On 2025/03/24 05:46, Vaughn A. Hart wrote:
> I rarely see the self keyword used in pf.conf and I wondered why? I
> experimented with it and
> want to get some feedback on if what I’m thinking works or doesn’t.

I don't think it's particularly uncommon.

> block in log on self from any to 255.255.255.255
> block in log on self from <bad_actors> to any .
> block in log on self from <level2> to any
> block in log on self from <level3> to any
> block in log on self from <webclient> to any

Here, "self" is used in the context of an interface name or interface
group, which might not exist at the time the ruleset is loaded. (This is
not an error, as an interface group may be created later.) It is not
referring to the _keyword_ "self", which is only parsed in the context of
an address (e.g. "pass proto tcp to self port 12345").

Most likely you have no interface group called "self", so those rules are
doing nothing. I'm not really sure what you intend by using "on self" with
those rules though.
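
The distinction described in the reply above, shown as an added pf.conf example that is not part of the original message. `<bad_actors>` is taken from the quoted rules; the table definition, the guessed intents behind each alternative and the use of the `egress` group are assumptions.

```conf
# Added example, not from the thread. The table definition is assumed.
table <bad_actors> persist

# As posted: after "on", "self" is read as an interface or interface-group
# name. With no group called "self", no packet ever arrives "on" it, so the
# rule never matches. The ruleset still loads without an error.
block in log on self from <bad_actors> to any

# Alternative 1 (assumed intent: all interfaces): leave out "on" entirely.
block in log from <bad_actors> to any

# Alternative 2 (assumed intent: traffic addressed to this host): use the
# address keyword "self" in the destination position, where it expands to
# the addresses assigned to the host's interfaces.
block in log from <bad_actors> to self

# Alternative 3 (assumed intent: external side only): name an interface
# group that exists, such as the "egress" group OpenBSD assigns to the
# interface(s) holding the default route.
block in log on egress from <bad_actors> to any
```

A parse-only check with `pfctl -nf /etc/pf.conf` accepts the `on self` rule, so it will not catch this. The per-rule counters from `pfctl -vvsr` show which rules have never matched a packet.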
