Tobias Weisserth wrote:
> # inbound traffic (firewall)
> pass in on $ext_if inet proto tcp from any to $fw_ext user proxy
> keep state
> pass in on $ext_if inet proto tcp from <trusted> to $fw_ext \
> port 22 flags S/SA keep state
>
> What's the first of these two rules doing? I can't find any reference to
> the "... user proxy keep state" part at the end in the PF FAQ.
> The second rule is clear.

It allows in (and creates state for) any packets destined for ports that have been bound to by some process running under the user account "proxy", which would normally be the ftp-proxy(8) that comes with pf. The FAQ doesn't cover everything; you should find lots of interesting information like this in the pf.conf(5) and related 'man' pages.
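
The two quoted rules in a minimal ruleset, as an added example that is not part of the original thread: the macro values, the table contents and the default block rule are constructed placeholders, and the comments summarize how pf.conf(5) describes the `user` keyword.

```conf
# Constructed placeholder values for the macros and table used in the thread.
ext_if = "em0"
fw_ext = "192.0.2.1"
table <trusted> { 198.51.100.0/24 }

# Assumed default-deny baseline so the pass rules below are the only openings.
block in on $ext_if all

# "user proxy" restricts the rule by socket ownership, not by port number.
# For inbound connections to the firewall itself, the user is the one that
# listens on the destination port, so this passes TCP to whatever ports a
# process owned by "proxy" is listening on at that moment.
#
# Points from pf.conf(5) worth checking before relying on such a rule:
#  - only TCP and UDP packets can be associated with a user
#  - forwarded connections (firewall is not an endpoint) have user "unknown"
#  - the effective UID is recorded when the socket is created, so a daemon
#    that binds as root and then drops privileges still counts as root and
#    would not match "user proxy"
pass in on $ext_if inet proto tcp from any to $fw_ext user proxy keep state

# Port-based rule from the thread: SSH from the trusted table only.
pass in on $ext_if inet proto tcp from <trusted> to $fw_ext \
    port 22 flags S/SA keep state
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, and `pfctl -sr` lists the rules currently loaded.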