Hello, I am using openbsd as a router and I heavily utilise skips in pf on the transit interfaces. I use a dedicated loopback interface for router management. However, this poses a problem where the use of skips on transit interfaces then allows all traffic to my management loopback interface.
Any idea on how to solve this while keeping the skips? I have been considering putting my management interface into a separate rtable. This is probably the prudent thing to do but it requires rather substantial changes on my end. Another way would be to remove skips and use very wide "pass" rules combined with blocks.

Example current pf.conf:

    set ruleset-optimization none
    set reassemble no
    set state-defaults sloppy
    set limit tables 500
    set skip on vlan1001
    set skip on vlan1002
    set skip on vlan1003
    pass quick on lo1 from <sysops>
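The second option from the post (drop the skips, keep the transit path as a wide stateless pass, block the management address on ingress), written out as an added example rather than config from the original post. It assumes the interface names from the post; the <sysops> addresses and the SSH-only port are constructed placeholders.

```pf
# Added example, not the poster's ruleset. Options kept as in the post.
set ruleset-optimization none
set reassemble no
set state-defaults sloppy
set limit tables 500

mgmt_if = "lo1"
transit = "{ vlan1001 vlan1002 vlan1003 }"
# Constructed placeholder management hosts (documentation prefix).
table <sysops> { 192.0.2.10 192.0.2.11 }

# Packets for a local address are filtered on the interface they arrive on,
# so the management address on lo1 must be protected on the transit ingress
# side. With "set skip" on those interfaces pf never sees them at all, which
# is why the skips exposed the management loopback.

# 1. Trusted operators may reach management over SSH (stateful).
#    ($mgmt_if) expands to the addresses currently configured on lo1.
pass in quick on $transit proto tcp from <sysops> to ($mgmt_if) port 22

# 2. Everything else aimed at the management address is dropped on ingress.
block drop in quick on $transit to ($mgmt_if)

# 3. Forwarded traffic: stateless pass, the closest filter-rule equivalent
#    of "set skip" for a router that does not want state on transit links.
pass quick on $transit no state

# Local policy for the management interface itself, as in the post.
pass quick on $mgmt_if from <sysops>
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then confirm with `pfctl -sr` that the three quick rules appear in this order, since first match wins for quick rules.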