"Mikel Lindsaar" <[EMAIL PROTECTED]> writes:
> I have purchased and read the book of PF (good book by the way) as

Thanks! :)

> What I mean is, does a matching pass quick rule on one interface (say
> $int_if) then also guarantee egress on another interface that has a
> block rule?

No. Rules that filter 'on' an interface (in or out) apply to that
interface only.  For simple setups you may gain some readability by
writing your rules without direct reference to interfaces, i.e.
something like (given sensible macro definitions)

block all
pass inet proto tcp from $friendnet to $ournet port $allowedports

I think this is in the book, too.

> For a contrived example:
>
> 1 pass in quick on $int_if route-to ($ext_if, $ext_gw) from any to any
> 2 block out quick on $ext_if from any to any
>
> Given a packet coming in on $int_if, rule(1) matches so rule(2) would
> not be evaluated.
> Given a packet originating from localhost, rule(1) does not match so
> rule(2) would be matched.

That's correct, but you would get the same effect by putting a default
'block all' on top of your rule set, then allowing selectively.

- P
-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

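The two rule-set styles discussed in the thread, side by side, as an added example that is not part of the original mail exchange. The macro values (em0, em1, the 192.0.2.0/24, 198.51.100.0/24 and 10.0.0.0/24 networks, the port list) are assumptions chosen for illustration; the point is the structure, not the addresses. The exact route-to syntax varies between PF versions, so the interface-bound rules are shown as comments rather than as a loadable line.

```pf
# Added example, not from the original thread. Macro values are assumed.
int_if = "em1"
ext_if = "em0"
ext_gw = "192.0.2.1"
friendnet = "10.0.0.0/24"
ournet = "198.51.100.0/24"
allowedports = "{ 22, 80, 443 }"

# Style 1: interface-bound rules (the contrived example from the question).
# 'pass in quick on $int_if' filters only the inbound leg on $int_if;
# 'block out quick on $ext_if' filters only the outbound leg on $ext_if.
# Neither says anything about traffic on any other interface or direction.
# (route-to argument syntax depends on the PF version; check pf.conf(5).)
#
#   pass in quick on $int_if route-to ($ext_if $ext_gw) from $friendnet to any
#   block out quick on $ext_if from any to any

# Style 2: the recommended default-deny layout. 'block all' denies every
# interface and direction; the pass rule names no interface, so it is
# evaluated wherever the packet shows up, and nothing else gets through.
block all
pass inet proto tcp from $friendnet to $ournet port $allowedports
```

Two checks worth running before trusting either style. Parse without loading with `pfctl -nf /etc/pf.conf`, then load with `pfctl -f /etc/pf.conf` and read back the effective rule set with `pfctl -sr` (macros expanded, so you see which interface each rule is actually bound to). Second, remember that a packet admitted by a `pass` rule creates state, and PF's default state policy is floating: the reply and forwarded legs of that connection are matched against the state table on any interface before the rules are consulted, so a later `block out on $ext_if` never sees them. If you want state entries tied to the interface they were created on, set `set state-policy if-bound` at the top of the rule set; `pfctl -ss` shows the live state entries either way.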