Date: Thu, 13 Dec 2007 23:57:05 +0100
From: Erik Norgaard <norgaard@locolomo.org>
To: RW <fbsd06@mlists.homeunix.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: PF blocking even if set to pass all
Message-ID: <4761B8C1.3040200@locolomo.org>
In-Reply-To: <20071213220700.2fb3a962@gumby.homeunix.com.>
References: <2949641c0712130319p3da37aeci92987c64516dabef@mail.gmail.com> <20071213132535.194adf58.ghirai@ghirai.com> <47619345.8000400@locolomo.org> <20071213220700.2fb3a962@gumby.homeunix.com.>
RW wrote:
> On Thu, 13 Dec 2007 21:17:09 +0100
> Erik Norgaard <norgaard@locolomo.org> wrote:
>
>> I think it is possible to set a default rule, which for security
>> should be block, which means that any packet that falls through your
>> rule set will be blocked.
>
> I'm not aware that there is, the FAQ suggests having
>
> block in all
> block out all
>
> at the top.
>
>> Therefore, you should have "pass quick".
>
> With PF the last rule to be hit will be used, which means the default
> is normally applied at the beginning and then overridden. You don't
> need quick to avoid dropping off the bottom of the rules, unless you
> are trying to replicate an IPFW script in PF.

You're right, I'm thinking of the feature from IP-Filter.

Cheers,
--
Erik Nørgaard
Ph: +34.666334818
http://www.locolomo.org
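The ordering point RW makes above (PF uses the last matching rule, a "block ... all" pair at the top only sets the default, and "quick" is only needed to stop evaluation early) is easy to get wrong when coming from a first-match firewall such as ipfw. The script below is an added example, not part of the thread and not PF's own code: it models the two evaluation orders over a small constructed ruleset in the layout the FAQ suggests. The pf.conf mini-parser is an assumption that covers only the handful of keywords used here (pass/block, in/out, quick, proto, from, to, port, all), and the sample packets and addresses are constructed test data.

```python
"""Model of PF rule evaluation versus first-match evaluation.

Added example, not from the mailing-list thread.  Assumption: the parser
handles only the pf.conf subset used in the sample ruleset below.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    action: str                        # "pass" or "block"
    direction: Optional[str] = None    # "in", "out" or None (either)
    quick: bool = False
    proto: Optional[str] = None
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None
    text: str = ""

    def matches(self, pkt: dict) -> bool:
        """Every constraint the rule states must hold for the packet."""
        if self.direction and pkt["dir"] != self.direction:
            return False
        if self.proto and pkt["proto"] != self.proto:
            return False
        if self.src != "any" and pkt["src"] != self.src:
            return False
        if self.dst != "any" and pkt["dst"] != self.dst:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return True


def parse_rule(line: str) -> Rule:
    """Parse one rule from the supported pf.conf subset (assumption)."""
    toks = line.split()
    rule = Rule(action=toks[0], text=line)
    i = 1
    while i < len(toks):
        t = toks[i]
        if t in ("in", "out"):
            rule.direction = t
        elif t == "quick":
            rule.quick = True
        elif t == "all":
            pass                       # no further constraints
        elif t == "proto":
            i += 1; rule.proto = toks[i]
        elif t == "from":
            i += 1; rule.src = toks[i]
        elif t == "to":
            i += 1; rule.dst = toks[i]
        elif t == "port":
            i += 1; rule.dport = int(toks[i])
        else:
            raise ValueError(f"unsupported token {t!r} in: {line}")
        i += 1
    return rule


def parse_ruleset(conf: str) -> list:
    rules = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rules.append(parse_rule(line))
    return rules


def evaluate_pf(rules, pkt):
    """PF semantics: walk the whole list and let the LAST matching rule
    decide; a matching 'quick' rule ends evaluation on the spot.  When no
    rule matches at all PF passes the packet, which is exactly why the
    FAQ puts 'block in all' / 'block out all' at the top."""
    decision, winner = "pass", None
    for r in rules:
        if r.matches(pkt):
            decision, winner = r.action, r
            if r.quick:
                break
    return decision, winner


def evaluate_first_match(rules, pkt):
    """ipfw-style ordering for contrast: the FIRST matching rule decides,
    so the same top-of-file 'block all' would shadow every later pass."""
    for r in rules:
        if r.matches(pkt):
            return r.action, r
    return "pass", None


# Constructed sample ruleset in the layout the FAQ suggests.
CONF = """\
block in all
block out all
block in quick from 198.51.100.7 to any      # quick: stops evaluation
pass in proto tcp from any to any port 22
pass out proto tcp from any to any port 443
"""
RULES = parse_ruleset(CONF)

# Constructed sample packets (documentation-range addresses).
PACKETS = {
    "ssh_in":       {"dir": "in",  "proto": "tcp", "src": "203.0.113.5",  "dst": "192.0.2.1",   "dport": 22},
    "telnet_in":    {"dir": "in",  "proto": "tcp", "src": "203.0.113.5",  "dst": "192.0.2.1",   "dport": 23},
    "https_out":    {"dir": "out", "proto": "tcp", "src": "192.0.2.1",    "dst": "203.0.113.9", "dport": 443},
    "ssh_from_bad": {"dir": "in",  "proto": "tcp", "src": "198.51.100.7", "dst": "192.0.2.1",   "dport": 22},
}


def decide_all(rules=RULES, packets=PACKETS) -> dict:
    """Return {name: (pf_decision, first_match_decision)} per packet."""
    return {name: (evaluate_pf(rules, p)[0], evaluate_first_match(rules, p)[0])
            for name, p in packets.items()}


if __name__ == "__main__":
    for name, (pf, fm) in decide_all().items():
        print(f"{name:13s} PF (last match wins): {pf:5s} first-match: {fm}")
```

Running it shows the difference RW describes: under PF the SSH and HTTPS packets pass because the later pass rules override the initial block pair, while a first-match evaluator would block everything on the top two lines. The one place quick changes the outcome is the packet from 198.51.100.7, which the later pass rule for port 22 would otherwise have let through.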