Hi folks,

If I add "antispoof quick for self" to my pf.conf to enable antispoofing on all interfaces, then I get these additional rules:

block drop in quick on ! self inet from <__automatic_3df3184e_0> to any
block drop in quick on ! self inet6 from ::1 to any
block drop in quick inet6 from ::1 to any
block drop in quick on lo0 inet6 from fe80::1 to any
block drop in quick on em0 inet6 from fe80::260:e0ff:fe4b:d2ec to any
block drop in quick on em1 inet6 from fe80::260:e0ff:fe4b:d2ed to any
block drop in quick on em5 inet6 from fe80::260:e0ff:fe4b:d2f1 to any
block drop in quick on em6 inet6 from fe80::260:e0ff:fe4b:d2f2 to any
block drop in quick on carp0 inet6 from fe80::200:5eff:fe00:10a to any
block drop in quick on carp1 inet6 from fe80::200:5eff:fe00:107 to any
block drop in quick on carp5 inet6 from fe80::200:5eff:fe00:111 to any
block drop in quick inet from <__automatic_3df3184e_1> to any

The automatic tables contain the local networks and the local IP addresses, including carp interfaces.

I am not sure about the "on ! self". Ain't this a contradiction in terms? Sorry for asking, but "self" is just very briefly described on pf.conf(5).

Any helpful comment would be highly appreciated.

Regards
Harri

