On 2010/06/13 21:01, Rod Whitworth wrote:
> On Sun, 13 Jun 2010 10:48:49 +0100, Stuart Henderson wrote:
>
> >On 2010/06/13 17:31, Rod Whitworth wrote:
> >> On Sun, 13 Jun 2010 07:44:26 +0100, Jason McIntyre wrote:
> >>
> >> >On Sun, Jun 13, 2010 at 12:36:52PM +1000, Rod Whitworth wrote:
> >> >> The rule:
> >> >> pass in on $int_if inet proto tcp to any port ftp \
> >> >> rdr-to 127.0.0.1 port 8021
> >> >>
> >> >> in the example ruleset on http://www.openbsd.org/faq/pf/example1.html
> >> >> does not work for active ftp from NATted hosts.
> >> >>
> >> >> There are three solutions which all work.
> >> >>
> >> >> A> make it "pass in quick ....."
> >> >> B> move the rule as-is to the end of the file. (Last match wins......)
> >> >> C.> move the rule up to the match rules and change "pass" to "match"
> >> >>
> >> >> Which do you prefer?
> >> >>
> >> >
> >> >if the point of that rule is the same as the point of the rule in
> >> >ftp-proxy(8), then the rule should really match the man page (which uses
> >> >"quick") or vice versa.
> >>
> >> Note that the ftp-proxy manpage does "pass in quick" with no interface
> >> limitation......
> >
> >So what do you think, maybe 'pass in quick on !egress...' ?
> >
>
> Hmmm, now that I'm getting the hang of match, and it gets a lot of
> exposure in man pf.conf, I'm half inclined to change both the example
> ruleset AND ftp-proxy manpage to accept the spirit of the pf.conf
> descriptions.
>
> Particularly because it is another example of match usage that
> clarifies the pf.conf docs.
>
> The more examples the better, as long as they all do individual tasks.
>
> Of course you guys decide.
match is a bit tricky when you're giving sample rules, because it can be affected by rules either side of it - from that perspective 'pass quick' rules are quite attractive. I'll look at a diff later if no one beats me to it. :)
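The mechanics the thread turns on (last match wins, quick ends evaluation, a pass rule's rdr-to only counts if that rule is the winner, a match rule's rdr-to sticks) are easy to get wrong by reading pf.conf alone. The following is an added toy model written for this page, not pf's code and not anything from the FAQ or ftp-proxy(8); the interface names `int_if` and `egress`, the rule labels and the rulesets are constructed to mirror the rules quoted above. It checks the original ordering against the three fixes A, B and C, plus the manpage-style rule with no interface restriction that Rod and Stuart mention.

```python
"""Toy model of pf rule evaluation, added to illustrate the thread above.
NOT pf's own code; it models only the behaviour the thread is about:
  - pass/block: the last matching rule wins, unless a matching rule is
    'quick', which ends evaluation on the spot;
  - rdr-to on a pass rule takes effect only if that rule is the final winner;
  - match rules never decide pass/block, but their rdr-to sticks to the
    packet and survives to whichever pass rule finally wins.
Interface names ('int_if', 'egress'), labels and rulesets are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str
    dport: int

@dataclass(frozen=True)
class Rule:
    label: str                      # abbreviated pf.conf text, for reporting
    action: str                     # "pass", "block" or "match"
    quick: bool = False
    iface: Optional[str] = None     # None: any interface
    proto: Optional[str] = None     # None: any protocol
    dport: Optional[int] = None     # None: any destination port
    rdr_to: Optional[Tuple[str, int]] = None

    def matches(self, pkt: Packet) -> bool:
        return ((self.iface is None or self.iface == pkt.iface)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))

def evaluate(rules: List[Rule], pkt: Packet):
    """Return (action, rdr_to applied, label of the winning rule) for pkt."""
    winner: Optional[Rule] = None
    sticky_rdr = None               # rdr-to attached by a match rule
    for rule in rules:
        if not rule.matches(pkt):
            continue
        if rule.action == "match":
            if rule.rdr_to is not None:
                sticky_rdr = rule.rdr_to
            continue
        winner = rule               # last matching pass/block wins ...
        if rule.quick:
            break                   # ... unless it is quick
    if winner is None:              # no pass/block matched: pf passes by default
        return "pass", sticky_rdr, None
    rdr = winner.rdr_to if winner.rdr_to is not None else sticky_rdr
    return winner.action, rdr, winner.label

PROXY = ("127.0.0.1", 8021)
FTP = dict(proto="tcp", dport=21, rdr_to=PROXY)
BLOCK = Rule("block in log", "block")
PASS_INT = Rule("pass in on $int_if", "pass", iface="int_if")

# The slice of the FAQ ruleset the thread is about: the rdr-to rule is
# followed by a broader pass rule on the same interface.
ORIGINAL = [BLOCK, Rule("pass in on $int_if ... port ftp rdr-to", "pass",
                        iface="int_if", **FTP), PASS_INT]
# A> add 'quick'
FIX_A = [BLOCK, Rule("pass in quick on $int_if ... port ftp rdr-to", "pass",
                     quick=True, iface="int_if", **FTP), PASS_INT]
# B> move the unchanged rule to the end of the file
FIX_B = [BLOCK, PASS_INT, ORIGINAL[1]]
# C> move it up with the match rules and change 'pass' to 'match'
FIX_C = [Rule("match in on $int_if ... port ftp rdr-to", "match",
              iface="int_if", **FTP), BLOCK, PASS_INT]
# ftp-proxy(8) style: quick, but with no interface restriction at all
MANPAGE = [BLOCK, Rule("pass in quick inet proto tcp to any port ftp rdr-to",
                       "pass", quick=True, **FTP), PASS_INT]

FTP_FROM_LAN = Packet("int_if", "tcp", 21)
WEB_FROM_LAN = Packet("int_if", "tcp", 80)
FTP_FROM_WAN = Packet("egress", "tcp", 21)

def redirected(rules: List[Rule], pkt: Packet) -> bool:
    """True if pkt is passed AND handed to the ftp-proxy listener."""
    action, rdr, _ = evaluate(rules, pkt)
    return action == "pass" and rdr == PROXY

if __name__ == "__main__":
    sets = [("original", ORIGINAL), ("A quick", FIX_A), ("B at end", FIX_B),
            ("C match", FIX_C), ("ftp-proxy(8)", MANPAGE)]
    for name, rules in sets:
        for pkt in (FTP_FROM_LAN, WEB_FROM_LAN, FTP_FROM_WAN):
            print(f"{name:13} {pkt.iface:7} :{pkt.dport:<3} -> {evaluate(rules, pkt)}")
```

Running it shows the original ordering passing LAN ftp via `pass in on $int_if` with no redirection, all three fixes redirecting it to 127.0.0.1:8021, and the interface-less manpage rule also redirecting ftp that arrives on `egress`, which is what an `on $int_if` or `on !egress` qualifier would prevent.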
