Re: A question on pf rules
On Tue, 2007-02-20 at 07:32 -0800, [EMAIL PROTECTED] wrote:
> Greetings,
>
> Does it make any difference if I group my rules like this .

It can be, depending on your situation. PF rules are read top to bottom; therefore, lower rules can override rules that were previously defined. If you want a rule defined and there to be no chance that a later rule can alter it, add the 'quick' keyword.

later.

ryanc
--
Ryan Corder [EMAIL PROTECTED]
Systems Engineer, NovaSys Health LLC.
501-219- ext. 646
Re: A question on pf rules
On 2/20/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> Greetings,
>
> Does it make any difference if I group my rules like this .
>
> ## logs smtp sessions
> pass in log on $ext_if proto tcp to $mailhost port smtp keep state
>
> ## Pass all outgoing traffics
> pass out on $ext_if inet proto tcp all flags S/SA keep state
> pass out log on $ext_if inet proto tcp from $mailhost to any port smtp keep state
> pass out on $ext_if inet proto { icmp, udp } all keep state
>
> Or, like this .
>
> ## logs smtp sessions
> pass in log on $ext_if proto tcp to $mailhost port smtp keep state
> pass out log on $ext_if inet proto tcp from $mailhost to any port smtp keep state
>
> ## Pass all outgoing traffics
> pass out on $ext_if inet proto tcp all flags S/SA keep state
> pass out on $ext_if inet proto { icmp, udp } all keep state

Last matching rule wins, so the second example won't do what you're expecting.

http://www.openbsd.org/faq/pf/filter.html

Also, try to use flags S/SA on all of your stateful TCP rules unless you have a good reason not to.

--
Kian Mohageri
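To see why the two replies above say the ordering matters, here is an added example (not from the original poster, Ryan Corder, Kian Mohageri, or the pf project) that models pf's evaluation of the rules quoted in the thread: every rule is checked in order, the last matching rule wins, and a matching rule marked `quick` stops evaluation immediately. The parser below understands only the small pf.conf subset these rules use; macros such as `$ext_if` and `$mailhost` and the service name `smtp` are kept as literal strings rather than expanded, `keep state`, `flags S/SA`, `inet` and `all` are accepted but do not constrain matching, and the sample packets are constructed for the demonstration. It is a model of the ordering semantics, not a pf implementation.

```python
"""Model of pf rule evaluation: last matching rule wins unless a matching
rule carries 'quick'.  Added illustration covering a pf.conf subset only."""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class Rule:
    text: str
    action: str
    direction: Optional[str] = None      # "in" / "out", None = either
    log: bool = False
    quick: bool = False
    iface: Optional[str] = None          # kept literal, e.g. "$ext_if"
    protos: Optional[Set[str]] = None    # None = any protocol
    src: Optional[str] = None            # None or "any" = wildcard
    dst: Optional[str] = None
    dport: Optional[str] = None


@dataclass
class Packet:
    direction: str
    iface: str
    proto: str
    src: str
    dst: str
    dport: Optional[str] = None


def parse_rule(line: str) -> Rule:
    """Parse the pf.conf subset used in the thread (assumption: one rule per line)."""
    toks = line.split()
    r = Rule(text=line, action=toks[0])
    i = 1
    while i < len(toks):
        t = toks[i]
        if t in ("in", "out"):
            r.direction = t
        elif t == "log":
            r.log = True
        elif t == "quick":
            r.quick = True
        elif t == "on":
            i += 1
            r.iface = toks[i]
        elif t == "proto":
            i += 1
            if toks[i] == "{":               # proto { icmp, udp }
                protos = set()
                i += 1
                while toks[i] != "}":
                    protos.add(toks[i].rstrip(","))
                    i += 1
                r.protos = protos
            else:
                r.protos = {toks[i]}
        elif t == "from":
            i += 1
            r.src = toks[i]
        elif t == "to":
            i += 1
            r.dst = toks[i]
        elif t == "port":
            i += 1
            r.dport = toks[i]
        # inet, all, flags S/SA, keep state: accepted, no effect on matching here
        i += 1
    return r


def matches(r: Rule, p: Packet) -> bool:
    return ((r.direction is None or r.direction == p.direction)
            and (r.iface is None or r.iface == p.iface)
            and (r.protos is None or p.proto in r.protos)
            and (r.src in (None, "any") or r.src == p.src)
            and (r.dst in (None, "any") or r.dst == p.dst)
            and (r.dport is None or r.dport == p.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """pf semantics: last match wins; a matching 'quick' rule ends the walk."""
    winner = None
    for r in rules:
        if matches(r, pkt):
            winner = r
            if r.quick:
                break
    return winner


def load(ruleset: str) -> List[Rule]:
    return [parse_rule(l) for l in ruleset.strip().splitlines() if not l.startswith("#")]


# The two orderings from the original question, plus the second one with 'quick'.
RULESET_A = load("""
pass in log on $ext_if proto tcp to $mailhost port smtp keep state
pass out on $ext_if inet proto tcp all flags S/SA keep state
pass out log on $ext_if inet proto tcp from $mailhost to any port smtp keep state
pass out on $ext_if inet proto { icmp, udp } all keep state
""")
RULESET_B = load("""
pass in log on $ext_if proto tcp to $mailhost port smtp keep state
pass out log on $ext_if inet proto tcp from $mailhost to any port smtp keep state
pass out on $ext_if inet proto tcp all flags S/SA keep state
pass out on $ext_if inet proto { icmp, udp } all keep state
""")
RULESET_B_QUICK = load("""
pass in log on $ext_if proto tcp to $mailhost port smtp keep state
pass out log quick on $ext_if inet proto tcp from $mailhost to any port smtp keep state
pass out on $ext_if inet proto tcp all flags S/SA keep state
pass out on $ext_if inet proto { icmp, udp } all keep state
""")

# Constructed sample: the mail host opening an outbound SMTP session.
SMTP_OUT = Packet("out", "$ext_if", "tcp", "$mailhost", "203.0.113.5", "smtp")


def outgoing_smtp_logged(rules: List[Rule]) -> bool:
    """True if the rule that finally decides SMTP_OUT carries 'log'."""
    w = evaluate(rules, SMTP_OUT)
    return w is not None and w.log


if __name__ == "__main__":
    for name, rs in (("A", RULESET_A), ("B", RULESET_B), ("B+quick", RULESET_B_QUICK)):
        print(name, "logs outgoing SMTP:", outgoing_smtp_logged(rs),
              "| winner:", evaluate(rs, SMTP_OUT).text)
```

Ruleset A logs the session because the `log` rule comes after the generic `pass out` rule and so is the last match; ruleset B does not, because the generic rule is evaluated later and wins; adding `quick` to the `log` rule in ruleset B restores the logging regardless of what follows.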