Quote:
Originally Posted by jggimi
jggimi's right on the money. When PF receives a packet, it goes line by line looking for a rule to apply it to - but it doesn't stop just because it finds one. It keeps going and looks for any other rules that might apply, and finally makes a decision on what to do at the end of pf.conf. The only way to prevent this from happening is the quick rule, i.e.
Code:
# "quick": PF stops evaluating further rules for any packet that matches this one
pass in quick on $int_if from any to $int_if port www
Personally, I always build my pf.conf file with the block rule at the top - and usually with a nice simple
I can build my exceptions (say, my Vonage VoIP line) after the fact, and if something isn't getting through that's supposed to be, I know it must be because I haven't set up a pass rule correctly.
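A minimal pf.conf in the style the post describes (default block at the top, exceptions below it, quick where the decision must be final), added here as an illustration and not taken from the original thread. The interface names, the VoIP host address and the example network are constructed placeholders, and the port numbers are assumptions for the sake of the example.

```pf
# Added example, not from the original post. Interface names, the VoIP
# host and the example network below are constructed placeholders.
ext_if    = "em0"
int_if    = "em1"
voip_host = "192.0.2.10"        # assumed address of the VoIP adapter

# Default deny first. Because PF acts on the LAST matching rule, every
# pass rule written below this line overrides it for the traffic it names.
block all

# Let the firewall's own outbound traffic leave on the external interface.
pass out on $ext_if

# Exception 1: hosts on the LAN may reach the firewall's web interface.
# This is the rule from the post without "quick": a later matching rule
# could still change the verdict, because the search continues to the end.
pass in on $int_if proto tcp from $int_if:network to $int_if port www

# Exception 2: the VoIP adapter may send SIP and RTP out to the Internet
# (port numbers assumed for the example).
pass out on $ext_if proto udp from $voip_host to any port 5060
pass out on $ext_if proto udp from $voip_host to any port 10000:20000

# "quick" makes a match final: PF stops evaluating at this rule for any
# packet from the example network, so the pass rule after it is never
# considered for that source even though it would otherwise be the last match.
block in quick on $ext_if from 203.0.113.0/24 to any

# Admin access from anywhere else. For a packet from 203.0.113.0/24 this
# line is never reached; for every other source it is the last match and wins.
pass in on $ext_if proto tcp from any to $ext_if port ssh
```

Reading it the way PF does: a packet from the LAN to port 80 on the firewall matches `block all` and then the `pass in on $int_if` rule; the pass is the last match, so the packet is allowed. A packet from 203.0.113.0/24 to port 22 stops at the `block in quick` rule and is dropped, while the same packet from any other source continues to the final `pass in` rule and is accepted. Check the loaded ruleset with `pfctl -sr` after `pfctl -f /etc/pf.conf` and confirm the order is what you intended, since order is the whole mechanism here.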