On 3 November 2009 16:32:29 Alexander Shikoff wrote:
> Hello!
>
> I have strange behavior of pf on my 4.6 box.
>
> Filtering rules are present in pf.conf in next order:
> block in all
> pass in quick on $ext_if proto tcp from any to ($ext_if) port ssh
> pass out quick on $ext_if
> pass in quick on $ext_if no state
> pass in quick on vlan609 from vlan609:network to any no state
> pass out quick on vlan609 from any to vlan609:network no state
> pass in quick on vlan621 from 10.51.109.16/29 to any no state
> pass out quick on vlan621 from any to 10.51.109.16/29 no state queue to_Akim
> pass in quick on vlan621 from 10.51.109.40/29 to any no state
> pass out quick on vlan621 from any to 10.51.109.40/29 no state queue to_Gonta
> pass in quick on vlan622 from vlan622:network to any no state
> pass out quick on vlan622 from any to vlan622:network no state
> pass in quick on vlan664 from vlan664:network to any no state
> pass out quick on vlan664 from any to vlan664:network no state
> pass in quick on vlan781 from vlan781:network to any no state
> pass out quick on vlan781 from any to vlan781:network no state
> pass in quick on vlan783 from vlan783:network to any no state
> pass out quick on vlan783 from any to vlan783:network no state
>
> But after they loaded pfctl -sr shows another order:
> block drop in all
> pass in quick on vlan2 proto tcp from any to (vlan2) port = ssh flags S/SA keep state (if-bound)
> pass out quick on vlan2 all flags S/SA keep state (if-bound)
> pass in quick on vlan609 inet from 10.51.9.0/24 to any no state
> pass in quick on vlan621 inet from 10.51.109.16/29 to any no state
> pass in quick on vlan2 all no state
> pass out quick on vlan609 inet from any to 10.51.9.0/24 no state
> pass out quick on vlan621 inet from any to 10.51.109.16/29 no state queue to_Akim
> pass in quick on vlan621 inet from 10.51.109.40/29 to any no state
> pass out quick on vlan621 inet from any to 10.51.109.40/29 no state queue to_Gonta
> pass in quick on vlan622 inet from 10.51.109.0/28 to any no state
> pass in quick on vlan622 inet from 10.51.109.56/29 to any no state
> pass in quick on vlan781 inet from 10.53.31.0/25 to any no state
> pass in quick on vlan781 inet from 10.53.31.128/25 to any no state
> pass in quick on vlan664 inet from 10.52.14.0/24 to any no state
> pass in quick on vlan783 inet from 10.53.33.0/24 to any no state
> pass out quick on vlan622 inet from any to 10.51.109.0/28 no state
> pass out quick on vlan622 inet from any to 10.51.109.56/29 no state
> pass out quick on vlan781 inet from any to 10.53.31.0/25 no state
> pass out quick on vlan781 inet from any to 10.53.31.128/25 no state
> pass out quick on vlan664 inet from any to 10.52.14.0/24 no state
> pass out quick on vlan783 inet from any to 10.53.33.0/24 no state
>
> Does anyone know how to disable this? Thanks in advance!
1. Why do you want to disable this? Did you even notice actual problems?
2. See pf.conf(5), particularly the part about the "ruleset-optimization" option.
But better, read this manual page thoroughly, then search the mail
archives, and you'll find that you likely should not disable it.
--
Best wishes,
Vadim Zhukov
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?
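Added example (not part of the thread, and not OpenBSD's code): a small simulation of pf's first-match evaluation, used to check whether the reordering in the post can change any filtering decision. It loads a subset of the rules in the two orders shown (the pf.conf order and the order pfctl -sr printed), evaluates constructed packets under both, and lists any packet whose verdict differs. The pfctl output shows that $ext_if is vlan2 and vlan609:network is 10.51.9.0/24; the ($ext_if) address 192.0.2.1 is a constructed stand-in, since the post does not give it. queue, flags and state options are ignored because they do not affect which rule matches. The contrasting pair of overlapping quick rules at the end is also constructed, to show the case where order does matter. The knob the reply refers to is `set ruleset-optimization none` in pf.conf(5); the simulation suggests why the reply says it is usually not worth turning off.

```python
"""Simulate pf first-match ("quick") evaluation to compare two rule orders.

Constructed example: a subset of the rules from the post, in the order written
in pf.conf and in the order pfctl -sr printed after the ruleset optimizer ran.
Interface networks are resolved to the prefixes pfctl showed ($ext_if = vlan2,
vlan609:network = 10.51.9.0/24). The ($ext_if) address is a constructed value.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import product
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    direction: str               # "in" or "out"
    iface: Optional[str]         # None matches any interface ("all")
    src: Optional[str] = None    # CIDR, or None for "any"
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    quick: bool = False


@dataclass(frozen=True)
class Packet:
    direction: str
    iface: str
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every selector the rule specifies matches the packet."""
    if rule.direction != pkt.direction:
        return False
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.src is not None and ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if rule.dst is not None and ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """pf semantics: the last matching rule wins, unless a matching rule is
    'quick', which ends evaluation at once. Default with no match is pass."""
    verdict = "pass"
    for rule in rules:
        if matches(rule, pkt):
            verdict = rule.action
            if rule.quick:
                break
    return verdict


EXT_ADDR = "192.0.2.1/32"   # constructed stand-in for the address of ($ext_if)

# Subset of the post's rules, in pf.conf order.
ORIGINAL_ORDER = [
    Rule("block", "in", None),                                                  # block in all
    Rule("pass", "in", "vlan2", dst=EXT_ADDR, proto="tcp", dport=22, quick=True),
    Rule("pass", "out", "vlan2", quick=True),
    Rule("pass", "in", "vlan2", quick=True),
    Rule("pass", "in", "vlan609", src="10.51.9.0/24", quick=True),
    Rule("pass", "out", "vlan609", dst="10.51.9.0/24", quick=True),
    Rule("pass", "in", "vlan621", src="10.51.109.16/29", quick=True),
    Rule("pass", "out", "vlan621", dst="10.51.109.16/29", quick=True),
    Rule("pass", "in", "vlan621", src="10.51.109.40/29", quick=True),
    Rule("pass", "out", "vlan621", dst="10.51.109.40/29", quick=True),
]
# The same rules in the order pfctl -sr printed them.
OPTIMIZED_ORDER = [ORIGINAL_ORDER[i] for i in (0, 1, 2, 4, 6, 3, 5, 7, 8, 9)]

# Constructed contrast: two quick rules on the SAME interface whose selectors
# overlap and whose actions differ. Here the order decides the verdict.
OVERLAP_A = [
    Rule("block", "in", "vlan2", src="198.51.100.0/24", quick=True),
    Rule("pass", "in", "vlan2", quick=True),
]
OVERLAP_B = list(reversed(OVERLAP_A))


def sample_packets() -> List[Packet]:
    """Constructed packets covering every interface, both directions, addresses
    inside and outside each network, and the ssh port. vlan700 has no rules."""
    ifaces = ["vlan2", "vlan609", "vlan621", "vlan700"]
    addrs = ["192.0.2.1", "198.51.100.7", "10.51.9.5", "10.51.109.17", "10.51.109.41"]
    return [Packet(d, i, s, t, "tcp", p)
            for d, i, s, t, p in product(("in", "out"), ifaces, addrs, addrs, (22, 80))]


def differences(rules_a: List[Rule], rules_b: List[Rule],
                packets: List[Packet]) -> List[Tuple[Packet, str, str]]:
    """Packets whose verdict differs between the two rule orders."""
    out = []
    for p in packets:
        va, vb = evaluate(rules_a, p), evaluate(rules_b, p)
        if va != vb:
            out.append((p, va, vb))
    return out


if __name__ == "__main__":
    pkts = sample_packets()
    print("verdicts that differ, pf.conf order vs pfctl -sr order:",
          len(differences(ORIGINAL_ORDER, OPTIMIZED_ORDER, pkts)))
    print("verdicts that differ, overlapping quick rules swapped:",
          len(differences(OVERLAP_A, OVERLAP_B, pkts)))
```

The reordering in the post only moves quick rules bound to one interface past quick rules bound to a different interface, and no packet can match both, so the first matching rule is the same in either order; the simulation reports zero differing verdicts for that subset. The constructed overlap pair shows the opposite case, where swapping two quick rules on the same interface flips the decision for addresses in 198.51.100.0/24. A reordering that only changes position among mutually exclusive rules is a performance change, not a policy change, which is the practical reason to read pf.conf(5) before reaching for `set ruleset-optimization none`.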