I was trying to block HTTP access for one of my users. I have a SQUID cache server/gateway at my network bottleneck, and I use one of the Ethernet ports of that server just for catching HTTP connections and caching content. I also installed PF as a firewall.

As you may know, with PF it is very easy to block any kind of access, inbound or outbound. To keep my user from initiating HTTP requests, I used the following command, by editing /etc/pf.conf:

block in on bge0 proto tcp from 10.0.0.1 to any port 80

But I experienced a strange thing: the client was able to use HTTP. I also checked my SQUID, and all user queries were passing through the SQUID proxy. The reason was that PF redirects packets before any kind of filtering!

IMPORTANT: PF redirects packets before any kind of filtering

So then, I edited /etc/pf.conf like this:

table { 10.0.0.0/8, !10.0.0.1 }
. . .
rdr on bge0 proto tcp from to...
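
The ordering described above, as an added example that is not code from the original post: a simplified Python model of PF applying rdr before the filter rules, with table lookup decided by the most specific entry. The Squid address 127.0.0.1:3128, the catch-all redirect `RDR_ALL` and the destination 192.0.2.10 are assumptions made for illustration.

```python
import ipaddress

# Assumed for illustration (not in the post): Squid listens on 127.0.0.1:3128.
SQUID = ("127.0.0.1", 3128)

def table_match(table, addr):
    """PF table lookup: the most specific entry covering addr decides,
    and a negated ('!') entry means the address does not match."""
    ip = ipaddress.ip_address(addr)
    best = None  # (prefix length, negated) of the narrowest covering entry
    for entry in table:
        net = ipaddress.ip_network(entry.lstrip("!"))
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, entry.startswith("!"))
    return best is not None and not best[1]

def src_match(spec, addr):
    """spec is 'any', a single address/network, or a table (list)."""
    if isinstance(spec, list):
        return table_match(spec, addr)
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def process(packet, rdr_rules, block_rules):
    """Apply rdr first, then evaluate block rules on the translated packet."""
    src, dst, dport = packet
    for rule_src, rule_port in rdr_rules:
        if src_match(rule_src, src) and dport == rule_port:
            dst, dport = SQUID  # destination rewritten before filtering
            break
    for rule_src, rule_port in block_rules:
        if src_match(rule_src, src) and dport == rule_port:
            return ("block", dst, dport)
    return ("pass", dst, dport)  # PF passes by default when no rule matches

BLOCK = [("10.0.0.1", 80)]                       # the block rule from the post
RDR_ALL = [("any", 80)]                          # assumed original redirect
RDR_TABLE = [(["10.0.0.0/8", "!10.0.0.1"], 80)]  # table from the post

if __name__ == "__main__":
    for name, rdr in (("redirect everyone", RDR_ALL), ("table with !10.0.0.1", RDR_TABLE)):
        for src in ("10.0.0.1", "10.0.0.2"):
            # 192.0.2.10 is a constructed destination (documentation range)
            print(name, src, process((src, "192.0.2.10", 80), rdr, block_rules=BLOCK))
```

With the catch-all redirect, the packet from 10.0.0.1 reaches the filter already addressed to port 3128, so the port 80 block rule never matches; excluding the client from the redirect table leaves the packet untranslated and the block rule applies.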