On 2010-06-14, william dunand <william.dunand@gmail.com> wrote:
quoted text
> Well this rule-set's purpose is just to illustrate the "problem".

Ah, for that we can go simpler:

pass log
match

Now you would expect any outgoing traffic to be logged. It isn't.
I've sent a PR for this so it's not lost - it will probably be
kernel/6401.

You don't need it for your requirements though:

quoted text
> ### Ext outbound ###
> match out on $ext_if from any to any queue (q_low, q_max)
> ... bunch of pass out on $ext_if from something to something ...

add "block out log on $ext_if proto tcp to port 25" here

quoted text
> pass out on $ext_if proto tcp from {A, B} to any port 25
> match out on $ext_if from $somewhere to any nat-to $something

move this nat-to rule above the pass rule/s that it needs to apply
to.

in general (excepting the bug demonstrated above), match rules
don't affect preceding rules.