--On 22 August 2005 06:03 -0500, Shawn K. Quinn wrote:

> On Mon, 2005-08-22 at 11:49 +0100, Stuart Henderson wrote:
>> If you don't already have something like 'pass quick on lo0' near
>> the start of your PF ruleset, you might like to add it.
>
> Actually, as of 3.7 "set skip on lo0" is the preferred method of
> bypassing pf on loopback.

It's not preferred enough that /usr/src/etc/pf.conf mentions it yet.

Index: /usr/src/etc/pf.conf
===================================================================
RCS file: /data/cvs/OpenBSD/src/etc/pf.conf,v
retrieving revision 1.28
diff -u -r1.28 pf.conf
--- /usr/src/etc/pf.conf        29 Apr 2004 21:03:09 -0000      1.28
+++ /usr/src/etc/pf.conf        22 Aug 2005 23:39:49 -0000
@@ -10,6 +10,8 @@
#table <spamd> persist
#table <spamd-white> persist

+#set skip on { lo $int_if }
+
#scrub in

#nat on $ext_if from !($ext_if) -> ($ext_if:0)
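Review bot: the new `#set skip on { lo $int_if }` line carries no explanation, and since this file is the shipped template it should say how it differs from the `pass quick` it replaces: `set skip` bypasses pf entirely on the listed interfaces, so scrub, nat, the antispoof rules and the filter rules never see that traffic and no state is created, whereas `pass quick` only short-circuited filtering. Suggest a comment above it, e.g. `# bypass pf entirely on loopback and the internal interface`. The placement itself is right: pf.conf(5) requires options before the normalization (scrub) section, and `lo` is the interface group, so every loopback interface is covered, not only lo0.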
@@ -22,7 +24,6 @@
#block in
#pass out keep state

-#pass quick on { lo $int_if }
#antispoof quick for { lo $int_if }

#pass in on $ext_if proto tcp to ($ext_if) port ssh keep state
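Review bot: removing `#pass quick on { lo $int_if }` leaves `#antispoof quick for { lo $int_if }` without the rule that made it safe to uncomment. pf.conf(5) warns that antispoof rules interfere with packets sent over loopback to local addresses; the pass quick line sat directly above so anyone enabling antispoof saw it, while the replacement `set skip` now lives in a different section of the file. Suggest a pointer next to the antispoof line, e.g. `# requires set skip on lo above, see the antispoof caveat in pf.conf(5)`, so the two lines are not uncommented independently.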

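The thread settles on "set skip" rather than "pass quick" for loopback, but neither the quoted reply nor the patch shows a complete ruleset with the directive in the place pf.conf(5) requires, nor how to confirm it took effect. The following is an added example, not code from the thread or from the OpenBSD tree; the interface names (em0, em1) are assumptions chosen for illustration, and the remaining rules mirror the commented-out template in the patch.

```pf
# Added example (not from the thread or /usr/src/etc/pf.conf): a minimal
# ruleset using "set skip" in the section order pf.conf(5) requires.
# em0/em1 are assumed interface names for illustration.
ext_if = "em0"
int_if = "em1"

# Options must come before the scrub, nat and filter sections.
# "lo" is the interface group, so every loopback interface is bypassed,
# not only lo0. Traffic on skipped interfaces never reaches scrub, nat,
# antispoof or the filter rules, and no state is created for it.
set skip on { lo $int_if }

scrub in

nat on $ext_if from !($ext_if) -> ($ext_if:0)

block in
pass out keep state

# pf.conf(5) warns that antispoof rules interfere with loopback traffic
# to local addresses; with lo skipped above they never see that traffic.
antispoof quick for { lo $int_if }

pass in on $ext_if proto tcp to ($ext_if) port ssh keep state
```

Check the syntax and section ordering without loading anything with `pfctl -nf /etc/pf.conf`; a `set skip` placed after `scrub in` is rejected at this step. After `pfctl -f /etc/pf.conf`, `pfctl -vs Interfaces` lists the known interfaces and marks the bypassed ones with `(skip)`, which is the quickest way to confirm the directive matched the interfaces you intended.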