Above we introduced the interface:network notation. That is a nice piece of shorthand, but you can make your rule set even more readable and maintainable by taking the macro use a tiny bit further.
You could for example define a $localnet macro, initially defined as the network directly attached to your internal interface (ep1:network in the examples above).
Alternatively, you could change the definition of $localnet to an IP address/netmask notation to denote a network, such as 192.168.100.0/24 for a subnet of private IPv4 addresses or fec0:dead:beef::/64 for an IPv6 range.
If your network requires it, you could even define your $localnet as a list of networks. Whatever your specific needs, a sensible $localnet definition and a typical pass rule of the type
pass inet proto tcp from $localnet to port $ports keep state
could end up saving you a few headaches. We will stick to that convention from here on.
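The three ways of defining $localnet described above, as an added pf.conf fragment that is not part of the original text. The contents of the ports macro and the second subnet in the list form are constructed for illustration; ep1 is the internal interface from the earlier examples.

```conf
# Added example: only one localnet definition should be active at a time.
int_if = "ep1"

# Form 1: the network directly attached to the internal interface.
# PF derives the address and netmask from the interface itself.
localnet = $int_if:network

# Form 2: explicit address/netmask notation.
# localnet = "192.168.100.0/24"

# Form 3: a list of networks (second subnet is a constructed sample).
# localnet = "{ 192.168.100.0/24, 192.168.101.0/24 }"

# Constructed sample of services the local network may reach.
ports = "{ ssh, domain, http, https }"

# The rule itself never changes when the network definition does.
# The inet keyword limits it to IPv4, so an IPv6 localnet such as
# fec0:dead:beef::/64 needs a corresponding inet6 rule.
pass inet proto tcp from $localnet to port $ports keep state
```

Running `pfctl -nf /etc/pf.conf` parses the file without loading it, which catches a malformed macro or list before the rule set goes live.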