With PF, because it is "last matching rule wins," I find it easiest to start with the most general rule first, then work my way to more specific rules.
If I've understood your use case correctly, something like this:
Code:
block in all
pass in proto tcp to (msk0) port {80 443}
- With TCP and UDP, every packet has two port numbers: a destination port number where a service is listening, and that's what we always think of when we think of ports -- but there is also a source port number used by the initiating system.
- In PF, you can filter on either port number.
- Destination port numbers follow the destination IP address, which follows after "to".
- There is an implied "from any port any" in front of the "to" in this second rule. And "port any" isn't correct syntax, but if you don't specify a source port then any source port will match.
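Putting those points together as a small, commented pf.conf (an added example, not the poster's rules; it assumes the external interface is msk0 as above, and the 192.0.2.53 address and the DNS rule are made up purely to show a source-port match):

```pf
# Added example for illustration; not the original poster's ruleset.
# Assumes the external interface is msk0, as in the thread.
ext_if = "msk0"
web_ports = "{ 80 443 }"

set skip on lo0

# Most general rule first: pf evaluates every rule and the LAST match wins,
# so this default deny is overridden by the more specific pass rules below.
block in all

# Inbound web traffic. Only the destination port is written, so the source
# side is implicitly "from any" with any source port.
pass in on $ext_if proto tcp to ($ext_if) port $web_ports

# The same rule with the source side spelled out. There is no valid
# "port any"; omitting "port" on the from side is how you match any source port.
# pass in on $ext_if proto tcp from any to ($ext_if) port $web_ports

# Matching on the SOURCE port instead: packets that leave a (constructed)
# DNS server 192.0.2.53 from UDP port 53. With stateful filtering you would
# not normally need this; it is here only to show "from ... port".
pass in on $ext_if proto udp from 192.0.2.53 port 53 to ($ext_if)

# Let this host talk out; pf keeps state by default, so the replies come back
# without a separate "pass in" rule.
pass out on $ext_if
```

Before loading a ruleset like this, `pfctl -nf /etc/pf.conf` parses it without activating it, so a typo in a port list or an interface name shows up as a parse error instead of a lockout.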