On 2009/09/12 16:50, Daniel Malament wrote:
>
> But if you create a default-permit ruleset with wide-ranging block
> rules, like:
>
> ---
> block in on $ext_if
> pass in on $ext_if from any to $ext_if port 22
> ---
>
> you get the same filtering results with fewer rules, one state per
> connection, and no need for ruleset lookups on established streams.

You don't have a rule handling $int_if or outbound traffic, so the default _non-stateful_ pass rule is used. You're doing a whole ruleset evaluation per outgoing packet.

On 2009/09/12 21:25, Karl O. Pinc wrote:
>
> > table <non_local> { 0.0.0.0/0 !$int_net1 !$int_net2 }
> > pass in on $int_net3 from any to <non_local>
>
> At first glance, this won't work. An address in
> $int_net1 will match !$int_net2 and so will pass
> and vice versa. My brain is full right now so I
> could be wrong but I am sure there are issues just
> like this with ! to watch out for.

Negation works as expected in a single table so that's ok.

The problem with ! is where you do this,

pass in to { 0.0.0.0/0 !$int_net1 !$int_net2 }

which expands to three rules,

pass in to 0.0.0.0/0
pass in to !$int_net1
pass in to !$int_net2
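The table-versus-list distinction above, as an added illustration that is not part of the thread: a small Python model of the two evaluation semantics, with placeholder networks standing in for $int_net1 and $int_net2 since the thread does not give them. A pf table treats its entries as one set (the most specific entry decides, and a "!" entry excludes), while the brace list becomes three independent pass rules, so a packet passes if any one of them matches.

```python
import ipaddress

# Constructed placeholder networks; the thread never states the real $int_net1/$int_net2.
INT_NET1 = ipaddress.ip_network("192.168.1.0/24")
INT_NET2 = ipaddress.ip_network("192.168.2.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

# table <non_local> { 0.0.0.0/0 !$int_net1 !$int_net2 } modelled as (network, negated) entries.
TABLE_NON_LOCAL = [(ANY, False), (INT_NET1, True), (INT_NET2, True)]


def in_table(addr, table):
    """Table membership: the longest matching prefix decides; a negated entry excludes."""
    a = ipaddress.ip_address(addr)
    best = None
    for net, negated in table:
        if a in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, negated)
    return best is not None and not best[1]


def passes_via_table(addr):
    """pass in ... to <non_local>: a single rule whose destination is the table."""
    return in_table(addr, TABLE_NON_LOCAL)


def passes_via_list(addr):
    """pass in ... to { 0.0.0.0/0 !$int_net1 !$int_net2 } expands to three separate
    pass rules; they are evaluated independently, so one match is enough to pass."""
    a = ipaddress.ip_address(addr)
    expanded_rules = [
        a in ANY,            # pass in to 0.0.0.0/0
        a not in INT_NET1,   # pass in to !$int_net1
        a not in INT_NET2,   # pass in to !$int_net2
    ]
    return any(expanded_rules)


if __name__ == "__main__":
    for dst in ("192.168.1.10", "192.168.2.10", "8.8.8.8"):
        print(dst, "table:", passes_via_table(dst), "list:", passes_via_list(dst))
```

An address inside $int_net1 is excluded by the table but still passes through the expanded list, because it satisfies the "!$int_net2" rule (and the 0.0.0.0/0 one) on its own.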