The antispoof directive will expand to two block rules with the IP address of the interface, so I would think that with a dynamic IP, the interface should be surrounded in parentheses like this:

    antispoof for (wi0)

But this seems to be wrong, as I have not read any guide or FAQ that does this, e.g. the "Building a router" guide found at https://www.openbsd.org/faq/pf/example1.html#pf

In the gateway configuration, the egress group is surrounded with parentheses in multiple places, but not with antispoof:

    antispoof quick for { egress $wired $wifi }

Why should this not be

    antispoof quick for { (egress) $wired $wifi }

or

    antispoof quick for { (egress:0) $wired $wifi }

Another thing I was wondering about while reading the manpage for pf.conf:

===
The simplest mechanism to block everything by default and only pass packets that match explicit rules is specify a first filter rule of:

    block all
===

Is it not even simpler to just specify the filter rule as block, without all? They seem to expand identically.

Thanks.

Mogens Jensen