From owner-freebsd-pf@FreeBSD.ORG Wed May 1 07:46:54 2013
Message-ID: <1367394412.46533.YahooMailNeo@web162703.mail.bf1.yahoo.com>
Date: Wed, 1 May 2013 00:46:52 -0700 (PDT)
From: Nomad Esst
Subject: skipto keyword in pf
To: pf list

Hi list

I have been using IPFW for years, now because of some reasons I'm migrating to PF. In IPFW we can use the "skipto" keyword in order to change the order of checking the rules. How can I do this in PF?

Another one, is it possible to filter in/out coming traffic according to the source/destination MAC address separately?

Thank you all ...

From owner-freebsd-pf@FreeBSD.ORG Thu May 2 00:29:27 2013
Date: Wed, 1 May 2013 18:59:47 -0500
From: "David DeSimone"
To: "Nomad Esst"
Cc: pf list
Subject: Re: skipto keyword in pf
Message-ID: <20130501235946.GS6396@verio.net>
References: <1367394412.46533.YahooMailNeo@web162703.mail.bf1.yahoo.com>
In-Reply-To: <1367394412.46533.YahooMailNeo@web162703.mail.bf1.yahoo.com>

Nomad Esst wrote:
>
> I have been using IPFW for years, now because of some reasons I'm
> migrating to PF. In IPFW we can use the "skipto" keyword in order to
> change the order of checking the rules. How can I do this in PF?

PF processes rules from top to bottom for every packet, only aborting the rule evaluation in the case that the "quick" keyword is used to render a decision immediately.

If you are trying to avoid having to evaluate all of your rules on every packet, you should read up on the "anchor" feature, which allows you to perform a type of "subroutine call", evaluating a different ruleset upon some condition. You could conceivably use that to evaluate some rules and come to a decision without having to evaluate all of the rules in a policy. It would take some rethinking of your existing rules, no doubt.

> Another one, is it possible to filter in/out coming traffic according
> to the source/destination MAC address separately?

As far as I'm aware, PF is a layer-3 only filter, and has no ability to filter on MAC.

--
David DeSimone == Network Admin == fox@verio.net
"I don't like spinach, and I'm glad I don't, because if I liked it I'd eat it, and I just hate it." -- Clarence Darrow
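
The anchor approach described in the reply above, sketched as a pf.conf fragment. This is an added example, not part of either message; the interface name, addresses, ports, anchor names and the <abusers> table are constructed assumptions.

```pf
# Constructed example: all names and addresses below are placeholders.
ext_if    = "em0"
web_srv   = "192.0.2.10"
admin_net = "198.51.100.0/24"

table <abusers> persist

set skip on lo0

# Default policy. Without "quick", the LAST matching rule decides,
# so these two rules only apply if nothing further down matches.
block in log on $ext_if all
pass out on $ext_if all keep state

# Branch 1: only packets that match the anchor line itself are tested
# against the rules between the braces. Every other packet steps over
# the whole block, which is the effect an ipfw "skipto" is used for.
anchor "web" in on $ext_if proto tcp from any to $web_srv {
    # "quick" stops evaluation at this rule, both inside the anchor
    # and in the main ruleset that called it.
    block in quick from <abusers> to any
    pass in quick proto tcp from any to any port { 80, 443 } keep state
}

# Branch 2: SSH from the admin network only.
anchor "ssh" in on $ext_if proto tcp from $admin_net to any port 22 {
    pass in quick keep state
}

# Packets that entered an anchor without hitting a "quick" rule return
# here and continue with the remaining main-ruleset rules; with none
# left, the last match (the default block above) applies.
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and list what was loaded into an anchor with `pfctl -a web -sr`.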