Hi.

I think I mentioned that I upgraded one of the machines running pf
from 4.6 to -current.

Noticed that pf rule order behavior has changed, so I had to move
rules around and I of course had to change nat and rdr rules since the
syntax is new.
I've read the man page, but I'm not clear on the difference
between 'match' and 'pass'. What's preferable for nat and rdrs - match
or pass?

What about regular rules? In what sort of situations should I use
match rather than pass, and vice versa?

An issue today was the box totally froze after I removed one of the
redundant rules, did 'pfctl -f /etc/pf.conf', and ran 'systat queues'.
As soon as I ran systat it froze dead. Not even a panic.

Also there's a problem with
http://www.openbsd.org/faq/pf/queueing.html, first example - unless I
am confused, it limits the internal interface's bandwidth to that of the
external one. Why would I want to slow down my inside connection to the
local network?

Thanks.
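An added illustration of the match/pass distinction in the post-4.7 pf.conf syntax the post is asking about (not part of the original message; interface names and addresses are constructed placeholders):

```pf
# Added example, not from the original post. Interface names and
# addresses below are placeholders, not a real configuration.
ext_if = "em0"
int_if = "em1"
lan    = "192.168.1.0/24"
web    = "192.168.1.10"

# 'match' only attaches actions (here NAT) to packets it matches.
# It makes no pass/block decision, so a later 'pass' rule is still
# required before this traffic can flow.
match out on $ext_if from $lan to any nat-to ($ext_if)

# 'pass' combined with an action does both in one rule: the packet is
# redirected and passed, with no separate pass rule needed.
pass in on $ext_if proto tcp from any to ($ext_if) port 80 rdr-to $web

# Ordinary pass rules that actually allow the LAN out. By the time the
# last matching rule is evaluated, the match rule above has already
# rewritten the source address, which is why match rules go first.
pass in on $int_if from $lan
pass out on $ext_if
```

In short, use 'match' when the same translation or queue assignment should apply to traffic that several different pass rules allow, and 'pass ... nat-to/rdr-to' when one rule is enough; in both cases pf's last-matching-rule-wins ordering (absent 'quick') still applies.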
