Fellow users, do I understand correctly that RST replies to packets blocked with pf cannot be arbitrarily routed?
pf.conf(5) says that "(...) reply-to is useful only in rules that create state". Since 'block' and 'match' rules seem to (understandably) not create state entries, there is no apparent way to direct TCP-RST (and/or ICMP unreachable) replies to a route of traffic being blocked. In my environment they all go through the default gateway. Is there something that I'm missing, or is it a bug or a feature (should I use route(8) tables instead, perhaps)?

Thanks,