PF's skip on interface directive

The OpenBSD packet filter (PF) received several enhancements in OpenBSD 3.7. One of the coolest things is the ability to tell PF not to filter traffic on specific interfaces, such as the loopback interface. This behavior is defined in the pf.conf configuration file with the “set skip on” statement:

set skip on lo0

Prior to the “set skip on” option you had to explicilty allow traffic to flow with the following pass statements:

pass in quick on lo0 all
pass out quick on lo0 all

This of course assumes a default policy of “block everything not explicilty allowed,” which all firewalls SHOULD be using.

This article was posted by Matty on 2005-05-23 22:04:00 -0400 EDT