I was trying out the interface groups of pf 3.8, and I was surprised to
get a syntax error with:

    pass out quick proto { tcp udp } from egress to any port domain flags S/SA keep state

You do not get an error message for:

    pass out quick proto { tcp udp } from (egress) to any port domain flags S/SA keep state

Also, as a result of this experimentation, I discovered that syntactically
you can say:

    antispoof $dbg quick for self

or

    pass out quick on self proto { tcp udp } from (egress) to any port domain flags S/SA keep state

which seems to use "self" in these cases as an undefined interface
group. I would have expected that "self" would have been implemented
as an interface group of all the interfaces on the computer.

pf is very unhappy if you use:

    set loginterface egress

After this statement I could not get pf to work again unless I rebooted.

Also, it is not obvious to me what happens when you use:

    antispoof quick for Inside

where "Inside" is an interface group containing several interfaces. I
expect that antispoof only works as a group, rather than on each interface
individually.