on these commands: pfctl -f /etc/pf.conf alone is enough to load the new rule set, disabling and re-enabling PF is not required; and -k kills the existing states for the given source host, so to cut a connection that 10.0.0.1 already has open through the proxy, run pfctl -k 10.0.0.1 as well (killing states for localhost only drops the proxy's own outbound connections). Everything here runs as root.
Now my user with the static address 10.0.0.1 is not able to use HTTP. That was only a test; nobody wants to limit HTTP access for a user!
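To make the ordering problem concrete, here is an added toy model of the packet path described above (translation first, then filtering), written for this page and not part of the original post or of PF itself. It assumes the first attempt redirected every port-80 connection on bge0 to the proxy (`from any`), uses an assumed table name `<proxied_hosts>`, a constructed destination 203.0.113.10, and PF's table semantics of longest-prefix match with a negated entry meaning "not in the table":

```python
"""Toy model of classic PF packet processing: rdr translation runs before the
filter rules, and the filter rules only see the translated packet.
Constructed example; the destination address and table name are assumptions."""
from dataclasses import dataclass, replace
import ipaddress


@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str
    src: str
    dst: str
    dport: int


class Table:
    """PF table: longest-prefix match; if the winning entry is negated ('!'),
    the address is treated as not being in the table."""

    def __init__(self, entries):
        self.entries = [(ipaddress.ip_network(e.lstrip("!"), strict=False),
                         e.startswith("!")) for e in entries]

    def contains(self, addr):
        a = ipaddress.ip_address(addr)
        best = None
        for net, negated in self.entries:
            if a in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, negated)
        return best is not None and not best[1]


def src_matches(spec, addr):
    if spec == "any":
        return True
    if isinstance(spec, Table):
        return spec.contains(addr)
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


@dataclass(frozen=True)
class Rule:
    action: str            # "rdr", "block" or "pass"
    iface: str
    src: object            # "any", a CIDR string, or a Table
    dport: int
    target: tuple = None   # (addr, port) for rdr rules

    def matches(self, pkt):
        # every rule on this page is "proto tcp", so proto is fixed here
        return (pkt.iface == self.iface and pkt.proto == "tcp"
                and src_matches(self.src, pkt.src) and pkt.dport == self.dport)


def process(pkt, rdr_rules, filter_rules):
    """Classic PF ordering: the first matching rdr rewrites the destination,
    then the filter rules are evaluated on the rewritten packet (last match wins)."""
    for r in rdr_rules:
        if r.matches(pkt):
            pkt = replace(pkt, dst=r.target[0], dport=r.target[1])
            break
    verdict = "pass"                       # PF's default when no filter rule matches
    for r in filter_rules:
        if r.matches(pkt):
            verdict = r.action
    return verdict, pkt


BLOCK_RULE = Rule("block", "bge0", "10.0.0.1/32", 80)   # the post's block rule


def first_attempt(src):
    """rdr for everyone (assumed 'from any'), then the block rule: the block rule
    never sees port 80 because the packet already points at 127.0.0.1:3128."""
    rdr = [Rule("rdr", "bge0", "any", 80, ("127.0.0.1", 3128))]
    return process(Packet("bge0", "tcp", src, "203.0.113.10", 80), rdr, [BLOCK_RULE])


def fixed_config(src):
    """The post's fix: exclude the client from the rdr table, so its packets reach
    the filter rules untranslated and the block rule matches."""
    proxied_hosts = Table(["10.0.0.0/8", "!10.0.0.1"])
    rdr = [Rule("rdr", "bge0", proxied_hosts, 80, ("127.0.0.1", 3128))]
    return process(Packet("bge0", "tcp", src, "203.0.113.10", 80), rdr, [BLOCK_RULE])


if __name__ == "__main__":
    for label, fn in (("first attempt", first_attempt), ("fixed config", fixed_config)):
        for src in ("10.0.0.1", "10.0.0.2"):
            verdict, pkt = fn(src)
            print(f"{label:14} {src}: {verdict:5} -> {pkt.dst}:{pkt.dport}")
```

Running it shows the first attempt passing 10.0.0.1 through to 127.0.0.1:3128 despite the block rule, while with the table exclusion the same packet stays on port 80 and is blocked; the other hosts in 10.0.0.0/8 are still redirected to the proxy in both cases.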