I'm not going to post my pf.conf, I'm sure it's full of redundancies as well.. but I will answer your questions.
Quote:
Originally Posted by Oko
I have a couple of questions though. Do I have to have ntp listed in both tcp and udp services in order for time synchronization to work properly? I thought that the ntp service is a udp protocol.
I noticed that some people list imap in udp services. Why do they do that?
If you look in /etc/services you'll see that some things are assigned both the tcp and udp port; this is IANA legacy. Just because udp port 22 is reserved for ssh doesn't mean it's actually used.
IANA maintains a registry that OS vendors can use to maintain their /etc/services database; this file allows the OS and users to map numbers to names.
http://www.iana.org/assignments/port-numbers
Quote:
Originally Posted by Oko
Notice also that I have
Code:
pass out on $ext_if proto udp to any port $udp_services
while most set up I saw have
Code:
pass on $ext_if proto udp to any port $udp_services
Can somebody explain the difference?
There is only one difference between those 2 rules, direction... the former passes out udp packets matching $udp_services, the latter is the same as specifying both in and out.
Quote:
Originally Posted by Oko
Also notice that I have
Code:
# Make sure all packets are clean and sane
antispoof quick for $ext_if
antispoof quick for { lo $ext_if }
even though I think that
Code:
antispoof quick for $ext_if
Can somebody explain the difference?
I don't understand the question, the first rule is redundant. { lo $ext_if } matches on both the interfaces in the lo group and $ext_if, which pretty much just means lo0 and rl0.
Hope that helps...
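As an added illustration (this fragment is not from the thread or from either poster's pf.conf), here is a minimal pf.conf that puts the two pass forms and the two antispoof lines side by side. The interface name rl0 and the contents of $udp_services are assumed for the example; the comments spell out what each line is equivalent to.

```pf
# Added example, not from the thread. Interface name and port list are assumed.
ext_if = "rl0"
udp_services = "{ domain, ntp }"

# Outbound-only form: queries from this host may leave on rl0. Replies come
# back through the state entry; no new inbound packet is admitted by this rule.
pass out on $ext_if proto udp to any port $udp_services

# Form without a direction keyword: pf treats it as the pair
#   pass in  on $ext_if proto udp to any port $udp_services
#   pass out on $ext_if proto udp to any port $udp_services
# so it also lets unsolicited packets arriving on rl0 reach those ports.
pass on $ext_if proto udp to any port $udp_services

# Antispoof for the external interface only. pf expands this to roughly
#   block drop in on ! rl0 inet from <rl0's network> to any
#   block drop in inet from (rl0) to any
antispoof quick for $ext_if

# Covers the lo group (lo0) as well as rl0, so the line above is redundant.
antispoof quick for { lo $ext_if }
```

Running `pfctl -nvf /etc/pf.conf` parses the file without loading it and prints every rule as pf expands it, which is the quickest way to see the in/out pair that `pass on` turns into and the block rules each antispoof line generates.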