On 2011-01-30, Henning Brauer <lists-open...@bsws.de> wrote:
> * Jason McIntyre <j...@kerhand.co.uk> [2011-01-30 16:37]:
>> ok, so that's not so bad. in a way we're already there: pf.conf(5) notes
>> in PACKET FILTERING first:
>>
>> For block and pass, the last matching rule decides what
>> action is taken; if no rule matches the packet, the default
>> action is to pass the packet.
>>
>> and then:
>>
>> By default pf(4) filters packets statefully: the first time
>> a packet matches a pass rule, a state entry is created;
>>
>> but we do not explicitly say that if no rule matches, a packet is passed
>> effectively with "no state" applied. is that sufficiently important that
>> we should say it?
>
> I don't think so.
>
I disagree, I think it is worth mentioning explicitly - I have seen a few people run into problems because they don't realise the implicit rule is effectively "pass flags any no state".
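As an added illustration (not part of the thread), the following pf.conf fragment writes out the implicit default the message describes and contrasts it with an explicit default-deny ruleset; the interface group name egress and the port numbers are assumed for the example.

```conf
# Constructed example, not from the original thread.
#
# What pf does when NO rule matches a packet, written as a rule.
# This is the behaviour the thread is discussing: the packet is passed,
# with no TCP flag check and no state entry, so replies are evaluated
# rule by rule again instead of matching a state.
#
#     pass flags any no state
#
# A ruleset that relies on this never sees the implicit rule in
# "pfctl -sr", which is why it surprises people. Making the default
# explicit removes the ambiguity:

set skip on lo

# Explicit default: anything not matched by a later rule is dropped,
# so there is no path through the filter without a state entry.
block all

# Stateful pass rules. "keep state" is the default for pass rules,
# so each of these creates a state on the first matching packet and
# return traffic is handled by the state table, not the rule list.
pass out on egress proto { tcp udp } from (egress) to any
pass in  on egress proto tcp from any to (egress) port 22
```

With "block all" in place, the only packets that pass are those that matched a pass rule and therefore have state; nothing falls through to the implicit stateless pass.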