On Fri, Jul 17, 2009 at 10:35:03AM +0200, Holger Glaess wrote:
| Sorry ....... for my bad, ugly English, I have little practice.
| 
| 
| I am talking about a line with just "pass", nothing else.
| 
| 
| example.
| 
| ---- pf.conf -----
| 
| 
| block in on wan all
| block out on wan all
| 
| # correct line ex.
| pass in on wan from any to http-server port 80
| 
| 
| # kills the block rules in/out, this is my question.
| pass
| 
| 
| I hope that describes it better ;)

OK, so I did understand you correctly. Your ruleset is valid. This is
how pf (pf.conf) is supposed to work. As I said before: works as
intended. You can write very solid rulesets in pf.conf, but you can
also put absolute nonsense in it and it can still be valid pf syntax.
Remember that, as pf.conf(5) states, "last matching rule decides what
action is taken". 'pass' matches all packets, and the action will be to
pass the traffic.

Your ruleset isn't necessarily absolute nonsense, btw. When debugging
my rules, I sometimes add a 'pass' as the last rule, reload, verify
everything works, then move the 'pass' rule up until whatever problem
I had shows up again. Helps identify problematic rules.

You wouldn't complain if you put 'rm -f /' at the end of
/etc/rc.local, now would you? You won't get a warning for it either.

Cheers,

Paul 'WEiRD' de Weerd

-- 
>++++++++[<++++++++++>-]<+++++++.>+++[<------>-]<.>+++[<+
+++++++++++>-]<.>++[<------------>-]<+.--------------.[-]
                 http://www.weirdnet.nl/                 
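
The "last matching rule decides" semantics and the move-the-'pass'-up debugging trick from the reply above, modelled in a few lines of Python. This is an added example, not code from the thread or from pf itself: it parses only a tiny subset of pf.conf syntax, and the ruleset and packets are constructed from the quoted example.

```python
# Simplified pf rule syntax: ACTION [in|out] [on IFACE] [all] [from SRC] [to DST] [port N]
def parse_rule(line):
    """Return (action, constraints) for one rule of the tiny subset above."""
    action, *rest = line.split()
    if action not in ("pass", "block"):
        raise ValueError(f"unsupported action: {action}")
    keys = {"on": "iface", "from": "src", "to": "dst", "port": "port"}
    c, i = {}, 0
    while i < len(rest):
        tok = rest[i]
        if tok in ("in", "out"):
            c["direction"], i = tok, i + 1
        elif tok in keys:
            c[keys[tok]] = int(rest[i + 1]) if tok == "port" else rest[i + 1]
            i += 2
        elif tok == "all":          # 'all' adds no address constraint
            i += 1
        else:
            raise ValueError(f"unsupported token: {tok}")
    return action, c

def matches(constraints, pkt):
    """A constraint of 'any' matches everything, as in pf; a bare 'pass' has none."""
    return all(want == "any" or pkt[key] == want for key, want in constraints.items())

def evaluate(rules, pkt):
    """pf.conf(5) semantics: the LAST matching rule decides. With no match, pf passes."""
    action = "pass"
    for line in rules:
        act, c = parse_rule(line)
        if matches(c, pkt):
            action = act
    return action

def blocking_rule(rules, pkt):
    """The debugging trick from the mail: append a bare 'pass' (everything passes),
    then move it up one position at a time until the packet is blocked again.
    The rule directly below 'pass' at that point is the culprit (None if none)."""
    for pos in range(len(rules) - 1, -1, -1):
        trial = rules[:pos] + ["pass"] + rules[pos:]
        if evaluate(trial, pkt) == "block":
            return rules[pos]
    return None

# Constructed ruleset (the one quoted in the thread) and constructed packets.
RULES = ["block in on wan all", "block out on wan all",
         "pass in on wan from any to http-server port 80"]
WEB = {"direction": "in", "iface": "wan", "src": "198.51.100.7", "dst": "http-server", "port": 80}
SSH = {"direction": "in", "iface": "wan", "src": "198.51.100.7", "dst": "http-server", "port": 22}

if __name__ == "__main__":
    print(evaluate(RULES, WEB), evaluate(RULES, SSH))   # pass block
    print(evaluate(RULES + ["pass"], SSH))             # pass: the bare 'pass' wins
    print(blocking_rule(RULES, SSH))                   # block in on wan all
```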
