PF block in / block in all

[sputnik]

As the title suggests, i'm confused about the difference between the two. I don't get the 'all' keyword, unless it's used for direction (e.g. block all, for in and out). But what meaning does it have when used after the direction?

[bsdun]

block in, block out is used with list of addresses to block from.
Example:

Code:

martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
              10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
              0.0.0.0/8, 240.0.0.0/4 }"
block in quick on $ext_if from $martians to any
block out quick on $ext_if from any to $martians

If you want to block inbound traffic from all addresses, you use block in all, if you want to allow outbound traffic to all addresses, you use pass out all.
Example:

Code:

block in all
pass out all keep state

[sputnik]

Hmm, but they both do the same thing"

Code:

block in
pass out keep state

and

Code:

block in all
pass out all keep state

does exactly the same thing.

[fvgit]

Quote:

Originally Posted by sputnik

I don't get the 'all' keyword, unless it's used for direction (e.g. block all, for in and out). But what meaning does it have when used after the direction?

Straight from the manpage pf.conf(5):

Code:

     all     This is equivalent to ‘from any to any’.

And 'from any to any' refers to packet source & destination not interface direction.

[CiotBSD]

It's interesting to read the PF Faq, particularly the shortcuts for creating ruleset, on the section "Elimination of keywords", it explains to define a default deny policy, to return or drop - it's up to you - and use only:

Code:

block

Egual, you can use only:

Code:

block in/out

Because there are same clauses than:

Code:

block in/out all

- https://www.openbsd.org/faq/pf/shortcuts.html#elim

[jggimi]

You may use # pfctl -s rules to determine exactly how your loaded rule set is interpreted by PF. See the pfctl(8) man page for details and for additional modifier options.