29th April 2013
jggimi
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977

Quote:
Does it matter what order I have placed the filtering rules in?
Yes.
  • For standard rules, the last matching rule applies.
  • For "quick" rules, if the rule matches, it is applied and no later rules are evaluated.
Quote:
I have set block policy to drop, is it more secure to have set to return instead?
I believe that there is exactly the same level of security to drop or return, and that return is more polite, as it allows the sending system to record a rejection without waiting for a timeout. A "drop" is silent, no response is sent. Some may believe that a "drop" is more secure, as there is no response, but as all IP addresses on the Internet are under constant attack, with or without responses, I don't believe there is any security improvement using drop.
Quote:
I have read somewhere it consumes more resources to have set to drop. Am I missing anything?
As mentioned above, drop requires the sending system to wait until a timeout is reached before releasing resources, which is why I believe return is more polite. It is my understanding there is no performance difference on the receiving system running PF.

You asked for advice on your pf.conf. I noticed:
  1. You are using RFC 1918 addresses (192.168) without defining any Network Address Translation rules. This will likely be a problem.
  2. Your $internal_network and $external_network macros are defined but never used. This should not cause any problems; it merely tends to indicate you built your pf.conf file with copy/paste.
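As an added illustration (not the asker's or the poster's pf.conf), an OpenBSD-style pf.conf that puts the points above into practice: last-match ordering, a "quick" rule, a "return" block policy, and a NAT rule for the RFC 1918 network, with the macros actually used. Interface names, the address block and the SSH port are assumed.

```pf
# Added example (OpenBSD pf.conf syntax, post-4.7 "match ... nat-to").
# Interface names and addresses are assumed for illustration.
ext_if = "em0"
int_if = "em1"
internal_network = "192.168.1.0/24"

# "return" answers blocked packets with a TCP RST or ICMP unreachable
# instead of silently dropping them, so the sender need not wait for a timeout.
set block-policy return
set skip on lo

# RFC 1918 addresses are not routable on the Internet: outbound LAN traffic
# must be translated to the external interface's address.
match out on $ext_if from $internal_network nat-to ($ext_if)

# Default deny. This rule is not "quick", so a later matching pass rule
# overrides it (for standard rules the last matching rule wins).
block log all

# Packets arriving on the external interface claiming an internal source
# address are spoofed. "quick" stops evaluation for matching packets here,
# so no later pass rule can let them through.
block in quick on $ext_if from $internal_network

# These pass rules come after the default block and therefore win for the
# traffic they match. State is kept by default, so replies are allowed.
pass in on $int_if from $internal_network
pass out on $ext_if
pass in on $ext_if proto tcp to ($ext_if) port 22
```

Load and check it with pfctl -nf /etc/pf.conf before applying it with pfctl -f /etc/pf.conf; -n parses the file without loading it.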