On 2013/07/31 09:04, Maxim Khitrov wrote: > On Wed, Jul 31, 2013 at 3:53 AM, Stuart Henderson <[email protected]> wrote: > > On 2013/07/30 14:41, Maxim Khitrov wrote: > >> I expected a "match quick ..." rule in pf.conf to terminate ruleset > >> evaluation without changing the pass/block state. > > > > "match quick" seems like a config error to me, what use would it have? > > maybe it should just be rejected? > > I think it's nice way of preventing errors. It gives you a way of > applying the default block rule, unless something else was matched,
The default rule in PF is not block, it's "pass flags any no state" which is likely to trip people up if they accidentally use it with tcp and window scaling (this default rule is probably responsible for the majority of PF configuration mistakes that I've seen..) I'm just a bit leery of changing syntax in a way which allows this to be hit more easily.
