#2, posted by DutchDaemon, 23rd July 2008

Just a few optimisations and suggestions:

1) 'modulate state' is for outbound tcp only, all others use 'keep state' (ignoring 'synproxy state' for special cases)
2) 'flags S/SA' is for tcp only
3) queueing for TCP acks should only be done on incoming tcp (you will be sending out TCP acks on those, so prioritising takes place there); in other words: rules for incoming tcp are the only ones with 'double queues' like '(q_def, q_pri)' in priq or 'queue(something, acks)' in cbq scheduling - wrong, see below
4) you are encouraged to write your rules in order of preferred processing and use the 'quick' keyword wherever possible; work from specific to general, and start with a general block all rule.

Yes, you can specify a range of ports using a macro. Use pfctl -s rules to see the expanded ruleset after loading them.

Last edited by DutchDaemon; 23rd July 2008 at 02:56 PM.
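An added pf.conf example (not from DutchDaemon's post) that applies the four points above plus a port range in a macro; the interface name, bandwidth, queue names and port values are assumed for illustration:

```pf
# Assumed values: interface, service ports and a port range held in a macro.
ext_if = "em0"
srv_tcp = "{ 22, 80, 443 }"
web_range = "8000:8010"          # a port range inside a macro, as asked in the thread

# priq scheduler: a default queue plus a high-priority queue for empty TCP ACKs.
# Packets assigned to a '(q_def, q_pri)' pair land in q_pri when they are pure ACKs
# or carry the lowdelay TOS; everything else goes to q_def.
altq on $ext_if priq bandwidth 10Mb queue { q_def, q_pri }
queue q_def priority 1 priq(default)
queue q_pri priority 7

# 4) start with a general block-all rule; the specific pass rules below use 'quick',
#    so evaluation stops at the first match and this block only catches the rest.
block log all

# 2)+3) inbound tcp: 'flags S/SA' (tcp only), 'keep state', and the double queue so the
#       ACKs sent back on these connections are prioritised.
pass in quick on $ext_if proto tcp to ($ext_if) port $srv_tcp \
    flags S/SA keep state queue (q_def, q_pri)
pass in quick on $ext_if proto tcp to ($ext_if) port $web_range \
    flags S/SA keep state queue (q_def, q_pri)

# 1)+2) outbound tcp: 'modulate state' with 'flags S/SA'. The state carries the queue
#       assignment, so ACKs for data arriving on these connections are prioritised too.
pass out quick on $ext_if proto tcp flags S/SA modulate state queue (q_def, q_pri)

# 1) everything that is not tcp: plain 'keep state', no 'flags', single queue.
pass out quick on $ext_if proto { udp, icmp } keep state queue q_def
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, then load it and run `pfctl -s rules` to see `$web_range` expanded to `port 8000:8010`.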