Date: Wed, 6 Feb 2019 15:50:52 +0000
From: Matthew Seaman <matthew@FreeBSD.org>
To: freebsd-questions@freebsd.org
Subject: Re: pf filter settings
Message-ID: <87405f06-72cf-4990-4299-e24ce647a713@FreeBSD.org>
In-Reply-To: <08dc977729b0176043c84e504df84f95.squirrel@webmail.harte-lyne.ca>
References: <08dc977729b0176043c84e504df84f95.squirrel@webmail.harte-lyne.ca>
On 06/02/2019 14:48, James B. Byrne via freebsd-questions wrote:
> What is going on? Why does the rule 'block drop in log all' have
> effect and the rule
>
> pass log quick on $int_if \
> from { self $int_if:network } \
> to { self $int_if:network }
>
> does not, despite the quick option and the fact that it occurs first.

Because pf always applies the *last* matching rule. It's the opposite way round to ipfw(8).

In general, you want to order your pf ruleset from the most general to the most specific. You can short-circuit searching the whole ruleset by using the 'quick' modifier -- use this on early and more general rules to weed out the obviously wrong traffic.

Also, read the docco on:

set skip on { $int_if }

which should achieve what you want (assuming that you're only logging traffic on that i/f as a debugging thing.)

Cheers,

Matthew
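The evaluation order Matthew describes (last matching rule wins, 'quick' stops the walk, 'set skip' bypasses filtering on an interface) as a small simulator. This is an added example, not code from the thread or from pf itself; the interface name em1, the 192.0.2.0/24 addresses and the packet tuples are constructed stand-ins for $int_if, self/$int_if:network and real traffic.

```python
"""Toy model of pf rule evaluation (constructed example, not pf's own code).

pf walks the ruleset top to bottom and remembers the LAST rule that matched;
that rule decides the verdict. A rule carrying 'quick' ends the walk as soon
as it matches. Interfaces named in 'set skip on' are not filtered at all.
Simplified: real pf also has direction, state tracking, anchors, etc.
"""
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class Rule:
    action: str                      # "pass" or "block"
    quick: bool = False
    iface: str | None = None         # None matches any interface
    src: set[str] = field(default_factory=set)   # empty set = any address
    dst: set[str] = field(default_factory=set)

    def matches(self, iface: str, src: str, dst: str) -> bool:
        if self.iface is not None and self.iface != iface:
            return False
        if self.src and src not in self.src:
            return False
        return not self.dst or dst in self.dst

def evaluate(rules, skip, iface, src, dst):
    """Return (verdict, index of the deciding rule). pf's default is pass."""
    if iface in skip:
        return "pass", None          # 'set skip on' interfaces bypass the ruleset
    verdict, winner = "pass", None
    for i, r in enumerate(rules):
        if r.matches(iface, src, dst):
            verdict, winner = r.action, i   # later match overrides earlier one
            if r.quick:
                break                # 'quick': first match is final
    return verdict, winner

INT_IF = "em1"                                        # stand-in for $int_if
LAN = {"192.0.2.1", "192.0.2.10", "192.0.2.20"}       # self + $int_if:network
BLOCK_ALL = Rule("block")                             # 'block drop in log all'

def lan_pass(quick: bool) -> Rule:
    return Rule("pass", quick=quick, iface=INT_IF, src=LAN, dst=LAN)

def demo() -> dict:
    lan_pkt = (INT_IF, "192.0.2.10", "192.0.2.1")     # LAN host -> firewall
    wan_pkt = ("em0", "198.51.100.7", "192.0.2.1")    # outside host -> firewall
    return {
        "no_quick": evaluate([lan_pass(False), BLOCK_ALL], set(), *lan_pkt),
        "quick": evaluate([lan_pass(True), BLOCK_ALL], set(), *lan_pkt),
        "general_first": evaluate([BLOCK_ALL, lan_pass(False)], set(), *lan_pkt),
        "skip": evaluate([BLOCK_ALL], {INT_IF}, *lan_pkt),
        "other_if": evaluate([lan_pass(True), BLOCK_ALL], set(), *wan_pkt),
    }
```

Running demo() shows the pass rule losing to the later block when it lacks 'quick', winning with 'quick' or when placed after the general block, and the skipped interface never being filtered.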