On Sun, 10 Jan 2016 13:36:44 +0100 "Peter N. M. Hansteen" <pe...@bsdly.net> wrote:
> On 01/10/16 12:40, Gianluca D.Muscelli wrote:
> > Hi, I do not understand, I'm blocking some IP with these PF rules:
> > [ ... ]
> >
> > pass in quick on egress proto tcp \
> > from <spamd> \
> > to (egress) port smtp \
> > rdr-to 127.0.0.1 port spamd
> >
> > pass out quick on egress proto tcp to any port smtp
> >
> > block return in quick from <blacklist> to any
>
> The traffic matches the first quick rule here, and the blacklist
> reference rule is never evaluated. Remove the 'quick's or move the
> blacklist check to somewhere earlier in your config.
>

I agree with Peter. I prefer to keep my 'block quick' rules at the top of the ruleset. 'quick' means 'don't check after this rule'. You already know you want to block from <blacklist> without later exceptions. Why waste resources on evaluating the complete ruleset?

-- 
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
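For reference, here is the ruleset from the thread reordered the way Marko describes, with the blacklist block placed ahead of the 'quick' pass rules. This is an added illustration, not a ruleset posted by anyone in the thread; the table definitions and the 192.0.2.0/24 address are constructed placeholders.

```pf
# Constructed placeholder table contents (RFC 5737 documentation range);
# in a real setup these tables are populated by spamd-setup / spamlogd.
table <blacklist> persist { 192.0.2.0/24 }
table <spamd> persist

# Evaluated first. 'quick' stops evaluation for any packet that matches,
# so blacklisted sources never reach the pass rules below.
block return in quick from <blacklist> to any

# Same rules as in the original post, now only reached by traffic that
# was not matched by the blacklist rule above.
pass in quick on egress proto tcp \
    from <spamd> \
    to (egress) port smtp \
    rdr-to 127.0.0.1 port spamd

pass out quick on egress proto tcp to any port smtp
```

After editing, `pfctl -nf /etc/pf.conf` checks the syntax without loading, and `pfctl -sr` prints the loaded rules in evaluation order, which makes it easy to confirm that the block rule really sits above the first 'quick' pass.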