On 3/24/25 10:46, Vaughn A. Hart wrote:
> I rarely see the self keyword used in pf.conf and I wondered why? I
> experimented with it and want to get some feedback on if what I’m
> thinking works or doesn’t.
Quoting the pf.conf man page:
"self Expands to all addresses assigned to all interfaces."
Basically, it's a built-in macro, so all your self references will
expand to one rule per interface unless the ruleset parser finds a way
to optimize something away. And I just checked and for some reason the
pf.conf man page on FreeBSD and macOS does not have that explanation,
but that will be the way the code behaves anyway.
It can be quite instructive to use "pfctl -vnf /etc/pf.conf" (verbose
display, but not load the configuration in the specified file) to see
what your ruleset will look like when it is actually loaded.
I did not study your rules in much detail, but I noticed this: All the
specific block rules are already covered by your early "block in all",
so only add evaluation overhead. It is likely better, or at least it
makes for a more readable configuration if you do a "block" (which
would expand to "block drop all"), then selectively allow (pass) the
things you want to allow. Unless of course you want to vary the block
response (drop or return) by specific criteria.
All the best,
Peter
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
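As an added illustration of the approach described in the reply above (not a ruleset from this thread or from anyone posting in it), here is a pf.conf in the shape Peter recommends: one default block, then selective pass rules. Interface names, networks and ports are assumptions chosen for the example.

```pf
# Added example, not from the thread. Interface names, the internal network
# and the service ports are assumptions for illustration only.
ext_if = "em0"
int_if = "em1"

set skip on lo

# Default policy. A bare "block" expands to "block drop all"; every later
# "pass" is an exception to this one rule, so no per-service block rules
# are needed and nothing is evaluated twice.
block

# Vary the block response only where that is actually wanted: a TCP reset
# instead of a silent drop for the internal network, so clients fail fast.
# Later pass rules still win for the traffic they match (last match wins).
block return in on $int_if proto tcp

# Traffic originating from this host may leave on the external interface.
pass out quick on $ext_if inet from ($ext_if) to any

# "self" expands to every address on every interface, so this single line
# becomes one rule per address when the ruleset is loaded. Verify with:
#   pfctl -vnf /etc/pf.conf
pass in on $ext_if inet proto tcp from any to self port { ssh, https }

# The internal network may reach the host's own resolver on any address.
pass in on $int_if inet proto { tcp, udp } from $int_if:network to self port domain
```

Running the `pfctl -vnf` check from the comment prints the expanded rules without loading them, so the per-address expansion of `self` and the `block drop all` expansion can be read directly.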