From owner-freebsd-questions@FreeBSD.ORG  Thu Dec 13 22:57:06 2007
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id AA1D916A420
	for <freebsd-questions@freebsd.org>;
	Thu, 13 Dec 2007 22:57:06 +0000 (UTC)
	(envelope-from norgaard@locolomo.org)
Received: from bifrost.locolomo.org (97.pool85-48-194.static.orange.es
	[85.48.194.97])
	by mx1.freebsd.org (Postfix) with ESMTP id 5BCC913C45B
	for <freebsd-questions@freebsd.org>;
	Thu, 13 Dec 2007 22:57:06 +0000 (UTC)
	(envelope-from norgaard@locolomo.org)
Received: from sleipner.local (unknown [192.168.0.37])
	by bifrost.locolomo.org (Postfix) with ESMTP id 46E2439842;
	Thu, 13 Dec 2007 23:57:05 +0100 (CET)
Message-ID: <4761B8C1.3040200@locolomo.org>
Date: Thu, 13 Dec 2007 23:57:05 +0100
From: Erik Norgaard <norgaard@locolomo.org>
User-Agent: Thunderbird 2.0.0.9 (Macintosh/20071031)
MIME-Version: 1.0
To: RW <fbsd06@mlists.homeunix.com>
References: <2949641c0712130319p3da37aeci92987c64516dabef@mail.gmail.com>	<20071213132535.194adf58.ghirai@ghirai.com>	<47619345.8000400@locolomo.org>
	<20071213220700.2fb3a962@gumby.homeunix.com.>
In-Reply-To: <20071213220700.2fb3a962@gumby.homeunix.com.>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8bit
Cc: freebsd-questions@freebsd.org
Subject: Re: PF blocking even if set to pass all
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Dec 2007 22:57:06 -0000

RW wrote:
> On Thu, 13 Dec 2007 21:17:09 +0100
> Erik Norgaard <norgaard@locolomo.org> wrote:
> 
> 
>> I think it is possible to set a default rule, which for security
>> should be block, which means that any packet that falls through your
>> rule set will be blocked. 
> 
> I'm not aware that there is, the FAQ suggests having 
> 
> block in  all
> block out all
> 
> at the top.
> 
>> Therefore, you should have "pass quick".
> 
> With PF the last rule to be hit will be used, which means the default
> is normally applied at the beginning  and then overridden. You don't
> need quick to avoid dropping off the bottom of the rules, unless you
> are trying to replicate an IPFW script in PF.

You're right, I'm thinking of the feature from IP-Filter.

Cheers,
-- 
Erik Nørgaard
Ph: +34.666334818                           http://www.locolomo.org