OPNsense Forum

Archive => 23.7 Legacy Series => Topic started by: Monviech (Cedrik) on October 09, 2023, 01:14:04 PM

Title: "IPsec internal host to host" rule, where to disable?
Post by: Monviech (Cedrik) on October 09, 2023, 01:14:04 PM
I'm looking for a way to disable the "IPsec internal host to host" rule.

I have enabled "VPN: IPsec: Advanced Settings" - "Disable all auto-added VPN rules."

When looking into pfctl -s rules it shows this rule:

  pfctl -s rules | grep -i enc0
  pass out log on enc0 all flags S/SA keep state label "c1eff64cbafdd6b80448f92cd4aff7e5"

So for now I have just set my own rule before this one to block it:

  block drop out quick on enc0 inet all label "9d362a93e2c802daca5dcc00a0ad8df8"

Having the "IPsec internal host to host" rule probably makes a lot of sense because you don't have to create your own "direction out" rules, though still having it after disabling all auto-added rules might be misleading? But I'm not judging it, I just want to know if it's the way it's supposed to be.
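The "quick" keyword on the override rule in the post is what makes it work, because pf evaluates a ruleset top to bottom and the last matching rule wins unless a matching rule carries "quick", which ends evaluation on the spot. The following script is an added example, not part of the thread and not OPNsense code: it emulates that evaluation order for outbound traffic on enc0 over a constructed ruleset shaped like the two pfctl lines quoted above (labels shortened), so you can see that the same block rule placed before the auto-added pass rule is overridden the moment "quick" is dropped.

```shell
#!/bin/sh
# Added example (not from the forum thread, not OPNsense code).
# Emulates pf's verdict for traffic going out on enc0. Assumed pf
# semantics: rules are evaluated top to bottom, the LAST matching rule
# decides, unless a matching rule has "quick", which stops evaluation.

# Constructed ruleset: the two rules from the post, user rule first and
# marked "quick". Labels are placeholders, not the real rule hashes.
RULESET_QUICK='block drop out quick on enc0 inet all label "user-block"
pass out log on enc0 all flags S/SA keep state label "auto-ipsec"'

# Same order, but the user rule WITHOUT "quick": the later auto-added
# pass rule is the last match and therefore wins.
RULESET_NOQUICK='block drop out on enc0 inet all label "user-block"
pass out log on enc0 all flags S/SA keep state label "auto-ipsec"'

# A ruleset with nothing that applies to "out on enc0" at all.
RULESET_OTHER='pass in quick on em0 inet all label "lan-in"
block drop in on enc0 all label "enc0-in-only"'

# enc0_out_verdict RULESET
#   Prints "pass", "block" or "none" for a packet leaving on enc0.
#   Only lines that start with pass/block, have direction "out" and
#   name "on enc0" are candidates; other interfaces and "in" rules are
#   ignored so the emulation stays honest about what it checks.
enc0_out_verdict() {
    printf '%s\n' "$1" | awk '
        /^(pass|block) / && / out / && / on enc0 / {
            verdict = $1          # last match wins ...
            if ($0 ~ / quick /) { # ... unless it is quick: stop here
                exit
            }
        }
        END { print (verdict == "" ? "none" : verdict) }
    '
}

# Stand-alone demonstration. On a live box you could feed the real
# ruleset instead:  enc0_out_verdict "$(pfctl -s rules)"
echo "with quick:    $(enc0_out_verdict "$RULESET_QUICK")"
echo "without quick: $(enc0_out_verdict "$RULESET_NOQUICK")"
echo "no enc0 out:   $(enc0_out_verdict "$RULESET_OTHER")"
```

The emulation only looks at the action, direction, interface and "quick" keyword, which is all that matters for the question in the post; it does not evaluate addresses, protocols or flags, so it should not be read as a general pf rule simulator.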