pf usage

[Doug Hardie]

> On 27 February 2020, at 14:15, RW via freebsd-questions <freebsd-questions at freebsd.org> wrote:
> 
> On Wed, 26 Feb 2020 02:55:15 -0800
> Doug Hardie wrote:
> 
>> I just learned something quite unexpected about pf.  Some time ago,
>> the rules had to include "state" to have pf track state.  However,
>> later pf was changed to always assume "state" thus reducing the
>> typing of the rules.  The description of that change made me believe
>> that the change was in pf.  On one of my systems with two NICs and
>> two different internet providers, I was using pftop to track usage.
>> The only states I saw were for just one network.  The other one never
>> showed any states, but the packets were delivered properly.
>> 
>> I discovered that pf has to have a rule for each interface.  I used
>> "pass all" for the interface that needed no other rules.  The change
>> apparently was made to pfctl not pf.  So the one interface had no
>> rules, and hence there was nothing to tell pf to track state.
> 
> If your concern is to do with efficiency, there may an optimization
> there. It's possible that pfctl sets a flag on interfaces that aren't
> affected by the rule set, so that traffic can pass with low overheads
> and without creating unnecessary state entries.
> 
> I've no idea whether this is correct, it's just speculation. But if it
> is then forcing state entries would be counterproductive. 

In this case, the volume of traffic is quite low.  I am much more concerned about monitoring the connections than in efficiency.  I suspect, though, that your speculation is correct.

-- Doug