> On Fri, Jul 17, 2009 at 10:35:03AM +0200, Holger Glaess wrote:
> | Sorry for my bad, ugly English; I have little practice.
> |
> | I am talking about a line with just "pass" and nothing else.
> |
> | Example:
> |
> | ---- pf.conf -----
> |
> | block in on wan all
> | block out on wan all
> |
> | # correct line ex.
> | pass in on wan proto tcp from any to http-server port 80
> |
> | # kills the block rules in/out; this is my question.
> | pass
> |
> | I hope that describes it better ;)
>
> OK, so I did understand you correctly. Your ruleset is valid. This is
> how pf (pf.conf) is supposed to work. As I said before: works as
> intended. You can write very solid rulesets in pf.conf, but you can
> also put absolute nonsense in it and it can still be valid pf syntax.
> Remember that, as pf.conf(5) states, "last matching rule decides what
> action is taken". 'pass' matches all packets and the action will be to
> pass the traffic.
>
> Your ruleset isn't necessarily absolute nonsense, btw. When debugging
> my rules, I sometimes add a 'pass' as the last rule, reload, verify
> everything works, then move the 'pass' rule up until whatever problem
> I had shows up again. Helps identify problematic rules.
>
> You wouldn't complain if you put a 'rm -f /' at the end of
> /etc/rc.local, now would you? You won't get a warning for it either.
>
> Cheers,
>
> Paul 'WEiRD' de Weerd
>
Hi, you are right, but I think it would be really helpful if pfctl gave a warning when it finds this kind of line, so that you can decide whether you want this rule or whether it is a typo that has to be corrected.

Holger
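To make the "last matching rule decides" point concrete, here is an added example (not pf's code and not from anyone in this thread): a small Python model of pf's rule evaluation that replays Holger's ruleset, plus the kind of warning he is asking pfctl for, flagging every rule that a later catch-all `pass` (or `block`) makes irrelevant. The interface name `wan`, the host `http-server` and the sample packets are constructed; only `pass`/`block`, `in`/`out`, `quick`, `on`, `proto`, `from`, `to`, `port` and `all` are understood.

```python
import re

# Subset of pf.conf filter-rule syntax: action [dir] [quick] [on iface] (all | [proto p] [from s] [to d] [port n])
RULE_RE = re.compile(
    r"^(?P<action>pass|block)(?:\s+(?P<dir>in|out))?(?:\s+(?P<quick>quick))?"
    r"(?:\s+on\s+(?P<iface>\S+))?"
    r"(?:\s+(?P<all>all)|(?:\s+proto\s+(?P<proto>\S+))?(?:\s+from\s+(?P<src>\S+))?"
    r"(?:\s+to\s+(?P<dst>\S+))?(?:\s+port\s+(?P<port>\d+))?)\s*$"
)
FILTER_FIELDS = ("dir", "iface", "proto", "src", "dst", "port")

# Holger's ruleset from the thread (constructed sample input; 'wan' and 'http-server' are placeholders).
RULESET = """
block in on wan all
block out on wan all
pass in on wan proto tcp from any to http-server port 80
pass
"""

def parse_rule(line):
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {line!r}")
    r = m.groupdict()
    r["port"] = int(r["port"]) if r["port"] else None
    r["quick"] = r["quick"] is not None
    r["text"] = line.strip()
    return r

def load_ruleset(text):
    return [parse_rule(l) for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]

def matches(rule, pkt):
    # A field the rule omits (or sets to 'any') matches everything; a bare 'pass' omits them all.
    return all(rule[f] in (None, "any") or rule[f] == pkt[f] for f in FILTER_FIELDS)

def evaluate(ruleset, pkt):
    """Return (action, rule_index). The LAST matching rule wins, unless a matching
    rule carries 'quick', which ends evaluation there. No match at all: pf passes."""
    verdict = ("pass", None)
    for i, rule in enumerate(ruleset):
        if matches(rule, pkt):
            verdict = (rule["action"], i)
            if rule["quick"]:
                break
    return verdict

def lint(ruleset):
    """The warning pfctl does not give: non-quick rules placed before a catch-all rule
    can never decide a verdict, because the catch-all also matches and comes later."""
    catch_alls = [i for i, r in enumerate(ruleset) if all(r[f] in (None, "any") for f in FILTER_FIELDS)]
    if not catch_alls:
        return []
    last = catch_alls[-1]
    return [f"rule {i} '{r['text']}' never decides: rule {last} '{ruleset[last]['text']}' matches every packet"
            for i, r in enumerate(ruleset[:last]) if not r["quick"]]
```

Running `evaluate` on an inbound TCP port 22 packet to `http-server` returns `("pass", 3)` with the bare `pass` present and `("block", 0)` without it, and `lint` reports all three earlier rules as shadowed.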

