Without the "quick" keyword, pf evaluates all of your rules, and if a more permissive rule exists that matches the traffic flow, it is used. This is different from some commercial firewalls such as Check Point, which stop when the traffic matches a rule and process the rules in order.

It's common in a pf setup to block all at the beginning of the security rules, without the quick keyword, and then add the pass rules afterwards. Anything not matching a pass rule would by default hit your first block all rule.

If you are very used to an in-order, stop-when-matched firewall, then using quick on every rule will be more familiar to you, and your block quick log all should be at the bottom of your rulebase, after the pass rules.

Pierre
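The two rulebase styles Pierre describes, side by side as an added pf.conf example (this is not from the original thread or from the poster's own pf.conf; the interface name em0 and the ports are assumed for illustration). In the first style, the logged block rule is written first and loses to any later pass rule that also matches, so a packet that is passed is never logged by the block rule; in the second style, every rule carries quick, so evaluation stops at the first match and the logged block rule at the bottom only ever sees traffic nothing above it accepted.

```pf
# Assumed interface name for this example
ext_if = "em0"

# Style 1: pf default semantics, last matching rule wins.
# The block rule is first and is only the "winner" for traffic that no
# later pass rule matches. Only the winning rule's log option applies,
# so passed traffic never shows up on pflog0 via this block rule.
block log all
pass out on $ext_if inet proto tcp from ($ext_if) to any port { 80 443 } keep state
pass in  on $ext_if inet proto tcp from any to ($ext_if) port 22 keep state

# Style 2: first-match semantics with quick on every rule.
# Evaluation stops at the first matching rule, so the pass rules go
# first and the logged catch-all block goes last.
pass out quick on $ext_if inet proto tcp from ($ext_if) to any port { 80 443 } keep state
pass in  quick on $ext_if inet proto tcp from any to ($ext_if) port 22 keep state
block log quick all
```

Load only one of the two styles at a time; mixing them is what produces the surprise described in the thread, where a later unqualified pass rule silently overrides an earlier logged block. Blocked packets can then be watched with `tcpdump -n -e -ttt -i pflog0`, and `pfctl -sr` shows the rules in the order pf actually evaluates them.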

patrick keshishian wrote:
On Sun, Mar 8, 2009 at 11:12 AM, Maxx Twayne <maxxtwa...@gmail.com> wrote:
Hi,

I would like to see all blocked packets with pf. And I used this:

block in log on $ext_if all
block out log all

But when I read pflog0 or the pflog file, I didn't get any blocked
packets.
Only the logged pass that I asked for.

Is there any kind of protection, or did I do something wrong?

Hard to tell with the small snippet of your pf.conf you included. It
could be a problem with your rule-set that allows everything to pass.
Can't tell with the info you provided.

--patrick
