On 05/07/18 18:40, Martin Gignac wrote:
> In an OpenBSD pf rule however, a rule only references a single
> interface and a direction (in, out).

This is not correct. It's perfectly valid and not unusual to have rules like pass from 10.2.3.0/24 (or 'pass to $somenet'). The default state-policy is 'floating' (as in not tied to an interface) but you can set it to be if-bound if you like.

But for the use case you describe, tagging on ingress and filtering on tagged later is certainly a potentially useful approach.

- Peter

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
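The points made in the reply above (an interface-less pass rule, the floating vs. if-bound state policy, and tagging on ingress so a later rule can filter on the tag) put together in one pf.conf fragment. This is an added example, not part of the original thread; the interface names em0/em1, the 10.2.3.0/24 "trusted" network and the web server address are constructed placeholders.

```pf
# Added example pf.conf (not from the mailing-list thread). Interface
# names and addresses below are placeholders chosen for illustration.
ext_if = "em0"
int_if = "em1"
trusted_net = "10.2.3.0/24"      # constructed example network
webserver  = "10.2.3.80"         # constructed example host

# Default: a state matches packets on any interface. Change to
# "if-bound" if states should only match on the interface that created them.
set state-policy floating

set skip on lo

# A rule does not have to name an interface or a direction at all:
# this applies to traffic from $trusted_net in both directions on every interface.
pass from $trusted_net

# Tag on ingress: everything that enters on the external interface toward
# the web server gets the tag EXT_WEB attached to the packet (and its state).
pass in on $ext_if proto tcp from any to $webserver port 80 tag EXT_WEB

# Filter on the tag later, on a different interface: only tagged traffic may
# be forwarded out to the internal segment; anything untagged is dropped there.
pass out on $int_if tagged EXT_WEB
block out log on $int_if ! tagged EXT_WEB
```

Check the syntax without loading the ruleset with `pfctl -nf /etc/pf.conf`; the `block ... log` line makes the untagged drops visible on pflog0 so the tagging path can be verified with tcpdump before the policy is enforced in production.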