eric wrote:
> On Sun, 2005-12-04 at 11:39:01 -0800, Rodney Hopkins proclaimed...
>> I was looking at the pf.conf included with 3.8, and with the
>> addition of the following line:
>>
>>     set skip on { lo }
>>
>> doesn't the lo part of the following line become redundant:
>>
>>     antispoof quick for { lo $int_if }
>
> It becomes irrelevant; after "set skip," nothing else will be evaluated for
> that interface.

No, look at what antispoof expands to:

    block drop in on ! lo inet from 127.0.0.1/8 to any
    block drop in on ! lo inet6 from ::1 to any

That means "antispoof for lo" filters on all but the lo interface group.
The skipping on lo takes care of the "Caveat:" outlined in the man page,
though... it replaces the previously recommended "pass quick on lo" rule.

Moritz
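
The point made in the reply above, as an added example that is not part of the original thread: a simplified Python model (not pf itself) of "set skip on lo" combined with the expanded antispoof rules. The interface name em0, the sample addresses and the helper names are assumptions made for the illustration; the loopback network is written as 127.0.0.0/8.

```python
import ipaddress

# Simplified model of the rule evaluation discussed in the thread; not pf itself.
SKIP = {"lo"}  # models: set skip on { lo }


def antispoof(ifname, networks):
    """Expand 'antispoof for <ifname>' into 'block in on ! <ifname>' rules."""
    return [{"not_on": ifname, "src": ipaddress.ip_network(n)} for n in networks]


# Models: antispoof quick for lo (loopback IPv4 and IPv6 sources).
RULES = antispoof("lo", ["127.0.0.0/8", "::1/128"])


def evaluate(in_if, src, rules=RULES, skip=SKIP):
    """Return 'skip', 'block' or 'pass' for a packet arriving on in_if."""
    if in_if in skip:
        return "skip"  # no rules are evaluated on a skipped interface
    addr = ipaddress.ip_address(src)
    for rule in rules:
        same_family = addr.version == rule["src"].version
        # 'on ! lo' matches every interface except the named one.
        if in_if != rule["not_on"] and same_family and addr in rule["src"]:
            return "block"  # 'quick': first match decides
    return "pass"  # nothing matched, so the packet is passed


if __name__ == "__main__":
    # Constructed sample packets: (arrival interface, source address).
    samples = [("lo", "127.0.0.1"), ("em0", "127.0.0.1"),
               ("em0", "::1"), ("em0", "192.0.2.10")]
    for in_if, src in samples:
        with_rule = evaluate(in_if, src)
        without_rule = evaluate(in_if, src, rules=[])
        print(f"{in_if:4} {src:12} with antispoof: {with_rule:5} "
              f"without: {without_rule}")
```

Traffic on lo itself is skipped, while a loopback source address arriving on em0 is blocked only while the antispoof rules for lo are present.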