On Mon, Aug 25, 2008 at 11:33 AM, Aaron Stellman <[EMAIL PROTECTED]> wrote:
> On Mon, Aug 25, 2008 at 11:05:38AM +1000, Mikel Lindsaar wrote:
>> I have purchased and read the book of PF (good book by the way) as
>> well as the man pages, and I have a question that I have not been able
>> to find a definitive answer on:
>>
>> "Does PF only evaluate every packet against the ruleset once on all
>> interfaces, or does it evaluate once for each interface?"
>
> If your default action is `block' and you want to allow a packet to be
> routed through 2 interfaces on a multihomed box, you'd need two rules:
> 1st rule to allow packet `in' on the first interface
> 2nd rule to allow packet `out' from the second interface
>
> I hope this answers your question.
Thanks for your answer. That mostly answers it. Might be a good
thing to modify the man page on the quick keyword...
So instead of this in pf.conf(5):
quick
    If a packet matches a rule which has the quick option set, this
    rule is considered the last matching rule, and evaluation of
    subsequent rules is skipped.
We should change it to something like this?
quick
    If a packet matches a rule which has the quick option set, this
    rule is considered the last matching rule, and evaluation of
    subsequent rules is skipped. Note, if the rule using the quick
    directive states a specific interface, then using quick on a packet
    does not guarantee that the packet will make it through the rule set
    of a different interface. If using quick on a specific interface,
    then you will need additional rules on other interfaces to approve
    or block the packet. If you want a packet to be globally affected as
    the last matching rule, then be sure not to specify an interface
    when using the quick directive.
Although it is a bit wordy, is that the correct idea?
If that is the case, then this shows a perfect use of the tagging
features of PF. I could tag a packet as 'approved' and then do pass
quick on the other interfaces for these packets.
Mikel
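A pf.conf sketch of the two-interface case and the tagging idea discussed in this thread, added here as an illustration and not taken from the thread or from pf.conf(5); the interface names, the LAN prefix, the service port and the if-bound state policy are assumptions:

```pf
# Added example: multihomed box forwarding from $ext_if to $int_if with a
# block-all default. Interface names and addresses are made up.
ext_if  = "em0"
int_if  = "em1"
lan_net = "192.168.1.0/24"

set skip on lo0
# Bind each state to the interface it was created on, so a packet passed
# in on $ext_if is evaluated against the ruleset again when it goes out
# on $int_if (with the default floating policy the state alone would
# already match it there and no second rule would be consulted).
set state-policy if-bound

# Default deny: applies to every interface in both directions.
block log all

# Inbound decision on $ext_if. quick ends evaluation for THIS pass only;
# the same packet is evaluated again as it leaves via $int_if.
# The tag travels with the packet so the outbound rule can recognise it
# without restating the address/port criteria.
pass in quick on $ext_if proto tcp from any to $lan_net port 22 \
    flags S/SA keep state tag APPROVED

# Outbound decision on $int_if. Without this rule the forwarded packet
# would hit "block log all" here even though it was passed quick above.
pass out quick on $int_if tagged APPROVED keep state

# Anything tagged elsewhere but not approved for this interface still
# falls through to the default block, which is what you want.
```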