Mine is actually quite extensive...
Code:
block in log
pass out all
Now I know, I know... scrub is useful, tighten things more on the outside, etc, etc. This is a personal machine that doesn't spend much time "out there".
Besides the PF FAQ, for tweaking pf second place belongs to the incredibly readable and very useful articles by Daniel Hartmeier (the link's got all three articles):
http://undeadly.org/cgi?action=artic...20060927091645
Skipping on lo means "don't filter on any lo interfaces at all"; whereas antispoof on lo0 concerns other interfaces. The way I understand antispoof on lo0 is:
block all incoming traffic from the 127.0.0.0/8 net that doesn't come through lo0. One should not receive packets from this net on, say, a vr0 interface that has the address 10.0.0.1/24.
Code:
rule expands to:
block drop in on ! lo0 inet from 127.0.0.1/8 to any
network 127.0.0.0/8            vr0              lo0
---------------------->   10.0.0.1   -   | 127.0.0.1 |
                                         |  PF BOX   |
antispoof applies to aliases too:
http://kerneltrap.org/mailarchive/op...8/7/15/2513284
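Putting the two ideas above side by side in one ruleset, as an added example that is not the poster's own pf.conf: `set skip on lo` turns filtering off on the loopback interfaces, while `antispoof for lo0` generates block rules that bite on every interface except lo0. The interface names (vr0 with 10.0.0.1/24 and an alias 10.0.1.1/24, lo0) are assumed for illustration; the expansions in the comments are what pf.conf(5) documents for antispoof, with the `quick` keyword so a later `pass in` cannot override them under pf's last-match semantics.

```pf
# Added example, not the original post's ruleset.
# Assumed: vr0 carries 10.0.0.1/24 plus an alias 10.0.1.1/24; lo0 is loopback.
ext_if = "vr0"

# Weak: this alone leaves 127.0.0.0/8 sources arriving on vr0 to the generic rules.
set skip on lo

# Corrected: drop packets that claim a loopback source but did not arrive on lo0.
# pf.conf(5) describes "antispoof for lo0" as expanding to:
#   block drop in on ! lo0 inet from 127.0.0.0/8 to any
#   block drop in inet from 127.0.0.1 to any
antispoof log quick for lo0

# Same treatment for the external interface; antispoof covers every address
# configured on it, so the alias network is included:
#   block drop in on ! vr0 inet from 10.0.0.0/24 to any
#   block drop in on ! vr0 inet from 10.0.1.0/24 to any
#   block drop in inet from 10.0.0.1 to any
#   block drop in inet from 10.0.1.1 to any
antispoof log quick for $ext_if

# The minimal policy from the post: nothing in, everything out.
block in log
pass out all
```

Before loading, `pfctl -nvf /etc/pf.conf` parses the file without installing it and prints the antispoof lines expanded into the individual block rules, so you can confirm the `on ! lo0` and `on ! vr0` qualifiers and the alias networks appear as expected.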