On 2/20/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
> Greetings,
>
> Does it make any difference if I group my rules like this .....
> ## logs smtp sessions
> pass in log on $ext_if proto tcp to $mailhost port smtp keep state
> ## Pass all outgoing traffics
> pass out on $ext_if inet proto tcp all flags S/SA keep state
> pass out log on $ext_if inet proto tcp from $mailhost to any port smtp
> keep state
> pass out on $ext_if inet proto { icmp, udp } all keep state
>
> Or, like this .........
> ## logs smtp sessions
> pass in log on $ext_if proto tcp to $mailhost port smtp keep state
> pass out log on $ext_if inet proto tcp from $mailhost to any port smtp
> keep state
> ## Pass all outgoing traffics
> pass out on $ext_if inet proto tcp all flags S/SA keep state
> pass out on $ext_if inet proto { icmp, udp } all keep state

Last matching rule wins, so the second example won't do what you're expecting.

http://www.openbsd.org/faq/pf/filter.html

Also, try to use "flags S/SA" on all of your stateful TCP rules unless you have a good reason not to.

--
Kian Mohageri
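The ordering problem in the reply can be made concrete with a small model of PF's evaluation order. The following is an added example, not code from the thread or from the OpenBSD project: it models only the handful of match fields the four quoted rules use (direction, protocol, source, destination, destination port), walks the ruleset the way PF does (last match wins, unless a matching rule carries "quick", which the thread does not mention but the linked FAQ does), and reports which rule an outbound SMTP connection from the mail host ends up hitting under each ordering. The addresses and the "quick" variant of the rule are constructed for the example.

```python
# Added example: a simplified model of PF "last matching rule wins".
# Not PF itself; it ignores interfaces, address families, flags, state and
# everything else, and models only the fields the quoted rules match on.
from dataclasses import dataclass, replace
from typing import FrozenSet, List, Optional

ANY = "any"
MAILHOST = "192.0.2.25"        # constructed stand-in for $mailhost
REMOTE_MX = "198.51.100.7"     # constructed remote mail exchanger
SMTP = 25                      # "port smtp"


@dataclass(frozen=True)
class Rule:
    direction: str                  # "in" or "out"
    protos: FrozenSet[str]          # protocols the rule matches
    src: str = ANY                  # source host, or "any"
    dst: str = ANY                  # destination host, or "any"
    dport: Optional[int] = None     # destination port; None means any port
    log: bool = False               # rule was written with "log"
    quick: bool = False             # rule was written with "quick"
    text: str = ""                  # the pf.conf line this entry models


@dataclass(frozen=True)
class Packet:
    direction: str
    proto: str
    src: str
    dst: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and pkt.proto in rule.protos
            and rule.src in (ANY, pkt.src)
            and rule.dst in (ANY, pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(ruleset: List[Rule], pkt: Packet) -> Optional[Rule]:
    """Walk the ruleset top to bottom and return the rule PF applies: the
    *last* matching rule, unless a matching rule is marked quick, in which
    case evaluation stops at that rule."""
    winner = None
    for rule in ruleset:
        if matches(rule, pkt):
            winner = rule
            if rule.quick:
                break
    return winner


def is_logged(ruleset: List[Rule], pkt: Packet) -> bool:
    """True if the rule that wins for this packet carries 'log'."""
    winner = evaluate(ruleset, pkt)
    return winner is not None and winner.log


# The four rules from the thread, as data.
SMTP_IN = Rule("in", frozenset({"tcp"}), dst=MAILHOST, dport=SMTP, log=True,
               text="pass in log on $ext_if proto tcp to $mailhost port smtp keep state")
SMTP_OUT = Rule("out", frozenset({"tcp"}), src=MAILHOST, dport=SMTP, log=True,
                text="pass out log on $ext_if inet proto tcp from $mailhost to any port smtp keep state")
ALL_TCP_OUT = Rule("out", frozenset({"tcp"}),
                   text="pass out on $ext_if inet proto tcp all flags S/SA keep state")
ALL_ICMP_UDP_OUT = Rule("out", frozenset({"icmp", "udp"}),
                        text="pass out on $ext_if inet proto { icmp, udp } all keep state")

# First ordering from the question: the specific smtp rule sits after the catch-all.
FIRST_ORDER = [SMTP_IN, ALL_TCP_OUT, SMTP_OUT, ALL_ICMP_UDP_OUT]
# Second ordering: the specific smtp rule sits before the catch-all.
SECOND_ORDER = [SMTP_IN, SMTP_OUT, ALL_TCP_OUT, ALL_ICMP_UDP_OUT]
# Second ordering with "quick" added to the specific rule (constructed variant).
SECOND_ORDER_QUICK = [
    SMTP_IN,
    replace(SMTP_OUT, quick=True,
            text="pass out log quick on $ext_if inet proto tcp from $mailhost to any port smtp keep state"),
    ALL_TCP_OUT,
    ALL_ICMP_UDP_OUT,
]

# Constructed packets: the mail host opening an outbound SMTP connection,
# and the same host opening an ordinary outbound HTTP connection.
OUTBOUND_SMTP = Packet("out", "tcp", MAILHOST, REMOTE_MX, SMTP)
OUTBOUND_HTTP = Packet("out", "tcp", MAILHOST, REMOTE_MX, 80)

if __name__ == "__main__":
    for name, rs in (("first", FIRST_ORDER), ("second", SECOND_ORDER),
                     ("second+quick", SECOND_ORDER_QUICK)):
        w = evaluate(rs, OUTBOUND_SMTP)
        print(f"{name:13} logged={is_logged(rs, OUTBOUND_SMTP)!s:5} winner: {w.text}")
```

Under the first ordering the outbound SMTP packet's last match is the "log" rule, so it is logged; under the second ordering the generic "pass out ... proto tcp all" rule matches last and wins, so nothing is logged. Marking the specific rule "quick" restores the logging regardless of where the catch-all sits. Since all of these rules keep state, the winning rule on the first packet is also the one that creates the state entry, so the log decision is fixed for the whole connection; this model only looks at that first packet.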

