On 2022-10-24, Lyndon Nerenberg (VE7TFX/VE6BBM) <lyn...@orthanc.ca> wrote:
> Given the rule
>
>   pass proto tcp from any to mail.example.com \
>                 port { 25 80 110 143 443 587 993 } synproxy state
>
> pfctl barks
>
>  /etc/pf.conf:586: warning: synproxy used for inbound rules only, ignored for outbound
>
> It's pretty obvious from reading pf.conf(5) that the above is the
> default behaviour, and it seems perfectly reasonable to apply
> 'synproxy state' to pass rule that implies 'in'.  So I don't see
> the reason for pfctl to nag at me like that,

That pass rule doesn't just imply "in", it is "in and out".

"synproxy state" cannot work on outbound (for more details see
https://marc.info/?l=openbsd-tech&m=160686649524095&w=2).

Because pfctl is doing something other than what you asked it to do,
IMO the warning makes sense.

Alternatively it could be classed as an error but that won't be very
fun for people upgrading.
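
The point above in pf.conf form, as an added example that is not part of the thread: the rule as posted (which pfctl warns about because "pass" with no direction matches both in and out, and synproxy is only applied inbound) next to the same rule with the direction written out, which is what the original poster actually wanted. The host name and port list are the ones from the quoted rule; nothing else is assumed.

```pf
# Added example, not from the thread.
#
# As posted: no direction keyword, so this is "pass in" and "pass out"
# at once. pfctl accepts it but warns that synproxy is ignored for the
# outbound half, which keeps normal state tracking instead.
# pass proto tcp from any to mail.example.com \
#     port { 25 80 110 143 443 587 993 } synproxy state

# Same rule with the direction stated explicitly. It now matches only
# inbound connections, synproxy applies to everything it matches, and
# pfctl has nothing to drop, so the warning goes away.
pass in proto tcp from any to mail.example.com \
    port { 25 80 110 143 443 587 993 } synproxy state

# Parse-check the ruleset without loading it:
#   pfctl -nf /etc/pf.conf
```

If the outbound side of those connections still needs a rule, write it as a separate "pass out" rule with plain "keep state"; synproxy is not an option there, which is exactly what the warning is telling you.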

