Sorry for the SPAM. I commented out my block out rules and they look like
they are working... with block in on self from <table>

Let me know if you know of something different.

-Vaughn


-----------------------------
Vaughn A. Hart
[email protected]
646-284-4291
https://www.linkedin.com/in/vahart
https://github.com/vaughnhart
https://open.spotify.com/user/aojaa35704q6no3iqt4h6k8im?si=b8f2195781f64632
2Sam 14:14a We must all die; we are like water spilled on the ground, which
cannot be gathered up again.“
Jesus said to her, “I am the resurrection and the life. Whoever believes in
me, though he die, yet shall he live,” (John 11:25 ESV)


On Mon, Mar 24, 2025 at 5:00 PM Vaughn A. Hart <[email protected]> wrote:

> I stand corrected.... I have my block out log rule... to those tables....
> therefore I beg your help on the self keyword... with urgency.
>
>
>
> On Mon, Mar 24, 2025 at 3:44 PM Vaughn A. Hart <[email protected]> wrote:
>
>> I think my rules work...
>>
>> Here are the attachments...
>>
>> -Vaughn
>>
>>
>>
>> On Mon, Mar 24, 2025 at 12:31 PM Vaughn A. Hart <[email protected]>
>> wrote:
>>
>>> Stuart,
>>>
>>> Thank you for the response. I see the antispoof for self rules expand
>>> when I run pfctl -s all. But I don't see the block rules for the self
>>> keyword do the same, which is why I emailed you. What I am attempting to do
>>> is capture all the interfaces, whether they are present or plugged in later (say a
>>> new docking connection or Thunderbolt display), and block those addresses. I
>>> was creating a table for int (en0-4) and utun but I felt it wouldn't enable
>>> filtering on a newly plugged-in device that's given a new interface number.
>>> So I tried to use self.
>>>
>>> Is there any way to have such a dynamic rule?
>>>
>>> -Vaughn
>>>
>>>
>>>
>>>
>>> On Mon, Mar 24, 2025 at 9:01 AM Stuart Henderson <[email protected]>
>>> wrote:
>>>
>>>> On 2025/03/24 05:46, Vaughn A. Hart wrote:
>>>> > I rarely see the self keyword used in pf.conf and I wondered why? I
>>>> > experimented with it and want to get some feedback on if what I'm
>>>> > thinking works or doesn't.
>>>>
>>>> I don't think it's particularly uncommon.
>>>>
>>>> > block in log on self from any to 255.255.255.255
>>>> > block in log on self from <bad_actors> to any
>>>> ..
>>>> > block in log on self from <level2> to any
>>>> > block in log on self from <level3> to any
>>>> > block in log on self from <webclient> to any
>>>>
>>>> Here, "self" is used in the context of an interface name or interface
>>>> group, which might not exist at the time the ruleset is loaded. (this is
>>>> not an error as an interface group may be created later). It is not
>>>> referring to the _keyword_ "self" which is only parsed in the context
>>>> of an address (e.g. "pass proto tcp to self port 12345").
>>>>
>>>> Most likely you have no interface group called "self" so those rules
>>>> are doing nothing. I'm not really sure what you intend by using "on
>>>> self" with those rules though.
>>>>
>>>>
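The two parses Stuart describes, as an added pf.conf fragment that is not from the thread or from any of its participants. The table names are the ones Vaughn posted; the address inside the table is a constructed placeholder.

```pf
# Added example, not code from the thread. <bad_actors> is the thread's own
# table name; its contents here are an assumed placeholder.
table <bad_actors> persist { 192.0.2.0/24 }

# 1. The rule as posted. After "on", pf reads "self" as an interface or
#    interface-group name. pfctl accepts the rule (a group by that name
#    could be created later), but unless some interface belongs to a group
#    called "self" the rule matches no packets and silently does nothing.
# block in log on self from <bad_actors> to any

# 2. The keyword form Stuart describes: "self" in address position expands
#    to every address assigned to the host's interfaces when the ruleset
#    is loaded.
block in log from <bad_actors> to self

# 3. The broadcast rule from the thread, with the same correction applied.
block in log from any to 255.255.255.255
```

To see the difference without touching the live ruleset, run `pfctl -nf /etc/pf.conf` for a syntax-only parse and then `pfctl -s rules` after loading: the `on self` form is listed unchanged, with "self" shown as an interface, while the `to self` form is listed expanded into one rule per host address, which is the same expansion Vaughn saw for his antispoof rules. Because that expansion happens at load time, an address that appears on a newly attached interface is only covered after the ruleset is reloaded.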
