On Fri, Dec 01, 2006 at 02:14:14PM +1300, Russell Fulton wrote:

> pass in quick on fxp0 all allow-opts
>
> Am I correct in thinking that this line effectively passes *all* traffic
> in on fxp0 with no more checking because of the 'quick' option?

Yes, it does. The rule is meant to illustrate the syntax of the allow-opts
option (i.e. where in the rule to place it) with an example.

> Surely in the context of the FAQ this rule should not have quick so that
> subsequent block rules will take effect.

Removing the quick option would, in this case, not have the desired effect,
either. Adding the non-quick rule at the beginning would have NO effect at
all, since ruleset evaluation for any packet (blocked or passed) would match
subsequent rules. Only the last matching rule matters, and whether that last
matching rule has allow-opts set or not.

If you expect packets with IP options on any kind of connection you want to
pass, you actually have to add allow-opts to ALL your existing pass rules.
Most people see legitimate packets with IP options only for a few kinds of
connections (say, between specific peers, or specific ports), so it's
easier/safer to add allow-opts only to specific rules matching those packets.

I agree the example in the FAQ is not helpful in making that clear. But
simply removing quick from it will not be much better.

In general, all the one-line examples in the FAQ are not meant as building
blocks that you can simply copy/paste into larger rulesets mechanically. I'm
pretty sure this is not the only case where the one-liner only illustrates
the syntax, and the effect of inserting it into complex rulesets is
non-trivial.

If you, or anyone else, can suggest a sentence or paragraph to add to the
FAQ that makes this clear, please do.

Daniel
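To make the evaluation order concrete, the following is an added toy model of pf's filter decision (it is not pf's code and not part of this thread). It encodes the rules described above: the whole ruleset is walked, the last matching rule decides unless a matching rule carries quick, and a packet with IP options is only passed when the deciding pass rule has allow-opts. It then runs three constructed rulesets: the FAQ one-liner pasted above a block rule, the same line with quick removed, and allow-opts placed on the specific pass rule instead. The interface name, ports and packets are constructed sample values.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    iface: str
    direction: str            # "in" or "out"
    proto: str                # "tcp", "udp", ...
    dport: int
    ip_options: bool = False  # packet carries IPv4 options


@dataclass
class Rule:
    action: str                    # "pass" or "block"
    direction: str                 # "in" or "out"
    iface: Optional[str] = None    # None: any interface
    proto: Optional[str] = None    # None: any protocol ("all")
    dport: Optional[int] = None    # None: any destination port
    quick: bool = False
    allow_opts: bool = False

    def matches(self, pkt: Packet) -> bool:
        return (self.direction == pkt.direction
                and self.iface in (None, pkt.iface)
                and self.proto in (None, pkt.proto)
                and self.dport in (None, pkt.dport))


def evaluate(ruleset: List[Rule], pkt: Packet) -> str:
    """Toy model of pf's decision for one packet (not pf's implementation).

    The ruleset is walked top to bottom; the LAST matching rule decides,
    unless a matching rule carries 'quick', which stops evaluation there.
    A packet with IP options is dropped unless the deciding rule is a
    'pass' rule with 'allow-opts'.  With no matching rule at all the
    packet passes (pf's default when the ruleset has no 'block all').
    """
    deciding: Optional[Rule] = None
    for rule in ruleset:
        if rule.matches(pkt):
            deciding = rule
            if rule.quick:
                break
    if deciding is None:
        return "pass"
    if deciding.action == "pass" and pkt.ip_options and not deciding.allow_opts:
        return "block"  # matched a pass rule, but IP options are not allowed by it
    return deciding.action


# Constructed sample packets arriving on fxp0
TELNET_WITH_OPTS = Packet("fxp0", "in", "tcp", 23, ip_options=True)
HTTP_WITH_OPTS = Packet("fxp0", "in", "tcp", 80, ip_options=True)
HTTP_PLAIN = Packet("fxp0", "in", "tcp", 80)


def faq_line_with_quick() -> dict:
    """The FAQ one-liner pasted verbatim above a block rule: quick wins,
    so the later block rule is never consulted."""
    ruleset = [
        Rule("pass", "in", iface="fxp0", quick=True, allow_opts=True),  # pass in quick on fxp0 all allow-opts
        Rule("block", "in", iface="fxp0", proto="tcp", dport=23),       # block in on fxp0 proto tcp to port 23
    ]
    return {"telnet_opts": evaluate(ruleset, TELNET_WITH_OPTS)}


def faq_line_without_quick() -> dict:
    """Same one-liner with quick removed at the top: it is never the last
    match for packets a later rule covers, so its allow-opts changes nothing."""
    ruleset = [
        Rule("pass", "in", iface="fxp0", allow_opts=True),              # pass in on fxp0 all allow-opts
        Rule("block", "in", iface="fxp0", proto="tcp", dport=23),       # block in on fxp0 proto tcp to port 23
        Rule("pass", "in", iface="fxp0", proto="tcp", dport=80),        # pass in on fxp0 proto tcp to port 80
    ]
    return {
        "telnet_opts": evaluate(ruleset, TELNET_WITH_OPTS),
        "http_opts": evaluate(ruleset, HTTP_WITH_OPTS),
        "http_plain": evaluate(ruleset, HTTP_PLAIN),
    }


def allow_opts_on_specific_rule() -> dict:
    """allow-opts on the pass rule that actually decides for port 80:
    the HTTP packet with options passes, the telnet one stays blocked."""
    ruleset = [
        Rule("block", "in", iface="fxp0", proto="tcp", dport=23),
        Rule("pass", "in", iface="fxp0", proto="tcp", dport=80, allow_opts=True),  # pass in on fxp0 proto tcp to port 80 allow-opts
    ]
    return {
        "telnet_opts": evaluate(ruleset, TELNET_WITH_OPTS),
        "http_opts": evaluate(ruleset, HTTP_WITH_OPTS),
        "http_plain": evaluate(ruleset, HTTP_PLAIN),
    }


if __name__ == "__main__":
    print("FAQ line with quick:   ", faq_line_with_quick())
    print("FAQ line without quick:", faq_line_without_quick())
    print("allow-opts on port 80: ", allow_opts_on_specific_rule())
```

The second scenario is the one the mail warns about: the non-quick allow-opts rule at the top is overridden by the later port-80 pass rule, so an HTTP packet carrying IP options is still dropped even though a pass rule with allow-opts exists in the ruleset.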
