-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 03/01/15 10:48, Stuart Henderson wrote:
>
> It would be *possible* to modify pfctl's parser to handle this. The question
> is whether it's worth the time to implement it and extra complexity. Note
> that it would need to handle splitting the rule (cases like "pass to service
> {http domain}" shouldn't allow udp to port 80). I don't think it
> should use the word "port" because that gives expectations of it *only*
> looking at the port number.
>

The point is that the port number is meaningless without a protocol
specification. So

    pass in from any to (self) port {http telnet}

should actually be read as

    pass in from any to (self) port { 80/tcp 80/udp 23/tcp }

(I broke pf.conf syntax here just to show.)

Regards
Harri
-----BEGIN PGP SIGNATURE-----

iQEbBAEBCAAGBQJU83IUAAoJEAqeKp5m04HL7CAH9jbOYJXa8+9wthTCj763KCCc
AYUpuszbT80gQftKRZW/kfRkAhI5yykLFlB9GbhrAaiCexoF6oksdRvxjiteSYcb
Ry5SChd5a1DxL40knUMx8GZjSKf+UXchCZqwYD0t/EtWkf+P1IlOf6KTtcrj3GGb
q3tLzyDAXiRYjmjsKbBj+3++yk/Vgx1QdFDLLseZd79GPFVNxDNg7+/3C4TKCGwt
CtSYiZIXh7QEwxdfHKTUS/D5F1BPkVwhR96HjoMf7Gi85SiA7e3DUW5og5Brd7Qp
vgj6LnHgwtpob/qR5SbWWsMm7Ag/o2NAg5hbdrUJ7p0YSnxFBntlircFq1HFTQ==
=pZ5b
-----END PGP SIGNATURE-----
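The rule splitting both posters describe, as an added example that is not part of the thread and not pfctl's code: a small Python expander takes a pf-style rule whose port list names services, resolves each name against a constructed stand-in for /etc/services (name to a list of (port, proto) pairs), and emits one rule per protocol with an explicit "proto" clause. That is what keeps a list like {http telnet} from admitting udp to port 23: udp only ever gets the ports that a named service actually defines on udp. The keyword "service" (and "port" as a synonym), the regex, and the SERVICES table are assumptions made for the example; real pf.conf grammar is not parsed.

```python
"""Expand a pf-style rule naming services into one rule per protocol.

Added example for the thread above; it is not pfctl code and does not
parse real pf.conf.  SERVICES is a constructed stand-in for /etc/services.
"""
import re
from collections import OrderedDict

# Constructed table: a service name can map to the same port number on
# several protocols, which is exactly why the port alone is ambiguous.
SERVICES = {
    "http": [(80, "tcp"), (80, "udp")],
    "domain": [(53, "tcp"), (53, "udp")],
    "telnet": [(23, "tcp")],
    "ssh": [(22, "tcp")],
}

# Assumed syntax: "<rule head> service {name name ...}" or "... service name";
# "port" is accepted as a synonym so the original poster's form works too.
RULE_RE = re.compile(
    r"^(?P<head>.*?)\s+(?:service|port)\s+(?P<svcs>\{[^}]*\}|\S+)\s*$")


def resolve(name, table=SERVICES):
    """Return the (port, proto) pairs a service name stands for.

    A bare number carries no protocol, so it is mapped to both tcp and udp.
    An unknown name is an error rather than something silently dropped.
    """
    if name.isdigit():
        return [(int(name), "tcp"), (int(name), "udp")]
    if name not in table:
        raise ValueError("unknown service: %s" % name)
    return list(table[name])


def expand(rule, table=SERVICES):
    """Split a rule with a service list into one rule per protocol.

    Each emitted rule carries an explicit 'proto' and only the port
    numbers the named services define on that protocol.
    """
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError("no service/port clause found: %r" % rule)
    head = m.group("head")
    names = m.group("svcs").strip("{}").split()

    by_proto = OrderedDict()          # proto -> ordered, de-duplicated ports
    for n in names:
        for port, proto in resolve(n, table):
            ports = by_proto.setdefault(proto, [])
            if port not in ports:
                ports.append(port)

    out = []
    for proto, ports in by_proto.items():
        # pf grammar puts 'proto' before the from/to part, so insert it there.
        where = re.search(r"\b(from|to)\b", head)
        if where:
            new_head = "%sproto %s %s" % (head[:where.start()], proto,
                                          head[where.start():])
        else:
            new_head = "%s proto %s" % (head, proto)
        if len(ports) == 1:
            plist = str(ports[0])
        else:
            plist = "{ %s }" % " ".join(str(p) for p in ports)
        out.append("%s port %s" % (new_head, plist))
    return out


if __name__ == "__main__":
    for r in expand("pass in from any to (self) service {http telnet}"):
        print(r)
```

Running it on the poster's rule prints a tcp rule for ports 80 and 23 and a separate udp rule for port 80 only; a rule naming an undefined service raises instead of producing a rule with a hole in it.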