Ohh,
I cleaned up a ruleset and added some quicks to sets of 'pass in on
internal', 'match with nat-to', 'pass out on external' rules.
I managed to put a quick directive behind a match (i.e. match quick ...)
and that is a VERY BAD thing to do.
The definition of the quick directive from the man page of pf.conf:
> If a packet matches a rule which has the quick option set, this rule is
> considered the last matching rule, and evaluation of subsequent rules is
> skipped.
And from the match directive:
> match
> The packet is matched. This mechanism is used to provide fine grained
> filtering without altering the block/pass state of a packet. ...
Thus if one applies 'quick' to a match rule one could end up consigning packets
to 'packet purgatory'? Which is what I did.
Is 'match quick' ever valid?
Scott Donaldson
Saskatoon, SK
Canada
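The ruleset shape described above, as an added example that is not part of the original post (the interface names, the LAN prefix and the default-deny baseline are assumed placeholders): the broken `match quick` rule is kept as a comment beside the working form.

```pf
# Added example, not from the original post. Interface names and the
# 192.0.2.0/24 LAN are assumed placeholders.
ext_if = "em0"
int_if = "em1"
lan    = "192.0.2.0/24"

# Default-deny baseline: every packet starts out in the "block" state and
# needs a later pass rule to flip it to "pass" (last matching rule wins).
block log all

# --- Broken form (commented out): quick on a match rule -----------------
# quick makes this the LAST matching rule, so evaluation stops here. match
# never changes the block/pass state, so the packet keeps the "block" state
# from "block log all" and is dropped before the pass rules below are ever
# reached; nat-to is never applied because no state is created. This is the
# "packet purgatory" described in the post.
#
# match quick out on $ext_if inet from $lan nat-to ($ext_if)

# --- Working form: match without quick, quick only on pass rules --------
# match records the nat-to translation and lets evaluation continue, so the
# "pass out" rule below is reached, creates state, and the translation is
# applied to that state.
match out on $ext_if inet from $lan nat-to ($ext_if)

pass in  quick on $int_if inet from $lan to any
pass out quick on $ext_if inet from any to any
```

Check the file with `pfctl -nf /etc/pf.conf` before loading; with the commented match rule put back in, LAN traffic leaving on `$ext_if` should show up on `pflog0` (e.g. `tcpdump -n -e -ttt -i pflog0`) as blocked by the `block log all` rule rather than as translated, passed traffic.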