#7, 11th July 2022
jggimi

An empty PF configuration file will pass all traffic on all interfaces, as if you'd provisioned a single rule containing the two words pass all. So absent any other rules, the most recent example will pass all traffic on all interfaces except msk0.

The most general rule is the first, blocking all incoming traffic on the msk0 interface. All outgoing traffic already passes.

The second rule is more fine-grained, and passes traffic to destination ports 80/443, if the destination address is any of the addresses assigned to the msk0 interface. Internally, there are individual rules for each address, which can be seen with # pfctl -sr.

The parentheses around the interface will cause PF to adjust the internal rule list any time the address list changes, such as may happen with dynamic auto-configuration with SLAAC / IPv6 or DHCP / IPv4.

Last edited by jggimi; 11th July 2022 at 03:58 PM. Reason: clarity
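The two rules described above, written out as a commented pf.conf fragment. This is an added example, not the poster's own configuration; the interface name and ports are the ones discussed in the post, and the behaviour notes in the comments follow pf.conf(5).

```pf
# Constructed example, not the poster's pf.conf. Interface msk0 and
# ports 80/443 are taken from the discussion above.

# With no rules at all, PF behaves as if this single line were present:
#   pass all
# Everything below only narrows that default for traffic on msk0.

# Most general rule first: drop all inbound traffic arriving on msk0.
# Outbound traffic on msk0 is untouched by this rule and still passes.
block in on msk0

# More specific rule: allow inbound TCP to ports 80 and 443, but only when
# the destination is one of msk0's own addresses. PF uses last-matching-rule
# semantics (no "quick" here), so this later rule overrides the block above
# for exactly these packets and nothing else.
#
# The parentheses around msk0 make PF re-expand the rule whenever the
# interface's address list changes (DHCP lease renewal, SLAAC), instead of
# expanding it once at load time as plain "to msk0" would.
pass in on msk0 proto tcp to (msk0) port { 80 443 }
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`; after loading, `pfctl -sr` shows the pass rule expanded into one internal rule per address currently assigned to msk0.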