Quote:
Does it matter what order I have placed the filtering rules in?
Yes.
- For standard rules, the last matching rule applies.
- For "quick" rules, if the rule matches, it is applied and no later rules are evaluated.
Quote:
I have set block policy to drop, is it more secure to have it set to return instead?
I believe that there is exactly the same level of security to drop or return, and that return is more polite, as it allows the sending system to record a rejection without waiting for a timeout. A "drop" is silent, no response is sent. Some may believe that a "drop" is more secure, as there is no response, but as all IP addresses on the Internet are under constant attack, with or without responses, I don't believe there is any security improvement using drop.
Quote:
I have read somewhere it consumes more resources to have it set to drop. Am I missing anything?
As mentioned above, drop requires the sending system to wait until a timeout is reached before releasing resources, which is why I believe return is more polite. It is my understanding there is no performance difference on the receiving system running PF.
You asked for advice on your pf.conf. I noticed:
- You are using RFC 1918 addresses (192.168) without defining any Network Address Translation rules. This will likely be a problem.
- Your $internal_network and $external_network macros are defined but never used. This should not cause any problems; it merely tends to indicate you built your pf.conf file with copy/paste.
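An illustration of the points above (last-match ordering, "quick", block-policy, NAT for RFC 1918 space, and macros that are actually used), written here as an added example and not the poster's pf.conf; interface names, the internal network, and the single blocked address are assumed values.

```pf
# Added example, not the original poster's pf.conf.
# Assumed values: em0 faces the Internet, em1 faces the LAN,
# 192.168.1.0/24 is the RFC 1918 LAN, 203.0.113.50 is a constructed
# (RFC 5737 documentation) address used only to show "quick".
ext_if = "em0"
int_if = "em1"
internal_network = "192.168.1.0/24"

# block-policy return: blocked packets get a TCP RST / ICMP unreachable
# instead of a silent drop, so the sender does not wait for a timeout.
set block-policy return
set skip on lo

# RFC 1918 source addresses must be translated before leaving em0,
# otherwise replies never come back.
match out on $ext_if inet from $internal_network to any nat-to ($ext_if)

# "quick": evaluation stops at the first matching quick rule, so this
# host can never reach the "pass ... port 22" rule further down.
block quick from 203.0.113.50

# Standard (non-quick) rules: the LAST matching rule decides, so a
# general "block" placed first and specific "pass" rules placed later
# behave as intended.
block all
pass out on $ext_if inet keep state
pass in on $int_if inet from $internal_network to any keep state
pass in on $ext_if inet proto tcp to ($ext_if) port 22 keep state
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, and `pfctl -sr` prints the loaded rules in the order PF evaluates them.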