PF Match scrub or antispoof - which comes first?

[kalleboy]

In PF configuration, should "match in all scrub (no-df random-id)" come before antispoof line, or after?

 

[mer]

Is the "match in all scrub" correct?

I've usually seen scrub statements like:
scrub in all no-df random-id reassemble

antispoof expands to a series of rules, scrub is a part of traffic normalization so it would come before antispoof.

 

[SirDice]

Is the "match in all scrub" correct?

It's not. Well, it's valid on OpenBSD's PF, not on FreeBSD's PF.

kalleboy keep in mind that FreeBSD's PF is not the same as OpenBSD's PF. FreeBSD's PF came from a relatively old OpenBSD version, so it's not going to support the same features as a recent OpenBSD version.