I had to replace the dead hard drive in an old OpenBSD firewall yesterday (it only ran for about 8 years :), and in the process I had to re-do my pf.conf to incorporate the newer (post-4.6 or thereabouts) syntax. I was trying to figure out why I have what appears to be two states for each incoming connection that is getting rdr-to'd to a box on the internal network by a pass rule, but I digress.
Anyway, I'm reading the pf.conf man page, and I interpret it as saying that the last matching pass/block rule determines what action is taken, but the _first_ matching pass rule is what creates the state. Am I interpreting this correctly? Is that a contradiction of sorts, at least from the PoV of being able to use pfctl -ss or systat states to see what's going on? Should I be using match rules to do nat-to/rdr-to instead?

Thanks in advance,
Corey
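As an added illustration of the match-based layout the post asks about (example configuration, not from the original post or from the OpenBSD project): the translation is attached with a match rule, and a separate pass rule does the filtering and creates the state. The interface name em1, the variable names, and the address 10.0.0.10 are assumptions chosen for the example; egress is the pf interface group that holds the default-route interface.

```pf
# Added example pf.conf fragment. Interface name and addresses are assumed
# values, not taken from the original post.
int_if  = "em1"
web_srv = "10.0.0.10"

# match rules are not terminal and do not create state on their own: they only
# set options (here rdr-to) that are carried over to the filter rule that
# finally matches the packet.
match in on egress inet proto tcp to (egress) port 80 rdr-to $web_srv

# Filter on the already-translated destination. This is the rule that decides
# pass/block and that creates the state entry shown by pfctl -ss; "keep state"
# is the default for pass rules in current OpenBSD pf.
pass in on egress inet proto tcp to $web_srv port 80

# Needed only if the ruleset blocks by default: allow the forwarded traffic
# out on the internal interface toward the server.
pass out on $int_if inet proto tcp to $web_srv port 80
```

With this split, there is exactly one pass rule per direction that can create state for the forwarded connection, which makes the output of pfctl -ss and systat states easier to read back against the ruleset, and pfctl -sr shows the match and pass rules as separate lines so the translation options and the filtering decision can be audited independently.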