On 24.01.2017 16:04, Luke Small wrote:
If I have:

"pass out quick on lo0 from self port 6379 to any user luke
block out quick on lo0 from self port 6379 to any
pass quick on lo0 from any to any"

a local connection to port 6379 will go to the last rule... isn't this a useful feature to allow one of the first two rules to take effect?

Unless I'm missing something silly, the last matching rule wins. Per pf.conf(5) [1]:

"For each packet processed by the packet filter, the filter rules are evaluated in sequential order, from first to last. For block and pass, the last matching rule decides what action is taken."

If you want the pass out and block out rules to supersede your last catch-all rule, you'll need a quick statement on them to prevent any further rule processing on the packet.

[1] http://man.openbsd.org/OpenBSD-current/man5/pf.conf.5
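To make the evaluation order concrete, here is a small Python model of the two pf.conf(5) rules quoted in the reply (first-to-last evaluation, last matching block/pass decides, a matching quick rule ends evaluation), applied to the three-rule set from the thread. This is an added example, not code from the thread or from OpenBSD's pf. It is stateless (real pf keeps state for pass rules by default, so later packets of an established connection are matched against the state table rather than the ruleset), it models only the fields those three rules use, and the Packet/Rule names, the ephemeral port 43210 and the "_redis" user are constructed for illustration. In pf syntax a port given after "from" is the source port and a port given after "to" is the destination port, and the model reproduces that.

```python
"""Toy model of pf rule evaluation: rules are evaluated first to last,
the last matching block/pass rule decides, and a matching rule marked
"quick" stops evaluation immediately (pf.conf(5)).  Added example,
not OpenBSD code; stateless and deliberately minimal."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str           # "in" or "out"
    iface: str               # interface the packet crosses, e.g. "lo0"
    src_port: Optional[int]  # source port
    dst_port: Optional[int]  # destination port
    user: Optional[str]      # owner of the local socket, if known


@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    quick: bool = False
    direction: Optional[str] = None  # None: matches both in and out
    iface: Optional[str] = None      # None: matches any interface
    src_port: Optional[int] = None   # "from ... port N" (source port)
    dst_port: Optional[int] = None   # "to ... port N" (destination port)
    user: Optional[str] = None       # "user NAME"

    def matches(self, p: Packet) -> bool:
        wanted = [
            (self.direction, p.direction),
            (self.iface, p.iface),
            (self.src_port, p.src_port),
            (self.dst_port, p.dst_port),
            (self.user, p.user),
        ]
        # Every criterion the rule specifies must equal the packet's value.
        return all(want is None or want == have for want, have in wanted)


def evaluate(rules: List[Rule], packet: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the deciding rule).

    pf's default policy is pass, so a packet matching no rule yields
    ("pass", None).  A later match overrides an earlier one unless the
    matching rule is quick, which ends evaluation at that rule."""
    decision: Tuple[str, Optional[int]] = ("pass", None)
    for i, rule in enumerate(rules):
        if not rule.matches(packet):
            continue
        decision = (rule.action, i)
        if rule.quick:
            break
    return decision


# The three rules from the thread.  "from self port 6379" restricts the
# source port, so these two match packets sent by whatever listens on 6379.
THREAD_RULES = [
    Rule("pass", quick=True, direction="out", iface="lo0", src_port=6379, user="luke"),
    Rule("block", quick=True, direction="out", iface="lo0", src_port=6379),
    Rule("pass", quick=True, iface="lo0"),
]

# The same set with quick removed from the first two rules: the catch-all
# is then the last matching rule and decides.
WITHOUT_QUICK = [
    Rule("pass", direction="out", iface="lo0", src_port=6379, user="luke"),
    Rule("block", direction="out", iface="lo0", src_port=6379),
    Rule("pass", quick=True, iface="lo0"),
]

# Constructed sample packets (port 43210 and the "_redis" user are made up).
CONNECT_TO_6379 = Packet("out", "lo0", 43210, 6379, "luke")       # client SYN
FROM_6379_OTHER_USER = Packet("out", "lo0", 6379, 43210, "_redis")
FROM_6379_LUKE = Packet("out", "lo0", 6379, 43210, "luke")


def demo() -> dict:
    """Decisions for each sample packet under both rulesets."""
    return {
        "connect_to_6379/quick": evaluate(THREAD_RULES, CONNECT_TO_6379),
        "from_6379_other/quick": evaluate(THREAD_RULES, FROM_6379_OTHER_USER),
        "from_6379_luke/quick": evaluate(THREAD_RULES, FROM_6379_LUKE),
        "from_6379_other/no_quick": evaluate(WITHOUT_QUICK, FROM_6379_OTHER_USER),
    }


if __name__ == "__main__":
    for name, (action, idx) in demo().items():
        where = "no rule matched" if idx is None else f"rule {idx + 1}"
        print(f"{name:26} -> {action:5} ({where})")
```

Running the module shows that a connection initiated towards port 6379 carries 6379 as its destination port, so the first two rules never match it and the catch-all pass on lo0 decides. A packet leaving lo0 with source port 6379 is decided by rule 1 or rule 2 when they are quick, because evaluation stops there; with quick removed, the catch-all pass is the last matching rule and wins, which is the behaviour the reply describes.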