First off, thank you Daniel for a comprehensive answer!

Daniel Hartmeier wrote:
> On Fri, Dec 01, 2006 at 02:14:14PM +1300, Russell Fulton wrote:
>
>> pass in quick on fxp0 all allow-opts
>>
>> Am I correct in thinking that this line effectively passes *all* traffic
>> in on fxp0 with no more checking because of the 'quick' option?
>
> Yes, it does.
>
> The rule is meant to illustrate the syntax of the allow-opts option
> (i.e. where in the rule to place it) with an example.

Right, I eventually came to that conclusion myself.

BTW we found out what our firewall normally does real quick. Within two
hours we had 6 machines compromised by 'slammer' style attacks -- six
machines that should have been patched but were not and which pf had
protected very well until our bungle.

>> Surely in the context of the FAQ this rule should not have quick so that
>> subsequent block rules will take effect.
>
> Removing the quick option would, in this case, not have the desired
> effect, either. Adding the non-quick rule at the beginning would have NO
> effect at all, since ruleset evaluation for any packet (blocked or
> passed) would match subsequent rules. Only the last matching rule
> matters, and whether that last matching rule has allow-opts set or not.

Doh! Of course.

> If you, or anyone else, can suggest a sentence or paragraph to add to
> the FAQ that makes this clear, please do.

I think Karl's idea of simply adding a qualification to the rule makes it
clear this is a specific example and not something generic that should be
cut and pasted without thought.

Cheers and thanks, Russell
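The two points Daniel makes above (a matching `quick` rule ends evaluation on the spot; otherwise only the last matching rule decides, including whether `allow-opts` applies) are easy to get wrong when reading a ruleset. The following is an added illustration, not code from this thread or from pf itself: a deliberately simplified Python model of pf's evaluation order run over three constructed rulesets. Only the line `pass in quick on fxp0 all allow-opts` comes from the FAQ; the `block in on fxp0 all` default-deny, the port-22 pass rule, the destination port 9999 and the `Rule`/`Packet`/`evaluate` names are all assumptions made for the example. Real pf matches on far more than direction, interface and destination port; this model keeps just enough to show the ordering semantics.

```python
"""Toy model of pf ruleset evaluation (simplified, for illustration only):
last matching rule wins, unless a matching rule carries 'quick', which
stops evaluation immediately. Packets carrying IP options are blocked
unless the deciding pass rule has allow-opts."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    direction: str = "in"            # "in" or "out"
    iface: Optional[str] = None      # None matches any interface
    dst_port: Optional[int] = None   # None matches any port ("all")
    quick: bool = False
    allow_opts: bool = False


@dataclass(frozen=True)
class Packet:
    direction: str
    iface: str
    dst_port: int
    has_ip_options: bool = False


def matches(rule: Rule, pkt: Packet) -> bool:
    """Minimal match: direction, optional interface, optional destination port."""
    if rule.direction != pkt.direction:
        return False
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[Rule]]:
    """Return (verdict, deciding rule). Walk the whole list and remember the
    last match; a matching 'quick' rule ends the walk right there."""
    last = None
    for rule in rules:
        if matches(rule, pkt):
            last = rule
            if rule.quick:
                break
    if last is None:
        return "pass", None          # pf's default when nothing matches
    if last.action == "pass" and pkt.has_ip_options and not last.allow_opts:
        return "block", last         # options are only allowed via allow-opts
    return last.action, last


# Constructed rulesets; only the first line of FAQ_AS_WRITTEN is the FAQ's own.
FAQ_AS_WRITTEN = [
    Rule("pass", iface="fxp0", quick=True, allow_opts=True),   # pass in quick on fxp0 all allow-opts
    Rule("block", iface="fxp0"),                               # block in on fxp0 all (constructed)
    Rule("pass", iface="fxp0", dst_port=22),                   # pass in on fxp0 ... port 22 (constructed)
]
QUICK_REMOVED = [                       # same rule at the top, but without quick
    Rule("pass", iface="fxp0", allow_opts=True),
    Rule("block", iface="fxp0"),
    Rule("pass", iface="fxp0", dst_port=22),
]
ALLOW_OPTS_ON_LAST_MATCH = [            # allow-opts placed on the rule that actually decides
    Rule("block", iface="fxp0"),
    Rule("pass", iface="fxp0", dst_port=22, allow_opts=True),
]

# Constructed sample packets arriving on fxp0.
UNWANTED = Packet("in", "fxp0", dst_port=9999)
SSH_WITH_OPTIONS = Packet("in", "fxp0", dst_port=22, has_ip_options=True)


def verdicts() -> dict:
    """Summarise how each constructed ruleset treats the two sample packets."""
    return {
        "faq_as_written/unwanted": evaluate(FAQ_AS_WRITTEN, UNWANTED)[0],
        "quick_removed/unwanted": evaluate(QUICK_REMOVED, UNWANTED)[0],
        "quick_removed/ssh_with_options": evaluate(QUICK_REMOVED, SSH_WITH_OPTIONS)[0],
        "allow_opts_on_last_match/unwanted": evaluate(ALLOW_OPTS_ON_LAST_MATCH, UNWANTED)[0],
        "allow_opts_on_last_match/ssh_with_options": evaluate(ALLOW_OPTS_ON_LAST_MATCH, SSH_WITH_OPTIONS)[0],
    }


if __name__ == "__main__":
    for case, verdict in verdicts().items():
        print(f"{case:45s} -> {verdict}")
```

Read top to bottom, the output reproduces the thread: with `quick` the first rule decides for every inbound packet on fxp0, so the later block never runs; without `quick`, the same rule at the top decides nothing at all, because the block rule and the port-22 rule are later matches, and the port-22 packet with IP options is still dropped since the deciding rule lacks `allow-opts`. Only when `allow-opts` sits on the rule that is the last match for that traffic does it have any effect.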
