we were refering to 10k states by default here as well, pt out by claudio

Document NAT and DNS forwarding rules for vmd(8)

discussed at length with benno, beck, deraadt, and florian

Change spamd to use divert-to instead of rdr-to.

divert-to has many advantages over rdr-to for proxies. For example,
it is much easier to use, requires less code, does not depend on
/dev/pf, works

Change spamd to use divert-to instead of rdr-to.

divert-to has many advantages over rdr-to for proxies. For example,
it is much easier to use, requires less code, does not depend on
/dev/pf, works in-band without the asynchronous lookup (DIOCNATLOOK
ioctl), saves us from additional port allocations by the rdr/NAT code,
and even avoids potential collisions and race conditions that could
theoretically happen with the lookup.

Heads up: users will have to update their spamd PF rules from rdr-to
to divert-to. spamd now also listens to 127.0.0.1 instead of "any"
(0.0.0.0) by default which should be fine with most setups but has to
be considered for some special configurations.

Based on a diff is almost two years old but got delayed several times
... beck@: "now is the time to get it in" :)

Tested by many
With help from okan@
OK okan@ beck@ millert@

show more ...

create examples/pf.conf which is a clone of the existing file. Now
the existing file can start losing... examples...