When writing outbound rules in pf, is there an accepted best practice for only matching packets that are either forwarded or firewall-generated?
The best that I could come up with is 'received-on all' as a way of identifying forwarded packets, but that option can't be negated to match packets that were not received on any inbound interface (i.e. those generated by the firewall itself). Another option is 'from (self)', but then you have to be careful with any preceding nat rules. Ideally, I want a solution that doesn't depend on the context. I also tried to use tags in combination with 'received-on', but it became rather messy and created conflicts with other tag usage. What is everyone else using to solve this problem?
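To make the two approaches in the question concrete, here is an added pf.conf fragment (not from the original post) that shows `received-on` for forwarded traffic, `from (self)` for firewall-generated traffic, and why the position of a `nat-to` match rule matters. The interface names `lan0` and `egress` are assumed for illustration.

```pf
# Added illustration, not part of the original question. Interface names
# lan0 (inside) and egress (outside) are assumed.

# Firewall-generated traffic: the original source address belongs to the
# firewall. This rule must be evaluated BEFORE any match rule that applies
# nat-to, because pf rewrites the source as soon as a match rule matches;
# placed after the nat-to line, forwarded packets would also appear to be
# "from (self)". This ordering is the nat caveat mentioned in the question.
pass out on egress from (self)

# Translation for forwarded traffic. From this point on, later rules see
# the translated (egress) source address, not the original lan0 one.
match out on egress inet from lan0:network nat-to (egress)

# Forwarded traffic: packets that entered the firewall on lan0. received-on
# is unaffected by the translation above, so it can safely follow it.
pass out on egress received-on lan0
```

The trade-off the question describes is visible here: `received-on` is robust to translation but tied to specific inbound interfaces, while `from (self)` is interface-independent but only meaningful before any `nat-to` rewrite has happened.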