As my rules get more complicated, I've gone from "from any", to "from ip-address", to "from en0". What I noticed is that when I specify via en0/en1, `pf` makes a rule for every IP address on that interface, even though other IPs in my setup are covered by other rules, including IPv6 addresses which I'm not even using. So using en0 as a from-specifier is creating double the amount of actual rules, as shown via `pfctl -si`.
So I am wondering if I should make all my rules so they specify specific IP addresses instead? Reduce the total number of rules? Does that make sense? Is it pointless? I know these fairly simple firewall rules aren't exactly CPU hogs, but at the same time, a whole lot of packets are going through them, so does it make sense to optimize in this way? Or are other things going on that are not apparent, and this wouldn't actually affect the amount of processing going on at all?
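As an added example (not part of the original post), the following pf.conf fragment shows the `from` forms that control how many rules the bare-interface syntax expands into. The interface name en0, the 192.0.2.0/24 network and the `<lan_hosts>` table name are assumptions for illustration only.

```pf
# Added example, not from the original post. en0, 192.0.2.0/24 and
# <lan_hosts> are assumed names chosen for illustration.

# 1. Bare interface name: pf translates it at ruleset load time into one
#    rule per address configured on en0, IPv4 and IPv6 alike, unless the
#    rule names an address family.
pass in on en0 from en0 to any

# 2. Restrict the family to IPv4 and drop aliases with the :0 modifier:
#    only the first IPv4 address of en0 is used, so this stays one rule.
pass in on en0 inet from en0:0 to any

# 3. Parenthesised interface: a single rule whose address is looked up
#    dynamically, so it follows address changes without a reload and is
#    not expanded into per-address copies.
pass in on en0 inet from (en0) to any

# 4. Explicit network in a table: a fixed address set that does not depend
#    on what is currently configured on the interface.
table <lan_hosts> const { 192.0.2.0/24 }
pass in on en0 inet from <lan_hosts> to any
```

`pfctl -nvf /etc/pf.conf` parses the file without loading it and prints each rule as expanded, which is the quickest way to see how many rules a given `from` form produces; `pfctl -sr` lists what is actually loaded. One caveat on the optimisation question: with stateful (`keep state`) rules, only the first packet of a flow walks the ruleset; later packets match the state table and skip rule evaluation entirely, so the rule count mostly affects new connections, not every packet that passes.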