The ipf structure is like

  group1      group2     group3          groupn

| head 1 |->| head 2 |->| head 3|->...->|head n|
                |
                --> | rule 1|
                |
                --> | rule 2|
                |...

Your first rule will create "head" of a group and the second rule
will create a rule in this group.

If a packet matches the "head" rule of a group, ipfilter will go on to
check all rules of this group.
If the packet matches a rule of this group, the action of the rule will
be returned; otherwise, the action of the "head" rule is returned.

My English is poor and I hope you can understand what I said above.

>    But I think the ruleset "block in quick on ppp0 all head 100" will block
> all packets on ppp0, and break the ruleset match in ipfilter immediately.
>    The ruleset "pass in quick proto tcp from any to any port = WWW keep
> state group 100" will not be matched. So the packets to port www will be
> blocked too.
>
>    Could you tell me what ipfilter really does here?
>





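A toy model of the head/group evaluation order described in the reply above, added here as an example (it is not ipfilter code and not part of the original message). The `Rule` fields, the `decide()` helper, the default-pass fallback and port 80 for WWW are assumptions; `keep state` is not modeled.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str                   # "pass" or "block"
    iface: Optional[str] = None   # None matches any value
    proto: Optional[str] = None
    dport: Optional[int] = None
    quick: bool = False
    head: Optional[int] = None    # this rule is the head of group <head>
    group: int = 0                # group the rule lives in (0 = top level)

    def matches(self, pkt):
        fields = (("iface", self.iface), ("proto", self.proto), ("dport", self.dport))
        return all(want is None or pkt.get(key) == want for key, want in fields)

def evaluate(rules, pkt, group=0, verdict=None):
    """Walk one group; return (verdict, stop_processing)."""
    for r in (r for r in rules if r.group == group):
        if not r.matches(pkt):
            continue
        verdict = r.action        # a head's action is the result if no group rule matches
        stop = r.quick
        if r.head is not None:    # the group is walked before the head's "quick" ends the search
            verdict, inner_stop = evaluate(rules, pkt, r.head, verdict)
            stop = stop or inner_stop
        if stop:
            return verdict, True
    return verdict, False

def decide(rules, pkt, default="pass"):   # default for unmatched packets is an assumption
    verdict, _ = evaluate(rules, pkt)
    return verdict or default

# The two rules from the question, with WWW taken as port 80 (assumption).
GROUPED = [
    Rule("block", iface="ppp0", quick=True, head=100),
    Rule("pass", proto="tcp", dport=80, quick=True, group=100),
]
# The same two rules without head/group: here "quick" really does end the search at once.
FLAT = [
    Rule("block", iface="ppp0", quick=True),
    Rule("pass", proto="tcp", dport=80, quick=True),
]

if __name__ == "__main__":
    www = {"iface": "ppp0", "proto": "tcp", "dport": 80}   # constructed sample packet
    print("grouped:", decide(GROUPED, www), "| flat:", decide(FLAT, www))
```

The flat ruleset shows the behaviour the question expected; the grouped one shows why the head rule does not cut the match short.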