Thread: PF firewall
View Single Post
  #4   (View Single Post)  
Old 28th April 2009
geekswordsman geekswordsman is offline
Port Guard
Join Date: Apr 2009
Location: DC Area
Posts: 24

Originally Posted by jggimi View Post
As I stated in, unless quick is used, the last matching rule applies.

I notice you have "block return" in the middle of your ruleset. This will match all packets. Your prior "pass" rule does not apply.
jggimi's right on the money. When PF receives a packet, it goes line by line looking for a rule to apply it to - but it doesn't stop just because it finds one. It keeps going and looks for any other rules that might apply, and finally makes a decision on what to do at the end of pf.conf. The only time that you can skip this from happening is the quick rule, ie
pass in quick on $int_if from any to $int_if port www
Personally, I always build my pf.conf file with the block rule at top - and usually with a nice simple
I can build my exceptions (say, my vonage VoIP line) after the fact, and if something isn't getting through that's supposed to be, I know it must be because I haven't setup a pass rule correctly.
Reply With Quote