Hello,

Functionally pf is OK: packets are blocked or passed according to what's expected. But when I use systat for live examination of what happens amongst the rules, there is no hit on the match rules with the IP list, while there is on the relevant block rule.

Did someone notice such behaviour, or did I miss something once again? Google and others only output some garbage about this question.

My pf is organised around a header pf.conf which calls sub pf files and puts each of them in an anchor (one for IPv4 WAN, one for IPv4 local, one for IPv6 WAN, etc.). It is organised with a lot of match rules and a few block/pass rules. (One list to rule them all, One match to find them, One block to bring them all and in the darkness bind them)

I changed the order of rules and anchors: no effect. What I currently use is here:

(The rogueIPs list is automatically built from several reliable sources and processed to remove duplicates; annoyers is my manually fed table.)

table <rogueIPs> persist file "/etc/rogueIPs.tbl" counters
table <annoyers_v4> persist file "/etc/annoyers.tbl" counters

match in on $EXIT inet from { <rogueIPs>, <annoyers_v4> } to any tag "ROGUED:$if"
match out on $EXIT inet from any to { <rogueIPs>, <annoyers_v4> } tag "ROGUED:$if"

block return quick on $EXIT inet tagged "ROGUED:$if"

Regards,
Eric.
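As an added example (not Eric's actual configuration), here is a minimal header pf.conf using the layout described above, with the sub-file rules folded inline into a named anchor and each rule given a label so its counters can be read back per rule. The interface name, anchor name, labels and file paths are assumed placeholders.

```pf
# Added example, not the original poster's config. Interface, anchor name,
# labels and table file paths are assumed placeholders.
EXIT = "em0"

# Tables with per-address counters; the files are loaded once and the
# tables survive rule reloads because of "persist".
table <rogueIPs>    persist file "/etc/rogueIPs.tbl"  counters
table <annoyers_v4> persist file "/etc/annoyers.tbl"  counters

# IPv4 WAN rules live in their own anchor, evaluated only for inet
# packets on $EXIT. In the original layout this block is a separate file
# loaded into the anchor; here it is written inline for brevity.
anchor "wan4" on $EXIT inet {
    # match rules only set the tag; nothing is blocked here.
    match in  from { <rogueIPs>, <annoyers_v4> } to any \
        tag "ROGUED" label "rogue-match-in"
    match out from any to { <rogueIPs>, <annoyers_v4> } \
        tag "ROGUED" label "rogue-match-out"

    # The single block rule acts on the tag set by the match rules.
    block return quick tagged "ROGUED" label "rogue-block"
}

# Remaining traffic on the exit interface (placeholder policy).
pass on $EXIT inet keep state
```

With this loaded, `pfctl -a '*' -vvsr` lists the rules inside every anchor with their evaluation and packet counters, `pfctl -sl` summarises hits per label, and `pfctl -t rogueIPs -T show -v` shows the per-address counters of the table itself.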
