Hello,
I'm trying to grasp the following two blocks of rules. If I understand
correctly, the main difference is that the first block of rules dismisses
$priv_nets by means of a quick drop, which means that the packet is not checked
by the following rules, while in the second set of rules $priv_nets is checked
until the end (and blocked).
But which set is more efficient?
# external interface ($ext_if)
block all
block drop in log quick on $ext_if from $priv_nets to any
block drop out log quick on $ext_if from any to $priv_nets
pass in on $ext_if inet proto tcp from any to ($ext_if) port $ext_tcp \
    flags S/SA keep state
pass in on $ext_if inet proto icmp from any to ($ext_if) icmp-type \
    $ext_icmp keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
# external interface ($ext_if)
block all
pass in on $ext_if inet proto tcp from !$priv_nets to ($ext_if) port \
    $ext_tcp flags S/SA keep state
pass in on $ext_if inet proto icmp from !$priv_nets to ($ext_if) icmp-type \
    $ext_icmp keep state
pass out on $ext_if from any to !$priv_nets keep state
Kind regards,
Björn
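The rule-evaluation order the question turns on can be made concrete with a small model. pf reads a ruleset top to bottom, the last matching rule decides the packet, and a matching rule marked quick ends evaluation immediately. The script below is an added illustration and is not part of the original post; it assumes expansions for the $priv_nets, $ext_tcp and $ext_icmp macros and an address for ($ext_if), uses constructed packets rather than captured traffic, and deliberately leaves out the state table (once keep state has created a state entry, later packets of that connection never consult the ruleset at all) and pf's skip-step optimisation, so the "rules examined" counts are an upper bound.

```python
"""Toy model of pf rule evaluation (added example, not from the post).
pf reads a ruleset top to bottom: the LAST rule that matches decides the
packet, except that a matching rule marked 'quick' ends evaluation at once.
State lookups are left out: once 'keep state' has created a state entry,
later packets of that connection never consult the ruleset."""
import ipaddress
from dataclasses import dataclass
from typing import Callable

# Assumed expansions of the macros in the posted rulesets (not from the post).
PRIV_NETS = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EXT_IF_ADDR = "203.0.113.10"     # assumed address behind ($ext_if)
EXT_TCP = {22, 80, 443}          # assumed $ext_tcp
EXT_ICMP = {8}                   # assumed $ext_icmp (echo request)


@dataclass
class Packet:
    direction: str          # "in" or "out" on $ext_if
    proto: str              # "tcp", "udp", "icmp", "gre", ...
    src: str
    dst: str
    dport: int = 0          # TCP/UDP destination port
    icmp_type: int = -1
    syn_only: bool = False  # TCP flags S/SA: SYN set, ACK clear


@dataclass
class Rule:
    text: str
    action: str                      # "block" or "pass"
    match: Callable[[Packet], bool]
    quick: bool = False


def in_priv(addr: str) -> bool:
    a = ipaddress.ip_address(addr)
    return any(a in net for net in PRIV_NETS)


def evaluate(rules, pkt):
    """Return (verdict, text of the deciding rule, number of rules examined)."""
    verdict, winner, examined = "block", "(no match)", 0
    for r in rules:
        examined += 1
        if r.match(pkt):
            verdict, winner = r.action, r.text   # last match wins ...
            if r.quick:
                break                            # ... unless it is 'quick'
    return verdict, winner, examined


def to_ext_tcp(p):   # "proto tcp ... to ($ext_if) port $ext_tcp flags S/SA"
    return (p.direction == "in" and p.proto == "tcp" and p.dst == EXT_IF_ADDR
            and p.dport in EXT_TCP and p.syn_only)


def to_ext_icmp(p):  # "proto icmp ... to ($ext_if) icmp-type $ext_icmp"
    return (p.direction == "in" and p.proto == "icmp" and p.dst == EXT_IF_ADDR
            and p.icmp_type in EXT_ICMP)


# First ruleset from the post: explicit 'quick' drops for $priv_nets.
RULESET_1 = [
    Rule("block all", "block", lambda p: True),
    Rule("block drop in log quick from $priv_nets", "block",
         lambda p: p.direction == "in" and in_priv(p.src), quick=True),
    Rule("block drop out log quick to $priv_nets", "block",
         lambda p: p.direction == "out" and in_priv(p.dst), quick=True),
    Rule("pass in tcp to ($ext_if) port $ext_tcp", "pass", to_ext_tcp),
    Rule("pass in icmp to ($ext_if)", "pass", to_ext_icmp),
    Rule("pass out tcp all modulate state", "pass",
         lambda p: p.direction == "out" and p.proto == "tcp" and p.syn_only),
    Rule("pass out { udp, icmp } all", "pass",
         lambda p: p.direction == "out" and p.proto in ("udp", "icmp")),
]

# Second ruleset from the post: $priv_nets excluded inside the pass rules.
RULESET_2 = [
    Rule("block all", "block", lambda p: True),
    Rule("pass in tcp from !$priv_nets to ($ext_if)", "pass",
         lambda p: to_ext_tcp(p) and not in_priv(p.src)),
    Rule("pass in icmp from !$priv_nets to ($ext_if)", "pass",
         lambda p: to_ext_icmp(p) and not in_priv(p.src)),
    Rule("pass out to !$priv_nets", "pass",
         lambda p: p.direction == "out" and not in_priv(p.dst)),
]

# Constructed sample packets (not captured traffic).
SAMPLES = {
    "https from internet": Packet("in", "tcp", "198.51.100.7", EXT_IF_ADDR,
                                  dport=443, syn_only=True),
    "https spoofed from 10/8": Packet("in", "tcp", "10.1.2.3", EXT_IF_ADDR,
                                      dport=443, syn_only=True),
    "outbound to 192.168/16": Packet("out", "tcp", EXT_IF_ADDR, "192.168.1.5",
                                     dport=80, syn_only=True),
    "outbound gre": Packet("out", "gre", EXT_IF_ADDR, "198.51.100.7"),
}


def compare(name):
    """Evaluate one sample packet against both rulesets."""
    return evaluate(RULESET_1, SAMPLES[name]), evaluate(RULESET_2, SAMPLES[name])


if __name__ == "__main__":
    for name in SAMPLES:
        (v1, w1, n1), (v2, w2, n2) = compare(name)
        print(f"{name:24} set1: {v1:5} after {n1} rules ({w1})")
        print(f"{'':24} set2: {v2:5} after {n2} rules ({w2})")
```

Running it shows the short-circuit the question describes: a spoofed packet from 10/8 is decided by the second rule of the first set, whereas the second set walks every rule and falls back to block all. It also surfaces a difference in behaviour that is easy to miss when only looking at $priv_nets: the first set only passes TCP, UDP and ICMP out, while "pass out on $ext_if from any to !$priv_nets" in the second set passes any protocol out, so the two sets are not equivalent for, say, outbound GRE. In practice the per-packet cost of either ruleset is dwarfed by the fact that keep state lets established connections bypass the ruleset entirely.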