On 2009/09/12 16:50, Daniel Malament wrote:
>
> But if you create a default-permit ruleset with wide-ranging block
> rules, like:
>
> ---
> block in on $ext_if
> pass  in on $ext_if from any to $ext_if port 22
> ---
>
> you get the same filtering results with fewer rules, one state per
> connection, and no need for ruleset lookups on established streams.

You don't have a rule handling $int_if or outbound traffic, so the
default _non stateful_ pass rule is used. You're doing a whole ruleset
evaluation per outgoing packet.

On 2009/09/12 21:25, Karl O. Pinc wrote:
>
> > table <non_local> { 0.0.0.0/0 !$int_net1 !$int_net2 }
> > pass in on $int_net3 from any to <non_local>
>
> At first glance, this won't work.  An address in
> $int_net1 will match !$int_net2 and so will pass
> and vice versa.  My brain is full right now so I
> could be wrong but I am sure there are issues just
> like this with ! to watch out for.

Negation works as expected in a single table so that's ok.
The problem with ! is where you do this,

pass in to {0.0.0.0/0 !$int_net1 !$int_net2}

which expands to three rules,

pass in to 0.0.0.0/0
pass in to !$int_net1
pass in to !$int_net2
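As an added illustration (not code from the thread), here is a small Python model of the two semantics the reply contrasts. pf resolves a table lookup by its most specific matching entry, so a negated entry excludes its block, whereas a list inside a rule expands to one rule per element, and with no `quick` the last matching rule decides. The network values standing in for $int_net1 and $int_net2 are constructed placeholders.

```python
import ipaddress

# Constructed placeholders for the macros in the thread.
INT_NET1 = "10.0.0.0/8"
INT_NET2 = "172.16.0.0/12"
# The same three entries, used both as a table and as a rule list.
NON_LOCAL = ["0.0.0.0/0", "!" + INT_NET1, "!" + INT_NET2]


def parse_entry(entry):
    """Split an optional leading '!' from a CIDR block."""
    negated = entry.startswith("!")
    return negated, ipaddress.ip_network(entry.lstrip("!"), strict=False)


def table_matches(entries, addr):
    """Table semantics: longest prefix wins; a negated best match excludes."""
    ip = ipaddress.ip_address(addr)
    best = None
    for negated, net in map(parse_entry, entries):
        if ip in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (negated, net)
    return best is not None and not best[0]


def expand_list(action, entries):
    """List semantics: 'pass in to {a b c}' becomes one rule per element."""
    return [(action, entry) for entry in entries]


def rule_matches(entry, addr):
    negated, net = parse_entry(entry)
    return (ipaddress.ip_address(addr) in net) != negated


def evaluate(rules, addr, default="block"):
    """Last matching rule wins, as in pf without 'quick'."""
    verdict = default
    for action, entry in rules:
        if rule_matches(entry, addr):
            verdict = action
    return verdict


def table_verdict(addr):
    return "pass" if table_matches(NON_LOCAL, addr) else "block"


def list_verdict(addr):
    return evaluate(expand_list("pass", NON_LOCAL), addr)


if __name__ == "__main__":
    for dst in ("10.0.0.5", "172.16.0.5", "192.0.2.5"):
        print(dst, "table:", table_verdict(dst), "list:", list_verdict(dst))
```

An address inside $int_net1 is blocked by the table but passed by the expanded list, because the `!$int_net2` rule matches it.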
