NEGATE_ROUTE rule does not respect port numbers
If I add a rule on LAN to pass source all, destination all port 123 (NTP) then I get rules like this in /tmp/rules.debug:
pass in quick on $LAN1 inet proto tcp from any to <negate_networks> flags S/SA keep state label "NEGATE_ROUTE: Negate policy routing for destination"
pass in quick on $LAN1 $GWNTPGWG inet proto tcp from any to any port 123 flags S/SA keep state label "USER_RULE: Test NTP"
<negate_networks> has a correct list of the networks that are on/across OpenVPN.
The first rule here allows traffic for any port, when I think it should have "port 123" in it to restrict the pass to just port 123.
The "port" clause is generated in filter_generate_address() in filter.inc, along with the whole "destination" clause, so it is not necessarily trivial to extract the port clause right where the negate_networks rule is written. I will leave it to Ermal (I suspect) to sort out which code solution he thinks is neatest.
Since this is a situation where the underlying pf rules can pass more traffic than the user intended, I have made this high priority for 2.1.
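A quick way to check whether a given /tmp/rules.debug exhibits this problem is to pair each NEGATE_ROUTE pass rule with the policy-routed USER_RULE that follows it and flag the cases where the user rule carries a destination port but the negate rule does not. The checker below is an added example written for this report, not pfSense code; the two sample rule sets are constructed from the pair quoted above (the second set shows what a corrected negate rule would look like), and it assumes, as the report shows, that filter.inc emits the negate rule directly before its user rule on the same interface and protocol.

```python
import re
import sys

# Constructed sample modelled on the rules quoted in this report: the negate rule has no port clause.
SAMPLE_RULES = """\
pass in quick on $LAN1 inet proto tcp from any to <negate_networks> flags S/SA keep state label "NEGATE_ROUTE: Negate policy routing for destination"
pass in quick on $LAN1 $GWNTPGWG inet proto tcp from any to any port 123 flags S/SA keep state label "USER_RULE: Test NTP"
"""

# Constructed sample of what the same pair would look like once the negate rule carries "port 123".
FIXED_RULES = """\
pass in quick on $LAN1 inet proto tcp from any to <negate_networks> port 123 flags S/SA keep state label "NEGATE_ROUTE: Negate policy routing for destination"
pass in quick on $LAN1 $GWNTPGWG inet proto tcp from any to any port 123 flags S/SA keep state label "USER_RULE: Test NTP"
"""

# Minimal parser for the pf "pass" rule shape pfSense writes to rules.debug.
# The optional "$GW..." token after the interface is the policy-routing gateway macro.
RULE_RE = re.compile(
    r'^pass\s+(?P<dir>in|out)\s+quick\s+on\s+(?P<iface>\S+)'
    r'(?:\s+(?P<gw>\$\S+))?'
    r'\s+(?P<af>inet6?)\s+proto\s+(?P<proto>\S+)'
    r'\s+from\s+(?P<src>\S+)(?:\s+port\s+(?P<sport>\S+))?'
    r'\s+to\s+(?P<dst>\S+)(?:\s+port\s+(?P<dport>\S+))?'
    r'.*label\s+"(?P<label>[^"]*)"'
)


def parse_rules(rules_text):
    """Return (line, fields) for every pass rule the regex understands; other lines are skipped."""
    parsed = []
    for line in rules_text.splitlines():
        line = line.strip()
        m = RULE_RE.match(line)
        if m:
            parsed.append((line, m.groupdict()))
    return parsed


def find_over_broad_negate_rules(rules_text):
    """Return findings where a NEGATE_ROUTE rule lacks the destination port its USER_RULE has.

    Assumption (matches the report): the negate rule is emitted immediately before the
    policy-routed user rule it belongs to, on the same interface and protocol.
    """
    parsed = parse_rules(rules_text)
    findings = []
    for i, (ntext, n) in enumerate(parsed):
        if not n["label"].startswith("NEGATE_ROUTE:") or i + 1 >= len(parsed):
            continue
        utext, u = parsed[i + 1]
        if not u["label"].startswith("USER_RULE:") or not u["gw"]:
            continue  # not a policy-routed user rule, so no negate pairing expected
        if u["iface"] != n["iface"] or u["proto"] != n["proto"]:
            continue
        if u["dport"] and n["dport"] != u["dport"]:
            findings.append({
                "negate": ntext,
                "user": utext,
                "expected_port": u["dport"],
                "negate_port": n["dport"],  # None when the clause is missing entirely
            })
    return findings


if __name__ == "__main__":
    # Usage: python check_negate.py /tmp/rules.debug
    path = sys.argv[1] if len(sys.argv) > 1 else "/tmp/rules.debug"
    with open(path) as fh:
        for f in find_over_broad_negate_rules(fh.read()):
            print("negate rule passes all ports but user rule is limited to port %s:" % f["expected_port"])
            print("  " + f["negate"])
            print("  " + f["user"])
```

Run against the affected ruleset the checker reports the NTP pair; run against the corrected pair it reports nothing, which is the behaviour to expect once the port clause is carried into the negate rule.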