On Mon, Nov 04, 2002 at 10:05:30AM -0500, jolan wrote:
> I just want to make sure I'm understanding this correctly.
>
> block-policy return
>     TCP packets are dropped with a TCP RST, UDP packets are dropped
>     with an ICMP UNREACHABLE, and all other packets are dropped
>     silently.
>
> Does this also do return-ipv6-icmp for ipv6/udp and return-rst for ipv6
> tcp?

Yes.

> Is my understanding correct in that:
>
> block-policy return
> block out log all
> block in log all
>
> is NOT equivalent to:
>
> block out log all
> block in log all
> block return-rst out log inet proto tcp all
> block return-rst in log inet proto tcp all
> block return-icmp out log inet proto udp all
> block return-icmp in log inet proto udp all
>
> since tcp/udp are not implied..? so I would have to specify:
>
> block in/out log inet proto tcp/udp all
>
> as well?

No. The first code paragraph will block all TCP, UDP, (and ICMP and
IPv6-ICMP, despite what the pf.conf(5) says,) packets in a polite way.

-- mls
