On 2023-05-10, Jonathan Matthew <jonat...@d14n.org> wrote: > If there's a pf rule like 'match out on $iface nat-to ($iface)', making > that only apply to traffic received on another interface will probably > help.
"received-on" is excellent for making rules only apply to packets coming from some specific interface. in particular, "!received-on any" will prevent a rule (e.g. a match...nat-to) from applying to locally-generated packets.
