Hmmm... Still not exactly foolproof. That means every time I update my pf rules I have to remember to run pfctl with the -D switch. Not much better than remembering to edit pf.conf. Okay, I could write a script that runs pfctl with the -D switch, but then I have to remember to run the script instead of pfctl. What if I rename pfctl to pfctl.original and make the name pfctl a link to your script? I have to remember that I did that when I upgrade the OS.
Basically, it sounds nice, but it's actually just a fancy way of hiding the problem.

> pfctl -D macro=value (man pfctl)
