Hello, I expected the following rule to only match traffic destined for the firewall:
    pass in proto tcp to port ssh user root

Likewise, by changing "root" to "unknown" I expected to only match traffic that is to be forwarded to other ssh servers. Both turned out to be wrong assumptions.

I think that because sshd listens on *:22, pf considers all traffic to port 22 as matching the "user root" criteria, even if the firewall is not the final destination. This behavior doesn't match the man page:

"For incoming connections to the firewall itself, this is the user that listens on the destination port. For forwarded connections, where the firewall is not a connection endpoint, the user and group are unknown."

I'm inclined to think that this is a bug in the code, since otherwise user and group criteria are not very useful at distinguishing where the traffic is going.

- Max
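As an added illustration (this is not part of Max's post), the distinction he is after can be made explicit in pf.conf by matching on the destination address with the `self` keyword, which expands to every address configured on the firewall's own interfaces, instead of leaning on the `user` option. The interface name and the internal network are assumed placeholders.

```pf
# Added example, not from the original post: separate ssh connections that
# terminate on the firewall from ssh connections forwarded through it, using
# the destination address rather than "user".
# "self" expands to all addresses on the firewall's interfaces.
# em0 and the internal network below are assumed placeholder values.
int_net = "192.0.2.0/24"

block in log

# ssh to the firewall itself: the connection ends in the local sshd,
# so the "user root" match is meaningful here (sshd listens as root).
pass in on em0 proto tcp to self port ssh user root

# ssh forwarded to hosts behind the firewall: the firewall is not an
# endpoint, so match on the destination address only and omit "user".
pass in on em0 proto tcp to $int_net port ssh
```

After loading the ruleset with `pfctl -f /etc/pf.conf`, `pfctl -vsr` prints per-rule evaluation, packet and state counters, which shows directly which of the two rules a forwarded ssh connection is hitting and whether the `user` criterion is matching traffic that does not terminate on the firewall.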
