PF filtering methods
I'm new to PF and I keep running into a bunch of situations that I still don't quite understand the reason for. The box is a FreeBSD 7 on which I run pf + OpenVPN and some routes towards another VPN.
This is my pf.conf:
```
#WAN interface 8x.xx.xx.130/32
ext_if="rl0"
#set loginterface $ext_if
#Private interface 10.124.175.26
int_if="fxp0"
#Public interface 8x.x.x.121/29
pb_if="rl1"
#Local network (subnet) 10.124.175.0/24
lcnet= $int_if:network
#Public network (subnet) 8x.x.x.120/29
pbnet=$pb_if:network
#lo0 is allowed everywhere
set skip on lo0
#POP IP
rnet="10.124.175.20"
#Vincze IP
vnet="10.124.175.45"
#Ftp-proxy
proxy="127.0.0.1"
#OpenVPN
vpn="tun0"
vpn_net=$vpn:network
#packet normalization
scrub in all
#ICMP
icmp_types="{echoreq, unreach}"
##############################
#Testing tables
#(the table name in angle brackets did not survive the forum rendering; pfctl will not load this line as it stands)
table
###############################
#NAT rule (for a dynamic IP use ($ext_if))
nat on $ext_if from $lcnet to any -> $ext_if
#Remote without VPN - just in case
#rdr on $ext_if proto tcp from any to port 3389 -> 10.124.175.20
#FTP rule - damn FTP, shitty protocol
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
#rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
#let nothing through
block all
#Accepted ports
tcp_wan = "{smtp, www, domain, pop3, https, pop3s, 10000, 5000 }"
tcp_services = "{ssh, www, smtp, domain, pop3, auth, https, pop3s, ftp, ftp-data }"
udp_services = "{ domain }"
#tcp_lan = "{ssh, domain, 3128}"
###############################################################################
###############################################################################
#For now for the public IP!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#pass in on $pb_if proto tcp from $pbnet to any port $tcp_wan keep state
pass proto udp from any to any port $udp_services keep state
pass inet proto tcp from $pbnet to any port $tcp_services keep state
pass proto tcp from any to 8x.x.x.123 port $tcp_wan keep state
pass proto tcp from any to 8x.x.x.123 port 21 keep state
pass proto tcp from any to 8x.x.x.123 port > 32768 keep state #FTP
###############################################################################
###############################################################################
anchor "ftp-proxy/*"
#pass inet proto tcp from { lo0, $lcnet, $ext_if } to any port $tcp_services keep state
#pass inet proto icmp from { lo0, $lcnet, $ext_if, $pbnet } to any
pass quick proto tcp from { $vnet, $ext_if } to any keep state
pass quick proto udp from { $rnet, $ext_if } to any keep state
#########################################
#Test tables
#(the table name in angle brackets did not survive the forum rendering; this line is incomplete as shown)
pass log inet proto tcp from
#pass log inet from
#Towards 2 VPNs
pass inet from $lcnet to 10.40.0.0/16 keep state
pass inet from $lcnet to 10.112.0.0/16 keep state
#########################################
#Traceroute rule
pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state
#FTP rule
pass out proto tcp from $proxy to any port 21 keep state
#OpenVPN (UDP 1194) inbound on the WAN
pass in on $ext_if proto udp from any to port 1194 keep state
#pass in on $ext_if proto tcp from any to port 3389 keep state
#ICMP rule
pass inet proto icmp from any to any icmp-type $icmp_types keep state
#OpenVPN - wide open
pass quick on tun0
#Remote desktop
pass on $int_if from any to $lcnet keep state
```
What I don't understand at all is that no matter how I've written the rules for OpenVPN, I can't connect to the systems in the LAN on 10.124.175.0/24 except with the rule `pass on $int_if from any to $lcnet keep state`.
I tried:
pass on $int_if from $vpn_net to $lcnet keep state
pass on $vpn_net from $lcnet to $vpn_net keep state
or with pass on quick ... the point is it only works with from any ... can someone explain to me where I'm going wrong?
And the second question:
how can I put one address with !ip so it gets dropped, while another one is allowed through?
if I put pass on interface { ip_allow, !ip_deny } - both go through without any problem ... from some points of view pf seems great, but some rules honestly have no logic at all...
I've read the OpenBSD documentation and "The Book of PF" too, and I still have doubts about the questions above.
And another question: if I allow FTP on ports from 33000 upwards, and nothing listens on that port, can a port on which no service is listening be attacked?
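Added example (not part of the original post or of pf itself): a small Python model of how pf expands a brace list into one rule per element and then picks the winning rule (top to bottom, last match wins, a matching `quick` rule stops evaluation). It shows what `pass on $int_if from { ip_allow, !ip_deny }` means once expanded, and what happens when a broad `pass ... from any` follows it, as the last rule of the ruleset above does. The three host addresses are constructed stand-ins for ip_allow, ip_deny and a third LAN host; only the source address is modelled, and this is not pf's own parser.

```python
"""Toy model of pf rule evaluation (illustration only, not pf's parser):
brace lists expand into one rule per element, rules are walked top to
bottom, the last matching rule wins, and a matching 'quick' rule stops
the walk. Only the 'from' address is modelled."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str          # "pass" or "block"
    src: str             # "any", an address/CIDR, or "!" + address/CIDR
    quick: bool = False


def expand_list(action, sources, quick=False):
    """pf expands `from { a, b }` into separate rules `from a` and `from b`."""
    return [Rule(action, s.strip(), quick) for s in sources]


def src_matches(rule_src, pkt_src):
    """Does the rule's source criterion match the packet's source address?"""
    if rule_src == "any":
        return True
    negated = rule_src.startswith("!")
    net = ipaddress.ip_network(rule_src.lstrip("!"), strict=False)
    inside = ipaddress.ip_address(pkt_src) in net
    return not inside if negated else inside


def evaluate(rules, pkt_src, default="block"):
    """Walk the ruleset; the last match decides unless a match is 'quick'."""
    verdict = default
    for rule in rules:
        if src_matches(rule.src, pkt_src):
            verdict = rule.action
            if rule.quick:
                break
    return verdict


# Constructed sample hosts standing in for ip_allow, ip_deny and another LAN host.
IP_ALLOW = "10.124.175.45"
IP_DENY = "10.124.175.20"
IP_OTHER = "10.124.175.99"


def negated_list_ruleset():
    """block all / pass from { ip_allow, !ip_deny }  (the form in the post)."""
    return [Rule("block", "any")] + expand_list("pass", [IP_ALLOW, "!" + IP_DENY])


def negated_list_plus_pass_any():
    """The same list, followed by a broad `pass from any` like the ruleset's last rule."""
    return negated_list_ruleset() + [Rule("pass", "any")]


def allow_only_ruleset():
    """block all / pass from ip_allow: no negation, the default block covers the rest."""
    return [Rule("block", "any"), Rule("pass", IP_ALLOW)]


def verdicts(rules):
    """Return {host: verdict} for the three sample hosts."""
    return {host: evaluate(rules, host) for host in (IP_ALLOW, IP_DENY, IP_OTHER)}


if __name__ == "__main__":
    for name, ruleset in [("negated list", negated_list_ruleset()),
                          ("negated list + pass any", negated_list_plus_pass_any()),
                          ("allow only", allow_only_ruleset())]:
        print(f"{name:24s} {verdicts(ruleset)}")
```

The expansion turns the list into `pass from ip_allow` plus `pass from !ip_deny`; the second element matches every host except ip_deny, so the list opens the rule to the whole network rather than restricting it to ip_allow. With a later `pass ... from any` in the ruleset, ip_deny is passed as well, because that rule matches last. `block all` followed by a plain `pass from ip_allow` expresses the intent without any negation; `pfctl -nvf /etc/pf.conf` prints the expanded rules so the result of a list can be checked before loading.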