Hi,
I have a question regarding pf.
In man pf.conf[1], the following note is made in the section on: antispoof
"Caveat: Rules created by the antispoof directive interfere with
packets sent over loopback interfaces to local addresses. One
should pass these explicitly."
When man says that the traffic for the loopback address(es) should be
"...pass[ed] explicitly", does that mean I would use something like the
following in pf.conf:
    pass quick on lo0
    antispoof quick for $ext_if
... or is specifying an option that filtering on the loopback address
should not take place sufficient:
    set skip on lo0
    . . .
    antispoof quick for $ext_if
Thanks,
- J
Ref
===
[1] https://man.openbsd.org/pf.conf#TRAFFIC_NORMALISATION
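
How the two variants in the question interact with the antispoof expansion documented in pf.conf(5), as an added example that is not part of the original post. The interface name em0 and the address 192.0.2.10/24 are assumptions made for illustration.

```conf
# Constructed example: interface name and address are assumptions.
ext_if = "em0"            # assumed to carry 192.0.2.10/24

# Variant A: keep filtering on lo0, but pass loopback traffic explicitly.
# "quick" makes the first matching rule final, so the pass rule has to
# come before the antispoof line.
pass quick on lo0
antispoof quick for $ext_if

# With the assumed address, the antispoof line expands to:
#   block drop in quick on ! em0 inet from 192.0.2.0/24 to any
#   block drop in quick inet from 192.0.2.10 to any
# The second rule names no interface. A local connection to 192.0.2.10
# travels over lo0 with source address 192.0.2.10, so it matches that
# rule unless an earlier quick pass (above) or a skip (below) covers lo0.

# Variant B (alternative to the pass rule above): exempt lo0 from pf.
#   set skip on lo0
#   antispoof quick for $ext_if
# Packets on a skipped interface are passed as if pf were disabled, so
# no rule, including the antispoof expansion, is evaluated for them.
```

Running `pfctl -vnf` on the file prints the expanded rules without loading them, which shows the rules antispoof generates for the real interface address.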