#4   12th March 2009
jggimi

Packets are tested with the rules top down. At each test, PF determines if the rule matches or not.
  1. If a "quick" rule matches, PF stops analysis and applies the rule, block or pass.
  2. If the rule is not "quick", PF notes if the rule matches, and continues analysis of the next rule.
  3. The last matching rule, block or pass, is applied to the packet.
The first "quick" rule that matches is applied, and PF processing stops. Here are your "quick" rules, in order:
  • You block all incoming traffic to port 22 (ssh)
  • You block incoming traffic from "urpf-failed"
  • You block all incoming ICMP traffic ...
  • You block all ICMP redirects. This rule will never match, because of the preceding "quick" rule.
  • You block all incoming traffic to port 25 (smtp)
  • You block all incoming TCP traffic.
  • You block all incoming UDP traffic.
  • You block all incoming traffic. This rule is not logged.
The end result is that all incoming traffic is blocked. Unless one of the prior quick rules matches, the blocked incoming traffic is not logged by pflog(4).
Not one of your normal (non-"quick") rules for incoming traffic will ever be used, as every incoming packet will match a "quick" rule.

For outgoing traffic, the rules are normal. The last matching rule applies.
  • You pass outbound traffic to port 80 (www)
  • You pass all UDP traffic
  • You pass all ICMP traffic
None of your outbound traffic is logged.