From: RW
To: freebsd-questions@freebsd.org
Date: Thu, 13 Dec 2007 22:07:00 +0000
Subject: Re: PF blocking even if set to pass all
Message-ID: <20071213220700.2fb3a962@gumby.homeunix.com.>
In-Reply-To: <47619345.8000400@locolomo.org>

On Thu, 13 Dec 2007 21:17:09 +0100 Erik Norgaard wrote:

> I think it is possible to set a default rule, which for security
> should be block, which means that any packet that falls through your
> rule set will be blocked.

I'm not aware that there is; the FAQ suggests having "block in all" and "block out all" at the top.

> Therefore, you should have "pass quick".

With PF the last rule to be hit will be used, which means the default is normally applied at the beginning and then overridden. You don't need quick to avoid dropping off the bottom of the rules, unless you are trying to replicate an IPFW script in PF.
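A small model of the last-match semantics discussed above, as an added example that is not part of the original thread: the Rule and Packet classes and the rulesets are constructed for illustration, not a pf.conf parser, and the only behaviour assumed is PF's last-match evaluation, the "quick" keyword and the implicit pass when no rule matches.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    action: str                   # "pass" or "block"
    quick: bool = False           # PF's "quick": stop evaluating on match
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port

@dataclass(frozen=True)
class Packet:
    proto: str
    dport: int

def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.proto is None or rule.proto == pkt.proto)
            and (rule.dport is None or rule.dport == pkt.dport))

def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """Verdict for pkt under PF semantics: every matching rule is considered
    and the last match wins, unless a matching rule carries "quick", which
    ends evaluation at once. A packet matching no rule is passed."""
    verdict = "pass"  # PF's implicit default when nothing matches
    for rule in rules:
        if matches(rule, pkt):
            verdict = rule.action
            if rule.quick:
                break
    return verdict

# Constructed ruleset in the style the FAQ suggests: block everything at the
# top, then pass what you need. The later pass rules win as the last match.
DEFAULT_BLOCK = [
    Rule("block"),                        # block in all / block out all
    Rule("pass", proto="tcp", dport=22),  # ssh
    Rule("pass", proto="tcp", dport=80),  # http
]
# The same default with "quick", IPFW-style first-match: evaluation stops at
# the block, so the pass rule below it is never reached.
QUICK_DEFAULT_BLOCK = [
    Rule("block", quick=True),
    Rule("pass", proto="tcp", dport=22),
]
# "quick" on a pass rule wins even though a later block would be last match.
QUICK_PASS = [
    Rule("block"),
    Rule("pass", quick=True, proto="tcp", dport=22),
    Rule("block", proto="tcp", dport=22),
]
```

Running evaluate() over DEFAULT_BLOCK shows ssh and http passing while everything else falls to the top-of-file block, and QUICK_DEFAULT_BLOCK shows why a quick default at the top silently blocks everything below it.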