Dear Peter, indeed last match wins, but both the other rules have the quick keyword. So if there was a match, it should happen. So in this case, why does this order matter?
Panagiotis Galiotos

On Sat, Jul 30, 2016 at 2:30 PM, Peter N. M. Hansteen <pe...@bsdly.net> wrote:
>
> On 07/30/16 06:08, Aaron Hofer wrote:
> > Trying to replicate some functionality with PF that I had with a Cisco
> > ASA. I'm trying to explicitly allow echo requests outbound and only
> > echo replies inbound but it's not working. Here's my current rules for
> > this, but I can't ping anything beyond the external interface though.
> >
> > pass out quick on egress inet proto icmp icmp-type echoreq no state
> > pass in quick on egress inet proto icmp icmp-type echorep no state
> > block quick on egress inet proto icmp all
>
> Last match wins, so if you move the block up before the pass rules, you
> should see a difference.
>
> --
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
> "Remember to set the evil bit on all malicious network traffic"
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
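To make the interaction of "last match wins" and the quick keyword concrete, here is an added example (my own, not from the thread or from pf itself) that models pf's rule-evaluation semantics on the three rules quoted above; interface, address family and state are left out, and the rule/packet classes are assumptions of the model. It also shows that moving the block rule first only helps if that rule drops quick.

```python
# Added example (not from the thread): a small model of how pf picks the
# winning rule.  Only direction, protocol and ICMP type are modelled.
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    action: str       # "pass" or "block"
    direction: str    # "in", "out" or "any"
    proto: str        # "icmp" or "any"
    icmp_type: str    # "echoreq", "echorep" or "any"
    quick: bool = False

@dataclass(frozen=True)
class Packet:
    direction: str
    proto: str
    icmp_type: str = ""   # empty for non-ICMP packets

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction in ("any", pkt.direction)
            and rule.proto in ("any", pkt.proto)
            and rule.icmp_type in ("any", pkt.icmp_type))

def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the deciding rule).  pf walks the whole
    ruleset and the LAST matching rule wins, except that a matching rule
    with 'quick' is final.  No match at all means pf's default: pass."""
    winner: Tuple[str, Optional[int]] = ("pass", None)
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            winner = (rule.action, i)
            if rule.quick:
                break
    return winner

# The three rules as posted in the thread (all carry "quick").
THREAD_RULES = [
    Rule("pass", "out", "icmp", "echoreq", quick=True),
    Rule("pass", "in", "icmp", "echorep", quick=True),
    Rule("block", "any", "icmp", "any", quick=True),
]

# Block rule moved first, as the reply suggests.  It must then lose "quick",
# otherwise it is final for every ICMP packet and the pass rules never run.
BLOCK_FIRST = [
    Rule("block", "any", "icmp", "any"),
    Rule("pass", "out", "icmp", "echoreq", quick=True),
    Rule("pass", "in", "icmp", "echorep", quick=True),
]
```

In both orderings an outbound echo request and an inbound echo reply are passed by a quick pass rule, so the model alone does not explain the failed ping; checking with pfctl which rule actually matches on the live system is the next diagnostic step.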